Page 1

PCI at the POS / What’s New, What’s Next, and What Merchants Can Do to Simplify Compliance

OCTOBER 19, 2016

Page 2

1. Welcome

Page 3

Agenda

• Introduction & objective
• About Ingenico Group
• Deep dive into PCI
• PCI Committee meeting recap
• The evolution of PCI
• How can merchants simplify compliance?
• EMV
• PCI strategies and best practices
• Ingenico Group PCI solutions
• Q&A

Page 4

Speaker Introduction

Rob Martin, Vice President of Security Solutions, Ingenico Group / North America

Nate Potter, Director of Strategic Retail Accounts, Ingenico Group / North America

Page 5

Poll: What is your biggest security challenge or pain point?

A. P2PE
B. PCI compliance
C. EMV chargebacks and migration
D. All of the above

Page 6

2. About Ingenico Group

Page 7

Global Presence / Local Knowledge

Figures on the slide: 170 countries; 88 and 25 (R&D centers, locations); 78 nationalities; 5,800 employees; 27M terminals

Page 8

Ingenico Group’s offer / end-to-end solutions: Mobile Solutions, Security Solutions, Smart Terminals, Services & Support, Online

Page 9

3. PCI at the POS

Page 10

PCI – The Basics

Page 11

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including:

Page 12

PCI / standards explained

The various aspects of securing cardholder data include:

• PCI Data Security Standard (DSS) – covers the security of the cardholder data environment.
• PA-DSS (Payment Application Data Security Standard) – covers application security for payment applications with access to cardholder data.
• PCI PTS (PIN Transaction Security) – security requirements for payment terminals. The requirements have expanded over the last several years from only covering PIN Entry Devices to now covering the Secure Reading and Exchange of Data (SRED) and the use of public/open protocols.
• Requirements for Point-to-Point Encryption (P2PE) solutions – the requirements cover all aspects of a P2PE solution, including the payment terminal, the terminal application, deployment, key management, and the decryption environment.

Page 13

Who needs to be PCI compliant?

Page 14

Who needs to be PCI compliant?

• If you accept, process, store or transmit credit card information, you need to be PCI compliant – regardless of business size and regardless of the number of transactions.

Page 15

What happened during September’s PCI Community Meeting?

Page 16

Notes from meeting

North America Community Meeting was held in September

• Discussion of the threat landscape with a focus on security over compliance.
• The 2016 Verizon Data Breach Investigation Report (VDBIR or Verizon Report) showed again that the overwhelming majority of successful attacks are not coming from “zero day” attacks but from known and patched vulnerabilities.
• POS malware (RAM-scrapers) is still very successful for the criminal attackers.
• As one sector devalues their data through P2PE, those that haven’t become the targets. For example, Lodging was attacked in 2015 as major retailers – the main target from the previous years – had incorporated P2PE.

Page 17

The evolution of the PCI standards

Page 18

The evolution of the PCI standards

PCI DSS 3.1 expires October 31st | PCI DSS 3.2 starts November 1st

• PCI issued PCI DSS v3.2, the latest version of PCI DSS v3, in April.
• The updates include a number of clarifications, updated guidance, and some new requirements.
• Evolving requirements in the PCI DSS are due to the evolving threat landscape from criminal entities targeting payments information and payments systems.

Page 19

Why do all QSAs interpret the rules differently? Where can they get good, secure advice?

Page 20

Why do all QSAs interpret the rules differently? Where can they get good, secure advice?

Get clear on PCI DSS

• All QSAs are working off the same training, requirements, FAQs, and guidance from PCI SSC.
• The PCI SSC QA department works to ensure the assessments are consistent across the industry.
• FAQs and guidance from PCI SSC change over time. Your QSA could be acting on new FAQs or guidance.
• If you and your QSA are interpreting the rules differently, talk to your acquirer. Your acquirer is the holder of the ROC and the arbiter on what they will accept or not accept.

Page 21

What upcoming PCI changes could influence merchants and what can they do to prepare?

Page 22

What upcoming PCI changes could influence merchants and what can they do to prepare?

• PCI P2PE
• Vulnerabilities
• Omni-Channel and move to CNP Fraud
• Breach detection gap

Page 23

What upcoming PCI changes could influence merchants and what can they do to prepare?

PCI P2PE

• When PCI P2PE v2 was released last year, there were only a handful of solutions worldwide that were validated.
• The number of validated solutions has doubled.
• The number of validated solutions and components is expected to continue to grow.

Page 24

What upcoming PCI changes could influence merchants and what can they do to prepare?

Vulnerabilities

• The Verizon Data Breach Investigation Report (Verizon Report) showed that 2015 data breaches were from known vulnerabilities with patches available.
• PCI and Visa are already reacting to this.
• VISA is requiring Tier 4 merchants (small merchants) to use a Qualified Integrator and Reseller for the installation of payment systems.

Page 25

What upcoming PCI changes could influence merchants and what can they do to prepare?

Omni-Channel and Movement of Fraud to CNP

• EMV is moving fraud from the point of acceptance to card-not-present.
• Merchants are adopting omni-channel offerings to unify physical presence, m-comm, and e-comm.
• Merchants should adopt unified, multi-layer security strategies that cover all channels for payment acceptance in a consistent way.

Page 26

What upcoming PCI changes could influence merchants and what can they do to prepare?

Breach Detection Gap

• Verizon Report and Ponemon study show that most compromise attacks are successful in seconds or minutes, with data exfiltration in minutes or days.
• In 83% of attacks, detection took weeks or more.

Source: 2016 VDBIR Executive Summary

Most of the detection was external – financial institutions or law enforcement.

Page 27

4. EMV Migration

Page 28

What has happened to card present fraud in the US, post EMV liability shift?

Page 29

What has happened to card present fraud in the US, post EMV liability shift?

• 54% – MasterCard reported decrease in CP fraud for those who accept EMV
• 54% – VISA reported decrease in CP fraud
• 77% – MasterCard reported increase in CP fraud for those who DO NOT accept EMV

Page 30

With the card brands changing the liability shift chargeback rules, why should a merchant with high volume and small value tickets move to EMV?

Page 31

Reasons to move to EMV

EMV is a critical component of enhanced, multi-layered security.

• The adoption of these technologies generally requires a system upgrade/uplift.
• The business case for the uplift can come from chargebacks or from data protection/brand protection.
• If a merchant is a small ticket merchant, the business case for system uplift will likely come from the addition of P2PE and, if applicable, tokenization for data and brand protection. When a merchant does this, they should include EMV as part of their security uplift project.
• With these security measures in place, if there is a successful attack on the POS, it will not yield data that can be monetized.

Page 32

What strategies does Ingenico Group recommend?

Page 33

Recommendations / strategies at the point of acceptance

P2PE and semi-integrated can assist merchants with their compliance burden.

• A PCI P2PE validated solution is best to alleviate a merchant’s compliance burden.

Diagram labels: Multi-Layered Security; Semi-Integrated Architecture
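To make concrete what slides 16, 31 and 33 say about P2PE devaluing the data a POS compromise can yield, here is an added example (not Ingenico’s code, and not a model of a validated P2PE solution). It runs the same sale through an integrated POS that handles clear-text track data and through a semi-integrated flow in which the terminal encrypts before anything reaches the POS, then scans what the POS process held in memory with a DLP-style PAN finder (digit-run regex plus Luhn check, the same scan an incident responder runs over a memory dump). The HMAC-SHA256 keystream cipher standing in for SRED encryption, the key, the constructed track data with the well-known test PAN 4111111111111111, and all class and function names are assumptions of the example; a real SRED terminal uses PTS-approved hardware and proper key management, which this does not model.

```python
import hashlib
import hmac
import os
import re

# 13 to 19 consecutive digits not adjacent to other digits: candidate PANs.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(blob: bytes):
    """What a DLP scan (or, equally, a RAM-scraper) can recover from a buffer."""
    text = blob.decode("latin-1")
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher for the example: HMAC-SHA256 counter keystream XORed
    with the data. Not a substitute for a PTS/SRED device's encryption."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class PTSDevice:
    """Payment terminal. With an SRED key it encrypts at the read; without one
    (the traditional integrated flow) clear-text track data leaves the device."""

    def __init__(self, sred_key=None):
        self.sred_key = sred_key

    def read_card(self, track2: str) -> bytes:
        if self.sred_key is None:
            return track2.encode()
        nonce = os.urandom(12)
        return nonce + keystream_xor(self.sred_key, nonce, track2.encode())


class POSApplication:
    """Merchant POS. 'memory' accumulates every payload the application touched;
    it is the scope a POS compromise gets to read."""

    def __init__(self):
        self.memory = bytearray()

    def process_sale(self, device: PTSDevice, track2: str, amount_cents: int):
        payload = device.read_card(track2)
        self.memory += payload
        return {"amount_cents": amount_cents, "payload": payload}


class DecryptionEnvironment:
    """The P2PE solution provider's side; the only holder of the key."""

    def __init__(self, sred_key: bytes):
        self.sred_key = sred_key

    def decrypt(self, payload: bytes) -> str:
        nonce, ciphertext = payload[:12], payload[12:]
        return keystream_xor(self.sred_key, nonce, ciphertext).decode()


# Constructed sample data: a well-known test PAN, not a real card.
TEST_TRACK2 = "4111111111111111=2212101"
SRED_KEY = hashlib.sha256(b"example-sred-key-not-a-real-key").digest()


def exposure_without_p2pe():
    """Integrated POS, no P2PE: the PAN is recoverable from POS memory."""
    pos = POSApplication()
    pos.process_sale(PTSDevice(), TEST_TRACK2, 1999)
    return find_pans(bytes(pos.memory))


def exposure_with_p2pe():
    """Semi-integrated + P2PE: the sale still completes (the decryption
    environment recovers the track), but POS memory holds only ciphertext."""
    pos = POSApplication()
    sale = pos.process_sale(PTSDevice(SRED_KEY), TEST_TRACK2, 1999)
    recovered = DecryptionEnvironment(SRED_KEY).decrypt(sale["payload"])
    return find_pans(bytes(pos.memory)), recovered


if __name__ == "__main__":
    print("integrated POS, no P2PE :", exposure_without_p2pe())
    exposed, recovered = exposure_with_p2pe()
    print("semi-integrated + P2PE  :", exposed, "| decryption env recovered track:", recovered == TEST_TRACK2)
```

The scan result is the whole point of the slide: the same malware footprint on the POS finds a monetizable PAN in the first flow and nothing in the second, which is what “devaluing the data” means in practice and why the sectors without P2PE became the next targets.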

Page 34

What does Ingenico Group recommend to meet inspection requirements (PCI DSS v3 requirement 9.9)?

Page 35

Recommendations / how to meet inspection requirements

Ingenico Group recommends a multi-layer approach to meeting these requirements:

• Query the unit serial number either daily or as part of each transaction to guard against terminal substitution.
• Have staff do a basic/checklist inspection daily – look for size changes, changes in cabling, or any additions to the terminal.
• Do regular, more detailed inspections of the terminal.
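The three layers recommended above (serial query, daily staff checklist, periodic detailed inspection) reduce to a few checks over an inventory record per lane. The following is an added example, not Ingenico’s code or any PCI SSC tooling: it runs those checks over constructed inventory, serial-query, checklist and inspection data and returns the findings a store manager or QSA would want to see. The lane names, the SN-EXAMPLE serial numbers, the record layout and the 90-day window for the detailed inspection are assumptions of the example; the deck gives no frequency for the detailed inspection.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Terminal:
    lane: str
    model: str
    serial: str  # serial number recorded when the device was deployed


@dataclass(frozen=True)
class Finding:
    lane: str
    kind: str  # substitution | unreported | no_daily_check | checklist_fail | detailed_overdue
    detail: str


def check_serials(inventory, reported):
    """Compare the serial each lane reported (queried daily or per transaction)
    against the inventory. A mismatch is the signature of terminal substitution;
    a lane that did not answer at all is flagged too, since a swapped device
    may simply not respond to the query."""
    findings = []
    for t in inventory:
        seen = reported.get(t.lane)
        if seen is None:
            findings.append(Finding(t.lane, "unreported", "no serial reported"))
        elif seen != t.serial:
            findings.append(Finding(t.lane, "substitution",
                                    f"inventory {t.serial}, reported {seen}"))
    return findings


def check_daily_inspections(inventory, checklist, today):
    """Staff checklist: one record per lane per day. A missing record, or a
    failed item (size change, cabling change, anything added to the terminal),
    is a finding."""
    findings = []
    for t in inventory:
        rec = checklist.get((t.lane, today))
        if rec is None:
            findings.append(Finding(t.lane, "no_daily_check", f"no checklist for {today}"))
        elif not rec["passed"]:
            findings.append(Finding(t.lane, "checklist_fail", rec["note"]))
    return findings


def check_detailed_inspections(inventory, last_detailed, today, max_age_days=90):
    """Cadence of the more detailed inspection. The deck only says "regular";
    the 90-day window is this example's assumption, not a PCI figure."""
    findings = []
    for t in inventory:
        last = last_detailed.get(t.lane)
        if last is None:
            findings.append(Finding(t.lane, "detailed_overdue", "never inspected in detail"))
        elif (today - last).days > max_age_days:
            findings.append(Finding(t.lane, "detailed_overdue",
                                    f"last detailed inspection {(today - last).days} days ago"))
    return findings


def run_checks(inventory, reported, checklist, last_detailed, today, max_age_days=90):
    """All three layers in one pass; returns the combined list of findings."""
    return (check_serials(inventory, reported)
            + check_daily_inspections(inventory, checklist, today)
            + check_detailed_inspections(inventory, last_detailed, today, max_age_days))


# Constructed sample data: lanes, serials and dates are made up for the example.
TODAY = date(2016, 10, 19)
INVENTORY = [
    Terminal("lane-01", "iPP 310", "SN-EXAMPLE-0001"),
    Terminal("lane-02", "iPP 310", "SN-EXAMPLE-0002"),
    Terminal("lane-03", "iSC Touch 480", "SN-EXAMPLE-0003"),
]
REPORTED = {"lane-01": "SN-EXAMPLE-0001", "lane-02": "SN-EXAMPLE-9999"}  # lane-03 silent
CHECKLIST = {
    ("lane-01", TODAY): {"passed": True, "note": ""},
    ("lane-02", TODAY): {"passed": False, "note": "extra cable on PIN pad"},
}
LAST_DETAILED = {
    "lane-01": TODAY - timedelta(days=30),
    "lane-02": TODAY - timedelta(days=120),
}

if __name__ == "__main__":
    for f in run_checks(INVENTORY, REPORTED, CHECKLIST, LAST_DETAILED, TODAY):
        print(f"{f.lane}: {f.kind}: {f.detail}")
```

Each finding kind maps to one of the three layers, so a lane with a serial mismatch and a failed checklist shows up twice; that is deliberate, since the layers are meant to catch a substituted or tampered device independently of each other.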

Page 36

Recommendations / how to meet inspection requirements

Ingenico Group recommends the use of stands:

Page 37

Ingenico Group’s Secure Payment Solutions

Page 38

PCI-ready / Ingenico Group Solutions

Our diverse suite of secure payment solutions that can help you become PCI compliant:

• iPP 310
• iSC Touch 480
• iSMP for iPod touch®
• iCT 250
• On Guard P2PE
• Telium Semi-Integrated Solution

Page 39

Thank You – Questions?