Don't Handle Sensitive Data. Create A Tokenization Layer Around Your Enterprise.
1. Create a Tokenization Layer Around Your Enterprise
– Don’t Handle Sensitive Data
Length: 60 minutes
Presenter: Stewart Comrie
Integrated and Secure Payment Processing
2. SPEAKER
STEWART COMRIE
VP STRATEGIC PRODUCTS
PAYMETRIC, INC.
Trusted Solutions. Securely Integrated.
3. AGENDA
ABOUT PAYMETRIC
UNDERSTANDING PCI AND THE SAQs
DATA INTERCEPT SOLUTIONS
DISCUSSION ABOUT PCI CHALLENGES
Q&A
4. ABOUT PAYMETRIC
Paymetric is the leading provider of integrated and secure payment processing and
tokenization solutions that enable companies to streamline the order-to-cash process,
reduce the scope and financial burden of achieving PCI compliance, and improve return
on electronic payment acceptance.
Founded in 1998
75 Employees
Privately Held – Austin Ventures and
Palomar Portfolio Company
450+ Enterprise Customers
5. AWARD-WINNING COMPANY
2011 TAG Top 40
TECHNOLOGY COMPANIES IN GEORGIA
Global Excellence
MANAGEMENT TEAM OF THE YEAR
2010 TAG Top 40
MOST INNOVATIVE COMPANIES IN GEORGIA
Global Product Excellence
TOKENIZATION SOLUTION
6. PAYMETRIC CUSTOMERS
Cross-Market & Industry
Cross-Geography
7. What is PCI Compliance?
Category: Requirements
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration
  2. Do not use vendor-supplied defaults for system passwords
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and card data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
WHO MUST COMPLY? "ANY ORGANIZATION THAT STORES, PROCESSES OR TRANSMITS CREDIT CARD DATA"
Source: www.pcidatasecuritystandards.org
8. Merchant Validation Levels & Requirements
VISA / MasterCard Merchant Levels and Validation Actions
Merchant Level | Criteria | On-Site Security Assessment / Report on Compliance (ROC) | Self-Assessment Questionnaire | Network Vulnerability Scans
Level 1 | 6+ million transactions annually from any acceptance channel with one card brand | Submitted to Acquirer Annually | Not Applicable | Required Quarterly
Level 2 | 1 million to 6 million transactions annually from any acceptance channel with one card brand | Not Applicable | Submitted to Acquirer Annually | Required Quarterly
Level 3 | 20,000 to 1 million e-commerce transactions annually with one card brand | Not Applicable | Submitted to Acquirer Annually - Required Annually | Required Quarterly
Level 4 | Less than 20,000 e-commerce or less than 1 million transactions from any acceptance channel annually with one card brand | Not Applicable | Required Annually (submission to acquirer not mandatory) | Required Quarterly (submission to acquirer not mandatory)
9. Fitting PCI DSS and Self-Assessment Together
10. 5 SAQ Types
SAQ | Summary | Who is Eligible | Number of Questions
SAQ A | Outsource all CHD | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | 13
SAQ B | Imprint or standalone dial-out terminals only | Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage | 29
SAQ C-VT | Virtual terminals only | Merchants using only web-based virtual terminals, no electronic cardholder data storage. This would never apply to e-commerce merchants or card swipe. | 51
SAQ C | Internet-connected payment application | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage | 40
SAQ D | All other merchants and all service providers | All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ. | 288
11. Qualifying for SAQ-A – PCI Self-Assessment Questionnaire
Qualifying for SAQ-A reduces the number of security requirements from 205 to 14
Criteria that have to be met:
Company only handles Card Not Present (CNP) transactions
Company does not store, process or transmit any cardholder data on premises, relying instead on third-party providers
Third-party service provider is confirmed PCI DSS compliant
Company retains only paper reports or receipts with cardholder data, and said documents are not received electronically
Company does not store any cardholder data in electronic format
**Please consult your acquirer or QSA to confirm that Paymetric's Data Intercept solution will help you qualify for PCI SAQ-A.**
12. DATA PROTECTION STRATEGY TIMELINE
TECHNOLOGY: Encryption, Centralization, Tokenization (SaaS), Elimination
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
PCI DSS: V1.0 V1.1 V1.2 V1.2.1
DRIVERS
COST OF A DATA BREACH: $138 $182 $197 $202 $204 $214
COST OF A DATA BREACH: $4.5M $4.7M $6.3M $6.7M $6.8M $7.4M
NUMBER OF STATES WITH DATA BREACH NOTIFICATION LAWS: 1 38 46
NUMBER OF RECORDS BREACHED: 52M 48M 129M 49M 222M
13. Reducing Effort and Cost of Compliance
Move to a "Lesser" SAQ
Reduce Burden on Systems
Eliminate Systems from Scope
Result: Reduced Effort and Cost
14. THE FUTURE | Eliminate Handling of Sensitive Data Altogether
[Diagram: Legacy, Enterprise and Merchant systems with Data Intercept; captions: Eliminate Systems from PCI Audit Scope; Minimize PCI Costs; Drastically Reduce ...]
15. DATA INTERCEPT | eCommerce
CLIENT BROWSER
Client Browser loads the hosted payment page script: <script src="https://paypage.paymetric.com/dnld.js"></script>, which collects the <Cardholder Data> fields:
  Credit card number:
  Card Type:
  Expiration Date: mm yy
  CVV: (What's this?)
  Cardholder Name:
MERCHANT SYSTEMS
Web Server
16. DATA INTERCEPT FOR SAP
DATA INTERCEPT: Data Intercept Client is Invoked When CSR Attempts to Enter Number into SAP Credit Card Field
TOKENIZATION: SAP Server Makes Immediate Call for Token
Enter CC Number
Card Data Touches SAP, Placing it in PCI Scope vs. Card Data Never Touches SAP, Removing it From PCI Scope
Card Data is Never Stored, Minimizing Scope of PCI Requirement 3
17. DI and PCI Audit Considerations
PCI Audit Process
Data flows: where is your data?
Determination of scope
Use of tokenization removes the SAP/Web App from the data flow
Assessment focused on data entry systems only
What does that mean from a resource perspective?
Eliminate the core application used by all employees from scope
What does it mean to be "In Scope"?
Audit Logging, Vulnerability Scanning, Patching, Access Controls, System Hardening, Penetration Testing, Monitoring, File Integrity
Elimination of data/scope allows an organization to focus resources on critical points of interaction
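To make the scope argument of slides 15 to 17 concrete, here is an added illustration (not Paymetric's code; the vault, the "browser_submit" step standing in for the hosted page script, the authorized-caller list and the order record are all constructed for this example). It models a tokenization layer where the PAN only ever reaches the vault, the merchant tier keeps a random token, and a Luhn-based scan of merchant data is the "where is your data?" check an assessor would run.

```python
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card brands; real PANs pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_pans(text: str) -> list:
    """Data-flow check for the audit: any Luhn-valid 13-19 digit run is a candidate PAN."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]

class TokenVault:
    """Constructed stand-in for the hosted tokenization service: the only store holding PANs."""
    def __init__(self, authorized=("payment-gateway",)):
        self._pan_by_token, self._token_by_pan = {}, {}
        self._authorized = set(authorized)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:  # same card, same token: repeat customers still match
            return self._token_by_pan[pan]
        while True:
            # Random, not derived from the PAN; keeps the last four for display and is made
            # Luhn-invalid on purpose so a PAN scan of merchant systems never flags a token.
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 5))
            token = "9" + middle + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token], self._token_by_pan[pan] = pan, token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the payment gateway gets the PAN back; the ERP and web tier never can."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]

def browser_submit(vault: TokenVault, pan: str) -> str:
    """Client-side step (the dnld.js role in the deck): PAN goes to the vault, token comes back."""
    return vault.tokenize(pan)

def merchant_order_record(token: str) -> dict:
    """What the merchant's web server or SAP actually keeps: token and last four only."""
    return {"order": "A-1001", "card_token": token, "last4": token[-4:]}
```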
18. Benefits of Data Intercept
Seamless process
Reduced risk of a data security breach
Provides logging for PCI Audit Purposes
More tightly control access to data
No Storage of sensitive data
Ease compliance efforts with PCI regulations
Grant your organization safe harbor from new data breach notification laws
Increased security and brand protection
19. WHY PAYMETRIC?
Performance Over 400 of the world’s most respected brands have leveraged
Paymetric solutions over the past decade.
Expertise Paymetric employees have hundreds of years of combined
experience in the payments industry and ERP landscape.
Credibility Paymetric has been the recipient of many awards recognizing the
accomplishments of the company and our solutions.
Innovation Paymetric is consistently first to market with cutting edge solutions
that help companies grow their business and increase security.
Value: On-demand model makes it affordable to experience the benefits of integrated payment card processing and tokenization.
Service: 24 x 7 support includes incident and problem resolution, access to publications and best practices, and much more.
20. QUESTIONS?
Stewart Comrie
VP, Product Management
scomrie@paymetric.com