PCI FUD - Fear, Uncertainty and Dollars
Date: Thursday, February 16, 2012
Duration: 60 minutes
2011 proved to be a memorable year for data security. Labeled by some as, “Breach Fest 2011”, the increased level of data breaches reminds us all how important it is to put a focus on network security as we move into 2012. Numerous well-known brands like Subway, Restaurant Depot, Sony, Michael’s and McDonald’s all suffered as a result of data theft last year.
Watch this webinar recording to learn more about how these breaches occurred, what the real risks are if you are breached and what steps you can take to prevent your business from becoming the next victim.
During this webinar we discuss:
- The evolving technology threats that you face in your business
- A review of recent breaches to hit the newswire
- The real costs associated with a breach
- How a breach could impact your business
Download a PDF containing all slides from the presentation.
Webinar Recording

Question and Answer
No, there is nothing you should be concerned with when choosing to bundle multiple services with SecureConnect. We offer numerous services in order to provide our customers with a convenient single-source vendor. You can partner with as many vendors as you want and our technical assistance center is more than willing to work with other vendors in order to secure your network. However, there are key advantages with having our company handle your network security and ASV scans:
1. We have a single online portal that is a one-stop for you to manage all your network security and PCI compliance information for your business, which you could not have with multiple vendors.
2. Easier remediation process for external scans: Everything within our scope we will address and fix. Items outside of our scope are the responsibility of the client to fix; however, our team provides detailed guidance on how to accomplish that. There is no confusion as to what needs to be done between vendors, and we are able to make it a faster and simpler process.
3. We have obtained difficult certifications that require a lot of effort and a high level of expertise. They do not give these certifications out for free or just to anyone. So there is no way we, as a company, would be able to obtain and maintain these certifications if we did not follow the proper security protocols and network security best practices.
There are a lot of things that can be monitored in firewall logs, like network traffic, websites visited and rogue access points. We alert on things like multiple failed login attempts, unknown access points that may be attempting to access your network and other suspicious activity. We monitor that and alert you when we see anything suspicious. Firewall logs are retained for 12 months per the PCI DSS.
SecureConnect provides a logging dashboard for all customers that can be viewed in their mySecureConnect portal. The dashboard offers the most common log searches. There is also a logging page that gives a full and detailed list of all logs. This allows customers to monitor their logs on a daily basis which helps them comply with PCI requirement #10.
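The "multiple failed login attempts" alert and the 12-month retention rule described above, as an added illustration that is not code from the webinar or from SecureConnect: a small detector run over constructed firewall log lines. The log line format, the failure threshold and the time window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp key=value ..." format;
# the first source fails five times in under a minute, the second only once.
SAMPLE_LOGS = """\
2012-02-16T10:00:01 src=203.0.113.5 action=login_failed user=admin
2012-02-16T10:00:09 src=203.0.113.5 action=login_failed user=admin
2012-02-16T10:00:15 src=203.0.113.5 action=login_failed user=root
2012-02-16T10:00:22 src=203.0.113.5 action=login_failed user=admin
2012-02-16T10:00:30 src=203.0.113.5 action=login_failed user=admin
2012-02-16T10:05:00 src=198.51.100.7 action=login_failed user=pos
2012-02-16T11:30:00 src=198.51.100.7 action=login_ok user=pos
"""

FAILED_THRESHOLD = 5            # assumed: alert at 5 failures ...
WINDOW = timedelta(minutes=10)  # ... from one source within 10 minutes
RETENTION = timedelta(days=365) # PCI DSS: keep logs for 12 months


def parse_line(line):
    """Split 'timestamp k=v k=v' into a dict with a parsed 'ts' field."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def failed_login_alerts(lines, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_failures} for sources exceeding the threshold."""
    failures = defaultdict(list)
    for line in lines.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("action") == "login_failed":
                failures[rec["src"]].append(rec["ts"])
    alerts = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times)):
            # sliding window: count failures from times[i] to times[i]+window
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[src] = max(alerts.get(src, 0), j - i)
    return alerts


def purge_eligible(ts_iso, now_iso, retention=RETENTION):
    """True only once a record is older than the retention period."""
    return datetime.fromisoformat(now_iso) - datetime.fromisoformat(ts_iso) > retention
```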
The owner is ultimately held responsible for everything related to PCI compliance. The POS vendor is only responsible for PA-DSS (Payment Application Data Security Standard) compliance, meaning the vendor must ensure that the requirements it is accountable for have been met so that your POS application is compliant. However, the POS is only a small part of the overall business operations that need to be in compliance.
You have the ability, as a merchant, to collect the full cardholder number for paper transactions, but you need to store it in a locked and secure location. Any documentation with credit card numbers on it should be treated with the same respect as cash. You also need to have a set plan to securely and properly destroy the documentation with the cardholder numbers (e.g., shred or incinerate).
Whether you are using a standalone terminal or a POS terminal with an integrated swipe, you will need to follow PCI compliance requirements. The threat is greater for the integrated POS because there are more ways and more components through which the system can be attacked; however, both are still vulnerable to hackers. That is why we recommend leveraging security tools like device logging and file integrity monitoring to be sure they are secure.
On the SAQ, you should not say you are compliant with something if you are not actually compliant. In this type of situation you can indicate that you have compensating controls as part of your response. When you cannot meet a requirement as it is stated in your business’s current state, you should document the steps you are taking in order to become compliant. That shows your credit card processor/acquirer that you are taking steps to secure your business. If you are struggling to get a response from a vendor, you should try to drive action from a different angle. Possibly contact the corporate office, sales representative or someone who was originally involved in the purchasing of the services or equipment.
Our breach protection insurance is an added benefit of our managed security services. This insurance covers merchants for the costs associated with a breach or suspected breach up to $100,000. Due to their larger size and scope, a franchisor will need to go to an insurance agency and set up a special breach protection insurance policy to cover their specific needs. Breach insurance isn’t required, but it is certainly a way to ensure you are financially protected in a breach scenario.
As a part of our services we offer one-on-one assistance with your Self-Assessment Questionnaire. You will be able to talk with our PCI specialist who will walk you through all the requirements and help you to better understand and fill out your SAQ. Through our online portal, customers have the ability to create, modify, save and ultimately submit their SAQ each year.