How to tackle the PCI Issue – Corporate Presentation, Grand Connaught Rooms – 1st May 2012. Martin Gronow – Product Line Manager – TTB; Peter Jackson – Head of Risk Consultancy Group – IRM

Upload: talktalk-business

Post on 14-Jan-2015


Page 1: Get PCI Compliant - Martin Gronow direct

How to tackle the PCI Issue

Corporate Presentation – Grand Connaught Rooms – 1st May 2012

Martin Gronow – Product Line Manager – TTB

Peter Jackson – Head of Risk Consultancy Group - IRM

Page 2

Information Risk Management Plc


3rd Floor Winchester House | 259 – 269 Old Marylebone Road | London NW1 5RA | UK Tel+44 (0)20 7808 6420 | Fax +44 (0)20 7808 6421

[email protected] http://www.irmplc.com

IRM is a company registered in England with Company Number 3612719.

IRM Key Facts & Background

Background

• Founded in 1998 to provide assurance services to FTSE 250 companies
  • Technical Assurance
  • Network Security
  • Data forensics
• Joined CESG CHECK Scheme in 2001
• Joined PCI DSS Scheme in 2005
• Progressed into business risk consulting
  • Compliance
  • Standards
• Defined CREST standards for network forensics
• Virtual team supplier to MoD and GCHQ

Service Portfolio

• PCI DSS Services
• Security Risk Assessment
• Security Management
• Technical Assurance
• Network forensics managed services
• Security Management Services

Managed Services

• NetFACTS
• OmniPORT

“IRM has worked extremely hard to be flexible to meet our changing demands and requirements. They are our security partner of choice” CISO, Cable & Wireless Worldwide

Page 3

Security, Privacy, Trust

Our Capability

• CLAS and CHECK (Team Leader / Team Member)
• PCI QSA / QFI
• CISCO CCSP
• CHECKPOINT CCSA / CCSE
• CISA / CISM
• SANS GIAC CHTQ
• OSSTMM OPST / OPSA / Trainer
• GSEC
• Lead Auditor ISO 27001
• MBCS
• MSc
• EnCe
• CISMP
• ISC(2) CISSP
• ISEB Business Continuity Practitioner
• Consultants background checked prior to employment
• Consultants are cleared up to DV as required

Certifications

“IRM’s consultants are active within the security industry and sit on various panels and have been instrumental in establishing bodies such as CREST.”

Page 4

Example Clients & Frameworks


Page 5

Requirement For PCI

Penalties for non-compliance can include the following:

• Fines of $500,000 per data security incident
• Fines of $50,000 per day for non-compliance with published standards
• Liability for all fraud losses incurred from compromised account numbers
• Liability for the cost of re-issuing cards associated with the compromise
• Suspension of merchant accounts

Page 6

What is PCI DSS?

Stands for Payment Card Industry Data Security Standard

Purpose - Protecting Cardholder data to help prevent fraud.

Scope – any business that stores, processes or transmits cardholder data – including taking payments over the phone.

If these calls are recorded they become subject to PCI DSS.

The standard requires that sensitive authentication data is not retained after authorisation, as set out in the table below. Violation is subject to fines.

CARDHOLDER DATA (must be encrypted or not stored)
• Primary Account Number (PAN)
• Cardholder name
• Service Code
• Expiration Date

SENSITIVE AUTHENTICATION DATA (must not be stored)
• Full Magnetic Stripe Data
• CAV2/CVC2/CVV2/CID
• PIN/PIN Block
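Added example, not part of the presentation: a Python routine that applies the storage rules in the table above to a record captured from a telephone payment. Sensitive authentication data fields are dropped and reported, the PAN is masked to first six / last four digits (a stand-in for the encryption the slide requires), and a Luhn-valid digit run inside free text such as a call transcript is masked as well. The field names and sample record are assumptions constructed for the example.

```python
import re

# Sensitive authentication data (SAD): must never be stored after authorisation.
SAD_FIELDS = {"track_data", "cvv2", "pin", "pin_block"}   # assumed field names
PAN_FIELD = "pan"                                          # assumed field name
# Any run of 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_pans_in_text(text: str) -> str:
    """Mask any Luhn-valid 13-19 digit run in free text (e.g. a transcript)."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def sanitise_record(record: dict):
    """Return (copy safe to store, list of storage-rule violations found)."""
    violations, safe = [], {}
    for key, value in record.items():
        if key in SAD_FIELDS:
            violations.append(f"{key}: sensitive authentication data must not be stored")
            continue                       # drop the field entirely
        if key == PAN_FIELD:
            safe[key] = mask_pan(value)
        elif isinstance(value, str):
            safe[key] = mask_pans_in_text(value)
        else:
            safe[key] = value
    return safe, violations


# Constructed sample record; 4111 1111 1111 1111 is a well-known test PAN.
SAMPLE_RECORD = {
    "name": "A Caller", "expiry": "12/25",
    "pan": "4111 1111 1111 1111", "cvv2": "123",
    "transcript": "the number is 4111 1111 1111 1111 and expiry 12/25",
}
```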

Page 7

PCI Enforcement

Merchants are classified according to the number of transactions processed.

Level 1 – Any merchant processing over 6m MasterCard and Visa card transactions per year

Level 2 – Any merchant processing 1m-6m Visa or MasterCard transactions per year

Level 3 – Any eCommerce merchant processing up to 1m Visa or MasterCard transactions per year

Level 4 – Any merchant processing <20k or up to 1m Visa or MasterCard transactions per year

Page 8

Is PCI Mandatory?

• Yes – PCI compliance is a contractual obligation
• Visa/Mastercard require all Merchants & Service Providers to be validated against PCI DSS V2.0
• Smaller merchants are not required to explicitly validate compliance but…
• Non-compliance may trigger penalties and/or fines in the event of a breach
• Data breaches can be subject to Data Protection laws
• The Information Commissioner's Office regards compliance with PCI as basic best practice

Page 9

The one big thing:

Cloud-based Hosted call recording solution

- Designed specifically to help customers meet PCI DSS

- Delivered with minimal cost, effort or disruption

The next big thing:

Hosted Call Recording PCI helps prevent fraud.

- Removes sensitive information from vulnerable areas

- Live Agent telephone ordering

Simple but flexible:

- No complex integration

- Ideal for Remote workers or 3rd party Call Handling

- Disaster Recovery solution

Product/Proposition Overview

Page 10

Benefits of Hosted Call Recording

Pay as you go service: no set-up fees or capital investment

- No Maintenance or Upgrade costs

- Simple monthly charge

No capacity worries: calls automatically recorded as they transit the network

- Record inbound, outbound or both

- No line or equipment limits

- Store for 1 day, 100 days or forever

Simple but flexible:

- Recordings stored at multiple locations

- Secure retrieval interface

- Ideal for Remote workers or 3rd party Call Handling