Transcript Slide 1

Data Security and Payment Card Acceptance
Presented by:
Brian Ridder
Senior Vice President
First National
September 10, 2009
Presentation Overview
• Why Should I Care?
• Safety in “Numbers”
• PCI – What is This?
• PCI “Digital Dozen” – Does it Make a Difference?
• Legislation – Uncle Sam and Friends are Here to Help
• Future Steps
• I’ve Been Breached, What Happens Next?
Data Security and Payment Cards
Why Should I Care?
• Do you have insurance for identifiable business risks?
• Is it challenging to attract new and retain existing customers?
• Are credit or debit cards a meaningful percentage of your payment tender types?
• Do you want to focus your resources on growing your business, or possibly on seeking out your customers to notify them that their payment card information has been compromised?
• Do you believe negative events at your company can impact your brand?
© FIRST NATIONAL BANK
Safety in Numbers? Not so much …
• 2004 – BJ’s Wholesale
• 2005 – Designer Shoe Warehouse (DSW)
• 2007 – TJ Maxx, OfficeMax, Dave & Busters, 7-11
• 2008 – Hannaford Brothers Grocery
  • Dec 2007 to March 2008 – 4 million cards
  • 1,800 fraudulent charges made – 21 civil claims
• 2009 – Heartland Payment Systems
  • Fall 2008 to January 2009 – to date $12.5 million in fines.
According to a report released August 17, 2009 by the Ponemon Institute and funded by encryption firm PGP, the cost of a data breach for companies has risen to $202 per lost record, up from $197 in the institute's 2007 study. For the 47 companies audited in the study, those costs added up to $6.6 million per incident.
PCI – What is This?
A collaborative approach by the major card brands (Visa, MasterCard, Discover, Amex, JCB) to address card industry data security in a proactive and unified way.
PCI “Digital Dozen” – Does it Make a Difference?
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
To become compliant, what does a company need to do?
1. Complete a Self Assessment Questionnaire (SAQ)
2. Complete a network vulnerability scan if you have an external connection.
3. On-site PCI audit if you are a large card transacting merchant.
Does PCI – the Digital Dozen – make a difference?
Merchant awareness:
Merchant action:
Post-breach forensic findings:
Legislation – Uncle Sam and Friends are Here to Help You.
• 2009 Legislation
• 2008 and prior legislation
Likely Future Industry Steps
• Credit card processors will really expect compliance
• Solutions for non-access storage
• End-to-end encryption
I’ve Been Breached, What Do I Do?
1. Immediately contain and limit the exposure.
   Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information. Preserve evidence and help facilitate the investigation.
2. Alert all necessary parties immediately:
   – Your internal information security group and incident response team.
   – Your merchant bank.
   – Your local office of the United States Secret Service.
3. Provide all compromised payment card accounts to your merchant bank within 10 business days.
   The payment brands will distribute the compromised account numbers to Issuers and ensure the confidentiality of entity and non-public information.
Contact information:
Brian Ridder
Senior Vice President
First National Merchant Solutions
[email protected]
402-633-1875