2011 PaymentSecurityPracticesTrendsReport CyberSource Trustwave


  • 8/3/2019 2011 PaymentSecurityPracticesTrendsReport CyberSource Trustwave

    1/25

Payment Security Practices and Trends Report

2011 MERCHANT PRACTICES, TRENDS, AND BENCHMARKS


Payment Security Practices and Trends Report 2011. 2011 CyberSource, a Visa company. All rights reserved.

Table of Contents

EXECUTIVE SUMMARY ..... 3
PAYMENT SECURITY OWNERSHIP AND DRIVERS ..... 4
PAYMENT SECURITY MANAGEMENT PRACTICES ..... 8
PAYMENT SECURITY OPERATIONS: Staffing & Compliance Management ..... 12
PAYMENT SECURITY COSTS ..... 14
PAYMENT SECURITY MANAGEMENT TRENDS ..... 16
CONCLUSION ..... 20
REPORT AND SURVEY METHODOLOGY ..... 21
RESOURCES AND SOLUTIONS ..... 22
ABOUT CYBERSOURCE ..... 25
ABOUT TRUSTWAVE ..... 25


Executive Summary

For most organizations, managing payment security efficiently and effectively continues to be a challenge. To help businesses understand management trends and practices among their peer group, CyberSource and Trustwave, in partnership with the Merchant Risk Council (MRC), commissioned the Payment Security Practices and Trends Survey. This report summarizes the survey's findings and provides insights and industry benchmarks as well as emerging industry trends.

Overview

Payment security entails managing and securing payment data across an organization's full order lifecycle, from the point of payment acceptance, through fraud management, fulfillment, customer service, funding and financial reconciliation, and transaction record storage. The presence of payment data at any of these points, whether on organization systems, networks or visible to staff, exposes the organization to risk.

To combat this risk, the Payment Card Industry Data Security Standard (PCI DSS)¹ was created to help organizations protect their customers' payment account information by providing increased controls around payment data and its exposure to compromise. As part of adhering to PCI DSS standards, all organizations that process payment data must perform an internal or external audit, and a network scan.

Ultimately, however, the efficacy of an organization's payment security management operation comes down to the approaches and practices applied to securing data in three core areas:

Capture and Transmission (Data in motion): Practices related to securing payment data as it is captured and transmitted by multiple sales systems, sales staff and customer service representatives throughout the order lifecycle.

Storage (Data at rest): Practices related to securing payment data as it is stored in multiple databases and desktop applications, written on slips of paper by call center staff, and even on tape if customer service calls are recorded.

Back-office Tasks: Practices related to securing payment data used by staff during the performance of multiple back-office tasks, including fraud management, chargeback management and payment reconciliation.

The structure of this report examines responding organizations' practices and trends in each of these areas, with the goal of understanding payment security investment drivers, organization structure, and the resulting relative costs of these practices.

Report Highlights

A few highlights found in the survey and discussed in this report include:

Brand Protection is Key Driver of Investment: The need to protect the organization's brand and its revenues was given as the primary driver for investment in payment security.

Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.

Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.

Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.

¹ PCI DSS Security Standards Council; https://www.pcisecuritystandards.org/


Payment Security Ownership and Drivers

Ownership

There are four departments within organizations that are typically responsible for payment security. They include: IT, Finance, Legal or Compliance, and Operations. In the majority of organizations participating in the survey, payment security was managed by one of two groups: IT or Finance. For over half of all organizations (57%), the IT department maintains payment security ownership (see Chart 1).

Note: The PCI DSS Security Standards Council defines four merchant or organizational levels², based on annual transactional card volume processed. For this report, survey results were segmented into two groups:

Level 1: organizations processing over 6 million global payment card transactions annually

Level 2-4: organizations processing fewer than 6 million global payment card transactions annually

Today, IT departments are most likely to have responsibility for payment security in both large and small organizations. However, the organization's number of annual transactions does matter: Finance tends to retain greater payment security ownership within Level 2-4 organizations. In fact, in nearly a third (30%) of Level 2-4 organizations, payment security is managed by Finance, compared to just 12% in Level 1 organizations. Further breakdowns by organization levels are shown in Chart 2 and Chart 3.

² PCI DSS Security Standards Council; https://www.pcisecuritystandards.org/


Ownership varies by industry. Although respondents reported IT ownership in well over half of the organizations in each industry sector surveyed, there were several notable exceptions. Finance is more commonly responsible for payment security in both educational (80%) and government (50%) services organizations (see Chart 4).


Drivers of Payment Security Investment

Regardless of ownership within an organization, a primary driver for investment in payment security is the protection of the brand or revenue (selected by 69% of respondents), rather than avoiding bank fines for non-compliance (see Chart 5). One of the largest investments an organization can make is in the development and ongoing protection of its brand. Security breaches can significantly tarnish the brand image and affect long-term revenues.

Motivation for investing in payment security also varied by department. Both IT and Finance departments' security investments were mainly driven by brand and revenue protection (for approximately 70% of respondents). However, in the instances where Legal departments owned the practice, the driver was more often to avoid fines.

Different motivators for each group are likely due to the inherent corporate responsibility. For instance, IT needs to maintain an overall security perimeter to keep hackers from infiltrating the infrastructure and harming the brand; Finance seeks to ensure that all financial aspects remain efficient and that revenue continues to be generated and properly recognized; Legal wants to ensure legal obligations are met and remain in accordance with state and federal laws.

Breach Impact on Organizations

Motivators are likely related to the real impact a breach can have on an organization's brand, revenue and value. Consider the following:

Tarnished Brand

In the U.S., most states mandate that any organization suffering a breach must disclose it to the impacted individuals³. The media attention generated by a publicly disclosed breach can have a significant impact on the organization's brand reputation as well as on revenues. Statistically, in the first year of an occurrence, more than 50% of the stories written about an organization are devoted to coverage of the breach⁴.

Customer Loss

Customers affected by a security breach are likely to lose confidence and change their future buying behavior. For instance, 55% of victims will have less trust in the organization, and approximately 30% will discontinue buying from that company in the future⁵.

Stock Valuation

Organizations can lose from 0.63% to 2.10% in stock price value when a security breach is reported. This equates to an average market capitalization loss of $860M to $1.65B per incident⁶.

³ National Conference of State Legislatures; http://www.ncsl.org/default.aspx?tabid=13489
⁴ Factiva; September 2006; Source: http://www.continuitycentral.com/news02793.htm
⁵ Javelin Strategy and Research; June 2008; Source: http://www.tawpi.org/uploadDocs/Data_Breach_survey.pdf
⁶ CMO Council; September 22, 2006; Secure the Trust of Your Brand


Sources of Payment Security Risk

Although security breaches by external hackers garner much public attention, threats that originate from within the organization can be equally damaging. Within an organization, payment data is exposed and at risk at many points in the order management process, from sales to the back-office.

When asked about the risk of payment data being stolen by employees versus external hackers, organizations reported that the payment security threat was perceived as nearly equal (see Chart 6).

The risk of breach from employees was perceived as slightly higher (38%) in Level 1 organizations versus Level 2-4 (35%). This difference may be related to the challenge of monitoring a larger staff, in addition to the relative anonymity that exists in a larger company.


Payment Security Management Practices

Typically, organizations adopt either an on-site or remote payment security strategy, or have a hybrid approach as they transition from one to the other.

With an on-site strategy, payment data is secured in-house and on the organization's own network and systems, using encryption and similar technologies. The focus of this strategy is to lock the payment data down to eliminate the security risk.

In contrast, some organizations adopt a hosted or remote strategy, where payment data is captured, transmitted, and stored by a PCI DSS-certified payment service provider, which then returns secure tokenized payment information back to the organization. This strategy focuses on eliminating payment data from the environment, from capture through storage, versus securing it within the environment.

The following sections examine the use of on-site and remote approaches as they relate to organizational practices during capture and transmission, data storage and performance of back-office tasks.

Data Capture and Transmission

The survey asked respondents to report on the approach being used to secure payment data during capture and transmission across their various sales channels. Chart 7 shows organizational use of a remote strategy is currently highest in the call center channel, with point of sale (POS) close behind. Most organizations reported using primarily an on-site strategy in the online channel.

Level 2-4 organizations are more likely than Level 1 organizations to use remote capture strategies in online and call center channels (see Chart 8).

Level 2-4 organizations typically have smaller, less complex infrastructures than Level 1 organizations, and therefore are less likely to invest heavily in solutions that require on-site maintenance and IT expertise. Rather than build a proprietary solution in-house, these companies tend to deploy third-party solutions that host the payment data fields, providing secure capture and transmission of the payment data so it never enters the organization's network.

In addition, the initial deployment of PCI DSS requirements was focused primarily on Level 1 organizations. Remote strategies were not readily available at that time. The Level 1 organization often invested in on-site strategies to meet the initial requirements, perhaps delaying their migration to remote strategies today.


Over half of the organizations surveyed report that their call center staff has visibility to raw payment data. Similarly, of those that have face-to-face sales staff, 40% report payment data remains visible to staff.

However, when segmenting by organization level, Chart 9 shows that Level 1 organizations are less exposed to raw payment data during customer interactions than Level 2-4 organizations. In addition, 45% of smaller companies with call center staff are exposed to full account information.

BEST PRACTICE

Create a more secure payment environment by minimizing staff interaction with raw payment data. While exchange of payment data is necessary for call centers and customer-facing staff during the order process, payment information can be handled using a hosted payment acceptance solution that bypasses your environment (reducing PCI DSS scope), or via a separate payment interaction solution such as IVR (interactive voice response) and DTMF (dual-tone multi-frequency) that is hosted outside your environment, connecting customers directly with payment service providers.


Securing Payment Data Storage

According to the PCI DSS, those that employ on-site storage strategies must store the account information in a tokenized, encrypted or otherwise unreadable format.

Today, 57% surveyed report storing their payment data on-site using either encryption or tokenization as a security measure. Another 43% of organizations reported employing a remote storage strategy (see Chart 10).

Level 2-4 organizations are more likely to use a remote storage strategy than larger (Level 1) organizations, which currently tend to store the data on their own networks. The survey found that 43% of Level 2-4 organizations and 38% of Level 1 organizations use a remote strategy (see Chart 11).

For many companies, payment data is decentralized: used by several different departments and systems, and housed in multiple databases across the organization. With payment data spread throughout, payment security can become complex. To simplify payment security management, some are centralizing their payment systems infrastructure, where sales systems and access to payment processors are tied to a central management, reporting, and administration infrastructure across all sales channels. Over two-thirds of the survey respondents reported employing a centralized platform. Another 15% reported they would be centralizing in the next two years. However, 9% of organizations still reported employing decentralized systems with no plans to change.

BEST PRACTICE

To better manage payment data and reduce the impact of a breach, centralize your payment data and substitute primary account numbers (PAN) with payment tokens generated by a PCI DSS-certified service provider. Centralized platforms reduce the cost and complexity of managing security across multiple sales channels, allow operation with fewer staff, and reduce points of vulnerability. Tokenization enables elimination of data from your environment, making it unavailable to staff or hackers, while still letting you transact billing and returns as you normally do.


Back-office Payment Data Exposure

Back-office staff is also exposed to payment data during tasks such as manual review, chargeback management, account updating for billing/account-on-file, and related reconciliation tasks. Accounting and fraud review staff were reported as having the most exposure to raw payment data. Nearly a third (32%) of Level 1 organizations surveyed have raw data visible to fraud review staff, compared with 24% of Level 2-4 organizations (see Chart 12).

BEST PRACTICE

Reduce staff exposure to payment data by populating customer records with a payment token. Raw payment data is no longer required as tokens can be formatted to include identifying information without exposing payment data. In instances when personal data visibility and automated account data updating is required, outsource the operation to a qualified third-party.
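The two best-practice boxes on storage and back-office exposure describe one pattern: the merchant keeps only a provider-issued token that carries identifying information (brand, last four digits), while the primary account number lives solely with the service provider, which performs billing and returns on the merchant's behalf. The Python sketch below is an added example and is not CyberSource, Trustwave or MRC code. `ProviderVault` is a hypothetical stand-in for a PCI DSS-certified tokenization service (in a real deployment it runs outside the merchant environment and encrypts what it holds), `MerchantRecords` shows what the merchant's own customer database keeps, and `contains_pan` is the kind of scope check an assessor would run over exported records. The card numbers used are constructed Luhn-valid test values, not real accounts.

```python
"""Merchant-side tokenization sketch: replace stored PANs with provider tokens.

Added illustration, not CyberSource, Trustwave or MRC code. ProviderVault is a
hypothetical stand-in for a PCI DSS-certified tokenization service that lives
outside the merchant environment; MerchantRecords is what the merchant keeps.
"""
import hashlib
import hmac
import re
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before anything is sent to the vault."""
    digits = [int(d) for d in pan if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Coarse brand from the leading digits; enough to label a token for staff."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "mc"
    if pan[:2] in {"34", "37"}:
        return "amex"
    return "other"


class ProviderVault:
    """Hypothetical stand-in for the service provider: the only holder of PANs."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)      # keys the card index
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fp: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash so a repeat card maps to the same token without the index
        # being an unkeyed (and therefore brute-forceable) digest of the PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:
            return self._token_by_fp[fp]
        # Token layout: brand and last four are visible (identifying information);
        # the middle is random letters, so the PAN cannot be derived from the token.
        middle = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        token = f"tok_{card_brand(pan)}_{middle}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Provider-side billing/returns: the PAN is resolved here and never
        returned to the merchant. Approval is simulated."""
        pan = self._pan_by_token[token]               # KeyError for unknown tokens
        return {"approved": amount_cents > 0, "last4": pan[-4:], "amount": amount_cents}


class MerchantRecords:
    """What the merchant's own customer database holds: tokens, never PANs."""

    def __init__(self, vault: ProviderVault) -> None:
        self._vault = vault
        self._customers: dict[str, dict] = {}

    def add_card(self, customer_id: str, pan: str) -> dict:
        token = self._vault.tokenize(pan)             # the PAN leaves the merchant here
        record = {"customer": customer_id, "token": token,
                  "brand": token.split("_")[1], "last4": token[-4:]}
        self._customers[customer_id] = record
        return record

    def staff_view(self, customer_id: str) -> str:
        """Call-center / back-office view, built from the token alone."""
        r = self._customers[customer_id]
        return f"{r['brand'].upper()} ****{r['last4']}"

    def bill(self, customer_id: str, amount_cents: int) -> dict:
        return self._vault.charge(self._customers[customer_id]["token"], amount_cents)


def contains_pan(blob: str) -> bool:
    """Scope check: does a serialized record still carry a Luhn-valid 13-19 digit run?"""
    flat = re.sub(r"[ -]", "", blob)
    return any(luhn_valid(run) for run in re.findall(r"\d{13,19}", flat))


if __name__ == "__main__":
    vault = ProviderVault()
    merchant = MerchantRecords(vault)
    # Constructed test card number (Luhn-valid, not a real account).
    rec = merchant.add_card("cust-42", "4111 1111 1111 1111")
    print(rec)
    print(merchant.staff_view("cust-42"))
    print("PAN in merchant record:", contains_pan(str(rec)))
    print(merchant.bill("cust-42", 1999))
```

The random middle of the token is deliberately made of letters only, so a record scanner looking for 13-19 digit runs cannot confuse a token with a card number; the keyed fingerprint lets the provider return the same token for a returning card without keeping a plain hash of the PAN that could be brute-forced across the small card-number space.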


Payment Security Operations: Staffing & Compliance Management

Payment Security Staffing

Nearly all organizations reported requiring the equivalent of at least one full-time staff member to manage payment security operations. Overall, organizations using a remote strategy employed fewer full-time equivalent (FTE) payment security staff in comparison to those using an on-site strategy.

Level 1 organizations average 2.4 FTE staff while Level 2-4 organizations average slightly fewer, at 1.9. In addition, more Level 2-4 organizations (68%) than Level 1 organizations (64%) reported having fewer than three FTE staff, possibly because larger organizations require more resources due to scope (see Chart 13).

Compliance and Certification

Completing PCI DSS validation in a timely manner is important to uncover any potential security issues, avoid fines, retain the ability to accept credit card payments, and reduce overall cost and overhead. The cost of PCI DSS validation is a direct function of the time required to complete the process.

Chart 14 compares the number of weeks required to complete PCI DSS certification using remote and on-site strategies. Nearly all organizations (87%) with remote storage strategies were able to complete certification in less than 20 weeks. In contrast, 79% of on-site storage organizations were able to complete certification in the same time period.

The difference in number of weeks to complete PCI DSS validation by payment security approach is likely due to the number of systems and points of contact that are seen as being in scope, and therefore requiring an audit or scan. Organizations with an on-site approach are likely to have more systems, devices, and processes in-scope than those adopting a remote approach.

BEST PRACTICE

To reduce the time and resource investment required to validate PCI DSS compliance, seek to reduce the scope of the overall audit by reducing the number of systems that must be included in the audit. Removing payment data from your environment and lowering instances in which staff interact with the data will contribute to a reduction in scope for PCI DSS requirements 1, 3, 4, and 9 (for definitions of all 12 requirements, see the Glossary).


PCI DSS Requirement 6.6 Compliance

Security of Public-facing Web Applications

Compliance with PCI DSS requirement 6.6 (see Glossary for definition) has been of particular interest since its introduction in 2008. This requirement provides options intended to ensure that public-facing web applications are protected from common threats to cardholder data.

The first option, application protocol testing, can often be onerous for a business to undertake, sometimes requiring specialized personnel to be hired. Organizations using this option likely use application penetration testing by external validation.

The second option is to adopt a web application firewall approach that, similar to the first option, requires hiring and training of the proper staff.

Survey results displayed in Chart 15 show that 59% use both application protocol testing and web application firewalls to meet the PCI 6.6 requirement. It is by far the most popular method, with the application protocol testing only option a distant second at 12%.

Other categories included outsourcing, external scans, patch management, code audits, HIDS (host intrusion detection system) and NIDS (network intrusion detection system).

Extended Validation

An Extended Validation (EV) secure sockets layer (SSL) certification provides a more stringent validation process than the typical SSL certification, assuring customers that their data is safe with the seller during the purchase process. Certificates protect an organization's transactions with its customers by encrypting sensitive data during transmission from customer to seller, including payment card numbers. See Figure 1 for an example of EV SSL certification representation.

Figure 1: EV SSL-Certified Website

Of the 30% of organizations that use EV SSL, most reported using the approach to increase consumer shopping confidence (63%). In addition, Chart 16 shows that slightly more Level 2-4 organizations (68%) adopted EV SSL than Level 1 organizations (63%).

BEST PRACTICE

No single point solution can provide complete security and PCI DSS validation. Ensure the highest level of payment security and compliance status by deploying multiple security controls, which also address compliance with the PCI DSS 6.6 requirement.


Payment Security Costs

The cost of managing payment security varies by organization, organization level, and perceived importance of security within each environment. Understanding the impact of a payment security approach on overall payment security management costs requires an analysis of infrastructure and technology costs, as well as cost of personnel.

Infrastructure and Technology Costs

Organizations were asked about their annual spend on infrastructure and services in 2010, excluding staff. These costs include services (remote tokenization and storage, compliance auditing, etc.), encryption products/licenses (encryption generating software, encryption key storage, etc.), and systems (storage, databases, etc.) associated with management.

Overall, Level 1 organizations adopting an on-site strategy spent more on infrastructure and services (Chart 17) than those using a remote strategy (Chart 18). As a comparison, 60% of those with an on-site approach spent under $0.5M as opposed to 75% of those with a remote strategy.

Level 2-4 organizations' spend on payment security management was the same regardless of whether an on-site or remote approach was utilized.


Personnel Costs

Using reported FTE and industry data for personnel costs (includes salary, benefits, training expenses, and related personnel management costs), estimates of personnel costs were derived for each strategy and organizational level. Level 1 organizations with an on-site strategy, on average, spend nearly $1.7M annually on personnel costs compared to those using a remote strategy, which spend approximately $1.1M, a difference of nearly $0.6M per year (see Chart 19).

Level 2-4 organizations with an on-site strategy spend, on average, a little over $1.5M versus those using a remote strategy that spend $1M annually, a difference of nearly $0.5M (see Chart 19).

Total Payment Security Costs

By combining reported infrastructure costs and calculated personnel costs, the impact of payment security practices on the total cost of management can be assessed (see Chart 20). According to the data compiled in this survey, Level 1 organizations using an on-site strategy will spend, on average, nearly 75% more per year on payment security than those organizations using a remote strategy. The same trend holds for Level 2-4 organizations, albeit on a smaller scale. Level 2-4 organizations adopting an on-site approach spend $0.3M more annually on payment security versus those adopting a remote approach.


Payment Security Management Trends

Trends in Data Capture Practices

Survey results indicate that more organizations will be capturing payment data remotely over the next 24 months across all sales channels (online, call center, and POS), for both Level 1 and Level 2-4. The results are shown in Chart 21 and Chart 22. The largest increases are in Level 2-4, where online adoption jumps from 38% to 48% and POS from 21% to 32%.

The trend to reduce the exposure to raw payment data can be attributed to two primary factors. First, moving payment data out of the environment reduces PCI DSS scope. Second, rendering raw payment data inaccessible to internal sources reduces the risk of payment data being stolen by employees.

Both Level 1 and Level 2-4 organizations expect to reduce staff access to raw data in call center and face-to-face environments over the next 24 months, with Level 1 doing so at a higher rate than Level 2-4 (see Chart 23 and Chart 24).


Trends in Data Storage Practices

More organizations are considering a move to storing payment data remotely with a PCI DSS-certified service provider (versus on-site). Half of the organizations surveyed indicated shifting to a remote strategy over the next two years (see Chart 25). The shift to remote storage may be due to the desire to reduce the risk and impact of a security breach on the organization's brand. When analyzing results by organization level, both Level 1 and Level 2-4 organizations see similar gains in remote strategy adoption.


Trends in Back-office Practices

Organizations expect visibility of payment data in the back-office to decline over the next two years. However, Level 1 organizations still expect to operate with higher levels of payment data visibility than their Level 2-4 counterparts (see Chart 26).


Complexity, Cost, Time & Resources

Organizations were queried about their expectations regarding the cost and complexity of managing payment security in the future. Overall, over half of the organizations said cost, complexity and resource requirements would increase (see Chart 27).


Conclusion

Despite the expectation that cost, resource requirements, and technical complexity will increase over the next 24 months, managers continue to seek ways to boost efficiency in each area. And the reason is clear: inadequate protection of customer payment data can have a detrimental effect on the organization's business. The payment data management strategy deployed must help reduce complexity, resource dependency, and costs while increasing efficacy and reducing PCI DSS scope.

Survey results indicate a general trend for many organizations to move towards a remote payment security strategy. While an on-site strategy is currently preferred by larger organizations, organizations using this strategy also report higher investments in systems and devices, a higher level of staffing, and longer time frames to validate compliance. Organizations using remote strategies report lower expenses in these areas and the ability to achieve PCI DSS validation in a shorter time frame.


Report and Survey Methodology

The CyberSource and Trustwave Payment Security Practices and Trends Report, developed in association with the Merchant Risk Council (MRC), is based on a survey of organizations residing and trading in North America. Organizations that participated in this survey offered products or services to customers spanning the government, education, non-profit, business and consumer sectors. Most respondents were either ultimately responsible for, or had significant influence on, policy and security management decisions.

The survey was conducted via online questionnaire by handl Consulting and completed by 117 participants between December 6, 2010 and January 31, 2011.


Resources and Solutions

CyberSource

CyberSource payment security solutions include Payment Tokenization, Hosted Payment Acceptance, and Automated Account Updater.

Eliminate Capture and Transmission Risk: Using CyberSource's Hosted Payment Acceptance service, you can accept and process payment data without the data ever touching your network.

Eliminate Payment Data Storage Risk: Payment tokenization gives you the ability to secure your payment data in CyberSource's PCI DSS-certified datacenters, removing the use of raw payment data from your network by exchanging that data for a payment token, useless to hackers and devious employees.

Reduce Back-office Risk: Format-preserving tokens make it easy for customer service and back-office staff to perform tasks without exposure to payment data. Automated account updater services automatically update billing and account-on-file records, reducing the need for staff to interact with customer payment data during updates or billing failures.

CyberSource Payment Management Solutions

Global Payment Services: Sell anywhere in the world by accepting the payment types preferred in local markets. Transact in over 190 countries and fund in 21 currencies. Worldwide and country bank cards, PIN-less debit, debit cards, bank transfers, direct debits, Bill Me Later, PayPal, subscription/recurring billing, real-time global tax calculation, and dynamic currency conversion.

Fraud Management: Close your threat window while keeping good customers happy. When faced with multiple ongoing and changing fraud threats, the ability to quickly detect and deter these attacks without impacting your customers has a direct bearing on your bottom line. CyberSource Decision Manager provides automated fraud screening, rule console, case management system and analytics.

Trustwave

Trustwave is a global provider of payment security and PCI DSS compliance solutions.

Payment Security: Trustwave's End-to-End Encryption and Tokenization solutions protect payment card data in motion and while stored to simplify security infrastructure and reduce the scope of PCI compliance.

PCI DSS Compliance: Trustwave offers unmatched resources and experience in guiding customers through the process of PCI DSS compliance, from initial scheduling of your review to final preparation of documentation. As the global leader in PCI DSS compliance solutions and services, Trustwave offers comprehensive compliance programs for acquiring banks and ISOs, payment service providers, POS providers, and merchants of all sizes.

Comprehensive Data Security: Trustwave offers a robust portfolio of best-in-class data security products, including:

- Award-winning, patented technology, including encryption, data loss prevention, network access control, application security, security information and event management
- Managed security services to reduce the management burden of a comprehensive data security program
- Industry-leading security research and expertise from Trustwave's SpiderLabs


Additional Sources

Stock prices, Yahoo! Finance, www.finance.yahoo.com
ComputerWorld, "One Year Later: Five Takeaways From the TJX Breach." January 17, 2008. Vijayan, Jaikumar
CyberSource, "Enterprise Payment Security 2.0." 2011. Glaser, David
CyberSource, "A Manager's Guide to Comparing the Cost of Payment Security Strategies." 2010. Anderson, Lisa, and Huang, Yu-Ting
CyberSource, "CyberSource Enterprise Payment Security Solutions." 2009
Trustwave, "Payment Card Trends and Risks for Small Merchants: A Supplement to Trustwave's 2011 Global Security Report." 2011.
Trustwave, "2011 Global Security Report." 2011.


Glossary of Terms

On-site strategy: Payment data is managed and secured during capture, transmission, and storage using your own staff, systems and infrastructure that could be owned, leased, or licensed by your company.

Remote strategy: One or more service providers manage payment data security on your behalf. This could include technologies such as hosted payment tokenization or end-point encryption with remote data storage, and hosted payment acceptance where the cardholder data is captured directly by the payment network via a hosted order page or interactive voice response system.

Payment data: Data that facilitates the payment transaction process. Includes credit or debit card numbers, name, address, and telephone number.

Organization Level, as defined by the PCI Security Standards Council:
Level 1: Merchants processing over 6 million transactions annually across all channels.
Level 2 - 4: Merchants processing less than 6 million transactions annually across all channels.

Tokenization: Replacement of sensitive data with a unique identifier that cannot be mathematically reversed.

Encryption: Conversion of data into a form that cannot be easily understood by unauthorized personnel. Requires a key to decode the data.

Hosted Payment Acceptance: A PCI DSS-certified third party hosts the payment data fields displayed on your website, then captures, transmits, and stores that data outside your network.

Payment Service Provider: Entity that offers organizations online services for accepting electronic payments through a variety of payment methods including credit card, bank-based payments, and online banking.

PCI DSS Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications

PCI DSS Requirements: See Chart 31


    CyberSource North America

    CyberSource Corporation HQ

    Phone: 650.965.6000

    Fax: 650.625.9145

    Email: [email protected]

    CyberSource Europe

    CyberSource Ltd

Phone: +44 (0) 118 929 4840

    Fax: +44 (0) 870 460 1931

    Email: [email protected]

    CyberSource Japan

    CyberSource KK (Japan)

    Phone: +81-3-5774-7733

    Fax: +81-3-5774-7732

    Email: [email protected]

CyberSource Asia Pacific

    CYBS Singapore Pte Ltd

    T: +65 6499 2000

    F: +65 6437 5879

    Email: [email protected]

    Trustwave North America

    Trustwave Corporate HQ

    70 West Madison Street, Suite 1050

    Chicago, IL 60602

    Phone: 312.873.7500

    Fax: 312.443.8028

    Email: [email protected]

    Trustwave European Headquarters

    Westminster Tower

8th floor

    3 Albert Embankment

London SE1 7SP

    Phone: +44 (0) 845 456 9611

    Fax: +44 (0) 845 456 9612

    [email protected]

Trustwave Asia-Pacific Headquarters

    Level 26

    44 Market Street

    Sydney NSW 2000

    Australia

    Phone: +61 2 9089 8870

    Fax: +61 2 9089 8989

    Trustwave Latin America Headquarters

    Rua Cincinato Braga, 340 n 71

Edifício Delta Plaza

    Bairro Bela Vista

São Paulo SP

    CEP: 01333-010

    BRASIL

    Phone: +55 (11) 4064-6101

About CyberSource

CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 330,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Mountain View, California with international offices in Reading, U.K.; Singapore; Tokyo; and Middle East. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.com or email [email protected].

For More Information

Call 1.888.330.2300
Email [email protected]
Visit www.cybersource.com

About Trustwave

Trustwave is a global provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions including WAF, NAC, SIEM and EV SSL certificates. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com.

For More Information

Call 1.888.878.7817
Email [email protected]
Visit www.trustwave.com