PCI Compliance Explained And Why It Should Matter To Your Business

1. Presents: PCI Compliance Explained and Why it Should Matter to Your Business Presented by: John Bedrick, AccuCode Topic Here

2. Agenda About AccuCode Industries that need to be PCI Compliant and Does PCI DSS Apply to My Business? Data Breach News and Who is at risk? What is being stolen (at risk) and What is being attacked? What the Payment Card Industry (PCI) Data Security Standards (DSS) are and how they came to be Merchant Levels and how that applies to your business (validation requirements) PCI DSS Requirements Benefits to being PCI Compliant and the consequences of being non-compliant to the PCI DSS Definition of a compromise AO:Compliance™ and Next steps on the road to becoming PCI Compliant Questions and Answers

4. VAR, Professional & Managed Services, Commercial Software Products

5. National leader in application of retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies

6. Fastest Growing Privately Held Company in the U.S.

8. Industries, Data and Systems Impacted By PCI DSS

9. Industries Affected by PCI DSS

10. Data Breach News Clips Breach News Breach News Breach News Breach News Breach News Breach News Breach News Breach News 1/26/2011 - Hamilton Beach Brands –Hacker code was discovered on servers that host hamiltonbeach.com & proctorsilex.com. The servers were breached on January 5th, 2011. Customer names, credit card data, addresses, telephone #s & emails were captured. 3/17/ 2008- Hannaford Bros. Supermarket chain –The company is currently aware of about 1,800+ cases of reported fraud related to the security breach. 4.2+Million credit & debit card #s were stolen. Albert Segvec Gonzalez (1 of the hackers) was also involved in the TJX data breach. 1/17/2007– TJX Companies – Unauthorized intrusions into computer systems that process & store customer transactions including: credit card, debit card, check & merchandise return transactions. Data from 2003 - December 2006 may have been accessed. 2/24/2011 - Snow Creek Ski Resort –A hacker was able to obtain payment card information around Friday February 18th. Information from electronic card transactions that were performed on-site were exposed. 3/10/2011 - Se San Diego Hotel –Malicious software was uploaded to the Hotel's computer system sometime around September of 2010. Customer credit card information was obtained and sold to a group of seven people who used the information to make fraudulent charges. 3/15/2011 - Nation's Giant Hamburgers – Over 200 cases of identity theft were traced to Nation's Giant Hamburgers in Vacaville, CA. The cause of the breach was said to be a problem with the credit card machines in the store. 3/15/2011 - Health Net Inc. – Nine servers containing sensitive health information went missing from Health Net's data center. The servers contained personal and financial data of 1.9 million current and former policyholders. 3/28/2011 - Major Boston Restaurant Group That Failed to Secure Personal Data to Pay $110,000 Under Settlement – Penalty Paid In Connection With 2009 Data Breach At Restaurants That Include Ned Devine’s, The Green Briar, The Harp, And Others.

11. Industries Breached Statistics Source: Trustwave - 2011 Global Security Report

12. Types of Data at Risk Source: Trustwave - 2011 Global Security Report

13. Types of Target Assets Source: Trustwave - 2011 Global Security Report

15. Via telephone (card absent*)

16. Online / Web / Internet – eCommerce (card absent*)

17. Via Facsimile/Fax (card absent*)Regardless of the size of your business or the volume of transactions you do each year While checks are not covered under PCI DSS they may be covered under state privacy laws * = Commonly referred to as “Card Not Present”

18. What is the Payment Card Industry (PCI), how it came to be and what is cardholder data?

21. Payment Application Data Security Standard (PA-DSS)

22. PIN Transaction Security (PTS) Requirements

23. QSA/PTS Lab education, certification, and quality assurance

24. Final validation and listing maintenance for PA-DSS validated applications Led by Executive Committee composed of representatives from the card brands Board of Advisors offers guidance on the evolution of the PCI DSS

25. Role of the PCI SSC Improve payment account security throughout the transaction process by way of the PCI DSS Manage the evolution of security standards The PCI SSC is NOT responsible for enforcing compliance. Payment card brands and acquiring banks enforce PCI compliance.

27. Expiration date

28. Name

29. Address

31. Verifies possession and number legitimacy

32. Storage not permitted after authorizationMasterCard: CVC2-Card Validation Code Visa: CVV2-Card Verification Value Discover: Card member ID American Express: Card Identification Number CVV2/CVC2 CID

33. PCI Data Security Standard (DSS)Goals, Requirements and Common PCI Compliance Failures

34. PCI DSS Requirements

35. Compliance to the PCI DSS - Requirements 98.4% 97.5% 99.2% 95.1% 92.6% 90.9% 83.6% 74.6% 68.9% 48.4% 8.1% 7.4% Source: Trustwave - 2011 Global Security Report

36. Merchant levels and How it Applies to Your Business (Validation requirements)

37. The Mandate: Merchant Levels DefinedVisa, MasterCard, Discover, & JCB *Any merchant can be assigned to a specific level by their acquirer, bank, or by a card brand.

38. The Mandate: Merchant Levels DefinedAmerican Express (AMEX) *Any merchant can be assigned to a specific level by their acquirer, bank, or AMEX. **Compliance at this level is strongly suggested, but not mandated.

39. Benefits of Compliance andConsequences of Non-Compliance

42. Increases consumer confidence

44. Improves security policies

46. Fraud chargebacks

47. Business shutdown

49. Notification

50. Civil litigationIndividual criminal prosecution

52. Expiration Dates

53. CVV2/CVC2/CID

54. Track Data

56. AO:Compliance™ and Next Steps

57. AO:Compliance Makes PCI Compliance as Easy as: