RDX Sales Presentation


The Future of Electronic Payments
Security & PCI Compliance
Greg Grant
Vice President – Managed Security Services
Payment Technology Trends
• Enterprise Class Businesses
  • Migration/early adoption of newer payment technologies such as Point-to-Point Encryption (P2PE)
  • Leading the “charge” for EMV implementation
• Small-to-Mid Sized Businesses (SMBs)
  • Focus on upgrading POS operating systems, equipment, devices
  • Remain the highest users of traditional terminal/server systems
  • Movement away from dial-up to Internet-connected processing
• Everyone is looking at wireless-enabled payment systems
Major driving force behind technology changes is PCI, but not necessarily SECURITY
Payment Technology Realities
• Data breaches and card theft continue to go up
• PCI compliance rates are up, yet so are breaches
• Networks remain “flat”, so sensitive data can be targeted via other IP-connected devices
• Hackers are looking downstream (SMBs) because they are the least secured
• Most businesses either do not properly deploy and maintain security technologies (plus resources) or they cannot afford to
• Businesses have adopted a “check box” mentality and are only concerned about getting their PCI Certificate of Compliance
• Believe that PCI compliance means they are secure
• Confusion over PA-DSS and PCI DSS
• Mandates are getting harder to comply with in 2015
• Big emphasis on companies providing services that could impact cardholder data
Common Network Landscape – Highly Insecure
Properly Secured Data Network
Changes To PCI Mandate
Emphasis on Service Providers
• Service Providers (SP) are defined by the PCI Council as: “Companies directly involved in the processing, storage, or transmission of cardholder data, or companies that provide services that could impact the security of cardholder data.” Common examples include: transaction processors, payment gateways, managed service providers, or web hosting providers.
• A service provider is any “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.” This includes companies that provide services that control or could impact the security of cardholder data.
• There is already a requirement in every SAQ to maintain a written agreement with each SP, and to have a process for monitoring a service provider’s PCI compliance status. In addition:
  • All SAQs now have a place in the Executive Summary to input service providers
  • New requirement 12.8.5 states a list must be maintained of which PCI DSS requirements are managed by the service provider and which by the merchant
Changes To PCI Mandate
• All companies will have to NAME their service provider when filling out their self-assessment questionnaire (SAQ) beginning in January 2015
• Clear transfer of risk and exposure to all companies that implement, service or maintain POS systems, IT systems and/or ancillary IP-connected equipment/services
• Service providers are largely the ones that companies look to for help with security and PCI
• As a service provider, you must look for ways to ensure your risk and exposure is limited:
  • Become a PCI compliant service provider
  • Have every implementation and system change “audited”
  • Outsource
A Solutions Approach
• Look to subscription-based managed services that ensure continuous network security and PCI compliance as a by-product
• Focus needs to be on protecting sensitive data systems (payments, health records, personal information, etc.) along with all other Internet traffic, not just the card data!
• Cloud-based – No need for clients to invest in expensive equipment, software or additional personnel
• Certification – There are many managed offerings on the market, but certification (look for PCI L1) will ensure you’re not at risk should a breach occur
• Feature Rich – A few offer secure WiFi, 3G/4G backup, content filtering and many more benefits
• Breach Protection/Insurance – Extends the ability to offset unfunded risk should a breach occur
THANK YOU