Data Security and Payment Card Acceptance

Presented by:

Brian Ridder

Senior Vice President

First National

September 10, 2009

Presentation Overview

• Why Should I Care?
• Safety in “Numbers”
• PCI – What is This?
• PCI “Digital Dozen” – Does it Make a Difference?
• Legislation – Uncle Sam and Friends are Here to Help
• Future Steps
• I’ve Been Breached, What Happens Next?


© FIRST NATIONAL BANK

Data Security and Payment Cards

Why Should I Care?

• Do you have insurance for identifiable business risks?
• Is it challenging to attract new and retain existing customers?
• Are credit or debit cards a meaningful percentage of your payment tender types?
• Do you want to focus your resources on growing your business, or possibly on seeking out your customers to notify them that their payment card information has been compromised?
• Do you believe negative events at your company can impact your brand?


Safety in Numbers? Not so much …

• 2004 – BJ’s Wholesale
• 2005 – Designer Shoe Warehouse (DSW)
• 2007 – TJ Maxx, OfficeMax, Dave & Busters, 7-11
• 2008 – Hannaford Brothers Grocery
  – Dec 2007 to March 2008 – 4 million cards
  – 1,800 fraudulent charges made – 21 civil claims
• 2009 – Heartland Payment Systems
  – Fall 2008 to January 2009 – to date $12.5 million in fines


According to a report released August 17, 2009 by the Ponemon Institute and funded by encryption firm PGP, the cost of a data breach for companies has risen to $202 per lost record, up from $197 in the institute's 2007 study. For the 47 companies audited in the study, those costs added up to $6.6 million per incident.


PCI – What is This?

A collaborative approach by the major card brands (Visa, MasterCard, Discover, Amex, JCB) to address card industry data security in a proactive and unified way.


PCI “Digital Dozen” – Does it Make a Difference?

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across public networks


Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data


Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security.
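Requirement 3 (protect stored cardholder data) is met in practice by never keeping the full PAN where it is not needed and showing at most the first six and last four digits, and requirement 10 means the logs themselves must be checked for leaked card numbers. The Python below is an added example, not material from the presentation: it scans a constructed point-of-sale log for Luhn-valid full card numbers (the PAN_RE pattern, sample log and function names are assumptions) and rewrites them in masked form.

```python
import re
from typing import List, Optional

# Constructed pattern: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log (hypothetical POS output): two well-known Luhn-valid
# test PANs, plus a phone number and a random 16-digit reference that must not match.
SAMPLE_LOG = """\
2009-09-10 09:14:02 POS-07 sale approved card=4111 1111 1111 1111 amt=42.10
2009-09-10 09:14:30 POS-07 sale approved card=5555555555554444 amt=8.99
2009-09-10 09:15:01 support callback phone=555-010-1234 ref=1234567890123456
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: screens random digit runs out of the PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN as first six / last four, the PCI DSS display convention."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _candidate(m: "re.Match") -> Optional[str]:
    """Digits of a regex hit if it is a plausible, Luhn-valid PAN, else None."""
    digits = re.sub(r"\D", "", m.group())
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_unmasked_pans(text: str) -> List[str]:
    """Return every Luhn-valid full PAN found in free text such as logs or exports."""
    return [d for d in map(_candidate, PAN_RE.finditer(text)) if d]


def redact(text: str) -> str:
    """Rewrite text so any full PAN is replaced by its masked form."""
    def _sub(m: "re.Match") -> str:
        digits = _candidate(m)
        return mask_pan(digits) if digits else m.group()
    return PAN_RE.sub(_sub, text)
```

Run find_unmasked_pans over a log export to find requirement 3 violations, and redact before logs leave the cardholder data environment; a second pass over the redacted output should find nothing.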


To become compliant, what does a company need to do?

1. Complete a Self Assessment Questionnaire (SAQ)
2. Complete a network vulnerability scan if you have an external connection
3. On-site PCI audit if you are a large card-transacting merchant


Does PCI – the Digital Dozen – make a difference?

Merchant awareness:

Merchant action:

Post-breach forensic findings:


Legislation – Uncle Sam and Friends are Here to Help You.

• 2009 Legislation

• 2008 and prior legislation


Likely Future Industry Steps

• Credit card processors will really expect compliance

• Solutions for non-access storage

• End to end encryption


I’ve Been Breached, What Do I Do?

1. Immediately contain and limit the exposure. Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information. Preserve evidence and help facilitate the investigation.

2. Alert all necessary parties immediately:
   – Your internal information security group and incident response team.
   – Your merchant bank.
   – Your local office of the United States Secret Service.

3. Provide all compromised payment card accounts to your merchant bank within 10 business days. The payment brands will distribute the compromised account numbers to Issuers and ensure the confidentiality of entity and non-public information.

Contact information:

Brian Ridder

Senior Vice President

First National Merchant Solutions

[email protected]

402-633-1875