PCI 101

Trustwave Corporate Profile

Copyright Trustwave 2008 Confidential

Founded in 1995

Approximately 600 employees in 21 locations on six continents

Chicago is global HQ; London, Sydney and Sao Paulo are regional HQs

Security Operations Centers in Chicago and Warsaw

Award-winning, patented security technology

Thousands of customers throughout the world, including 6 of the Fortune Top 10

Awards and analyst ratings:
2009 SC Magazine "Recommended" - Managed Security Services
2010 SC Magazine "Finalist" - Encryption
2009 Frost & Sullivan - NAC Best Practices
Forrester 9 out of 10 rating - NAC solution

Trustwave is an established company serving a global client base with industry-leading solutions


Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series

MSSP with more than 1,400 devices under management

Monitor more than 18 million events per day

Top 10 global Certificate Authority with more than 40,000 SSL certificates issued

Performed more than 2,000 network and application penetration tests

Conducted more than 740 forensic investigations

PCI DSS leader: Trustwave has certified 42 percent of PSPs (payment service providers) and 40 percent of Payment Applications.

Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)

The leader in compliance and data security


Global Presence

Global Headquarters: Chicago, IL
EMEA Headquarters: London, UK
LAC Headquarters: Sao Paulo, Brazil
APAC Headquarters: Sydney, Australia

Toronto, Canada
Bogotá, Colombia
Dallas, TX
Austin, TX
Mexico City, Mexico
Santiago, Chile
Pretoria, South Africa
Dubai, United Arab Emirates
Mumbai, India
Tokyo, Japan
Shanghai, China
Beijing, China
Rennes, France
Stockholm, Sweden
Budapest, Hungary
Kiev, Ukraine
Pittsburgh, PA
Boston, MA
Denver, CO
Warsaw, Poland
Frankfurt, Germany
Annapolis, MD
Belo Horizonte, Brazil

Payment Card Acceptance

The Payment Card Industry's Data Security Standard states:

PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data

The Mandate: Visa Merchant Levels Defined

Merchant classification criteria (as of July 18, 2006):

Level 1: Any merchant, regardless of acceptance channel, that processes over 6 million Visa transactions per year; in some cases, a merchant that suffered a hack or an attack that resulted in an account data compromise; or any merchant that has been identified by any other payment card brand as Level 1.

Level 2: Any merchant that processes 1 million to 6 million Visa transactions per year, regardless of acceptance channel.

Level 3: Any merchant that processes 20,000 to 1 million Visa e-commerce transactions per year.

Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions per year, or fewer than 1 million Visa transactions per year regardless of acceptance channel.

Validation Actions Depend on Level

Level 1
  Annual On-site PCI DSS Data Security Assessment, validated by a Qualified Security Assessor (QSA). Deadline: 9/30/04 (Visa's new Level 1 merchants have up to one year from identification to validate).
  Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV).

Level 2
  Annual PCI DSS Self-Assessment Questionnaire (validated by the merchant) or Annual On-site PCI DSS Data Security Assessment (validated by a QSA). Deadline: 6/30/05 (Visa's new Level 2 merchants have until 9/30/07).
  Quarterly Network Scan, validated by an ASV.

Level 3
  Annual PCI DSS Self-Assessment Questionnaire, validated by the merchant. Deadline: 6/30/05.
  Quarterly Network Scan, validated by an ASV.

Level 4
  Annual PCI DSS Self-Assessment Questionnaire, validated by the merchant.
  Quarterly Network Scan, validated by an ASV.
  Validation requirements and dates are determined by the merchant's acquirer.

PCI DSS Standard Overview

Six Goals, Twelve Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors

Top PCI DSS Violations

Violations found in incident response investigations in 2009:

Requirement 1: Install and maintain a firewall to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults
Requirement 3: Protect stored data
Requirement 6: Develop and maintain secure systems and applications
Requirement 8: Assign a unique ID to each person with computer access
Requirement 10: Track and monitor access to network and card data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
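Requirement 3 (protect stored data) is on the list of violations above, and the TrustKeeper Agent described later in this deck is sold as monitoring data storage settings. The concrete check behind both, whether run by an assessor or by a forensic investigator after a breach, is a search of the merchant's disks and logs for unencrypted primary account numbers (PANs). The following is an added example, not code from this deck or from Trustwave's TrustKeeper product: it finds candidate card numbers in text, keeps only those that pass the Luhn check and match a brand prefix and length, and reports them masked to first six and last four digits so the report itself does not become stored cardholder data. The brand prefix table is a deliberately simplified assumption (real BIN ranges are far larger), and the sample POS log is constructed, using the widely published test card numbers rather than real cards.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a longer digit run is not split into a PAN).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix/length rules. Assumption: a simplified set covering the four
# brands most often seen in merchant data; real BIN tables are far larger.
_ISSUER_RULES = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("MasterCard", re.compile(r"^(?:5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every major card brand's PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_of(digits: str):
    """Return the brand whose prefix/length rule matches, or None."""
    for name, pattern in _ISSUER_RULES:
        if pattern.match(digits):
            return name
    return None


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return [(masked_pan, issuer), ...] for each Luhn-valid PAN found in text."""
    hits = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            issuer = issuer_of(digits)
            if issuer is not None:
                hits.append((mask_pan(digits), issuer))
    return hits


def scan_lines(text: str):
    """Line-numbered report for an investigator: [(line_no, masked_pan, issuer), ...]."""
    report = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for masked, issuer in find_pans(line):
            report.append((line_no, masked, issuer))
    return report


# Constructed sample: a POS application log of the kind recovered from a
# compromised system. The card numbers are published test numbers, not real cards.
SAMPLE_LOG = """\
2009-04-15 12:30:45 order=1234567890123456 status=approved amount=42.17
2009-04-15 12:30:46 card=4111 1111 1111 1111 exp=1211 auth=OK
2009-04-15 12:31:02 card=5555-5555-5555-4444 exp=0312 auth=OK
2009-04-15 12:31:40 track=%B378282246310005^DOE/JOHN^1211101?
2009-04-15 12:32:05 card=4111111111111112 exp=0110 auth=DECLINED
2009-04-15 12:32:30 card=6011111111111117 exp=0911 auth=OK
"""

if __name__ == "__main__":
    for line_no, masked, issuer in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: {issuer} PAN stored in clear ({masked})")
```

Run against the sample, the scanner reports the four test PANs on lines 2, 3, 4 and 6 and ignores the 16-digit order number (fails Luhn) and the declined card on line 5 (a single wrong check digit). Line 4 is the worse finding: full Track 1 data after authorization is prohibited outright, not merely required to be encrypted. Treat every hit as a lead rather than a verdict; other identifiers can be Luhn-valid and fall inside a brand's prefix range, so confirm against the application's own data before writing it up.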

Self Assessment Questionnaire (SAQ) 1.2

SAQ version, validation type, and the merchant each applies to:

SAQ A (13 questions), Validation Type 1: Card-not-present merchants only, that outsource all parts of the credit card transaction. Data is only kept in paper reports.

SAQ B (27 questions), Validation Type 2: Merchants that only accept payment cards using an imprint machine and do not keep any card data electronically.

SAQ B (27 questions), Validation Type 3: Merchants that use a stand-alone, dial-out terminal connected to a phone line or processor. The terminal has no internet connection and no data is stored electronically.

SAQ C (41 questions), Validation Type 4: The payment application is connected to the internet but is not connected to any other system within the network. No data is stored electronically. Service providers who connect remotely to the application are in compliance with security best practices.

SAQ D (222 questions), Validation Type 5: Any merchant that does not fit any of the above categories, and any eligible service provider.

Resources

PCI Security Standards Council:

https://www.pcisecuritystandards.org/index.shtml

Visa CISP:

http://www.visa.com/cisp

MasterCard SDP:

http://www.mastercard.com/sdp


Program Features and Value Proposition


TrustKeeper

• TrustKeeper is Trustwave's compliance portal that merchants will use to manage, track and validate their compliance status.

• TrustKeeper is the leading portal used by acquiring banks to monitor PCI DSS compliance status among merchants.

• TrustKeeper offers easy-to-use vulnerability assessment and management services to help merchants meet all their PCI DSS compliance requirements.


TrustKeeper Agent

• TrustKeeper Agent is an optional component of TrustKeeper that installs on Windows PCs or PC based payment terminals.

• TrustKeeper Agent:

– Assists with setting up and managing vulnerability scans

– Collects information needed to answer technical system questions and reports back to TrustKeeper

– Monitors systems to ensure the security and data storage settings meet the requirements of the PCI DSS

– Provides information for summarized and detailed reports in TrustKeeper

TrustKeeper walkthrough (screenshot slides):

Welcome Splash Page

PCI Wizard Choice

PCI Wizard for a Dial-up Merchant

Questions and Help Text (How Do I Choose?)

Resolve Issues with Remediation Advice

Pre-Filled SAQ for Merchant Review

Certificate of Compliance

Security Policy Advisor (TrustKeeper's Security Policy Advisor)

Security Awareness Training

TrustKeeper Agent