How to Dramatically Lower the Cost and Pain of the Yearly PCI DSS Audit


Executive Summary

The annual Payment Card Industry Data Security Standard (PCI DSS) audit is expensive in two ways:

Out-of-pocket costs. Companies pay on average $225,000 for their annual PCI audit, and 1 out of 10 pays $500,000 per year for the annual security compliance audit [1].

Opportunity costs. The time-consuming audit places a major burden on your staff, taking them away from productive activities for long periods of time.

Companies look to minimize or eliminate the annual cost of PCI audits. In addition, they are looking to move beyond the constant vulnerability of Primary Account Number (PAN) data, which they consider toxic. They want peace of mind in knowing that they are removing all of the PAN data from their environment.

Who should read this? Retail executives responsible for data security who want to cut costs.

What will you learn here? Ideas on how to slash the cost and complexity of PCI compliance audits by shrinking the Cardholder Data Environment using Vaultless Tokenization.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a program created by Visa, MasterCard and others to ensure that credit card data is secure and protected. Retailers who process credit cards are subject to an annual security audit by Qualified Security Assessors (QSAs). This is an intensive and expensive endeavor. It is done annually because changes occur in the cardholder data environment (CDE).

The security standard is well established. Visa reports that 98% of Level 1 merchants (more than 6 million Visa transactions per year) and 92% of Level 2 merchants (1 to 6 million Visa transactions per year) are PCI compliant [2]. Level 1 and Level 2 merchants account for two thirds of all transactions.

What is the Cost and Complexity of the PCI Audit?

You might be thinking, "If it ain't broke, why fix it?" In other words, if your data is encrypted and you are one of the Level 1 or 2 merchants with PCI DSS compliance certification, why change?

The bottom line is that, while you are likely PCI compliant today, the yearly burden is considerable. First, there is the direct cost, estimated to hit companies with an annual PCI audit bill of $225,000. Second, there is the burden on in-house staff. The audit consumes a large amount of staff time that could be better spent on revenue-generating tasks. These audits certify the IT environment every year to account for any changes that may have occurred in the CDE.

By using Vaultless Tokenization from Protegrity, retailers can eliminate most of their audit costs while freeing up staff, by reducing the size of the Cardholder Data Environment (CDE). The CDE is defined as "the people, processes, and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system component."

[2] US PCI DSS Compliance Status, Visa, March 31, 2012

How Can Vaultless Tokenization Reduce the Cost of the Yearly PCI Security Audit?

The key to reducing the cost of the yearly PCI security audit is to take systems out of scope. If you can show that systems are not processing credit card data, they are no longer subject to audit. In other words, the key is to reduce the size of the CDE. Your Qualified Security Assessor (QSA) will determine what is and is not in scope.

Look at the typical retail environment using encryption in Figure 1 below. Every red circle represents a system using encryption and subject to PCI audit, and the audit encompasses the entire CDE. As you can see, all of their systems are in scope and hence consuming budget dollars and staff time.

[Figure 1: PCI DSS compliance achieved with encryption. Retail channels (e-commerce, store) and merchant headquarters (central key management, settlement, payment processes, customer service, HQ transaction aggregation, ERP, business functions, loss prevention, sales analysis). Legend: encryption; PCI audit.]

Now let's look at Figure 2, a retailer who has deployed a new process using Vaultless Tokenization, shrinking the CDE. Note how almost all of the red encryption circles are gone, replaced with symbols designating tokens. The CDE has shrunk considerably, to include only the systems that tokenize or de-tokenize. Systems like Customer Service, ERP, Loss Prevention, and Sales Analysis hold tokens with business intelligence rather than the PAN, so they are no longer subject to the PCI audit. Tokens with business intelligence are secure while revealing part of the number (the first six digits and the last four), enabling them to be used in business processes without the need to de-tokenize. This is how companies shrink the CDE, reducing PCI audit costs.

[Figure 2: PCI DSS compliance achieved with Vaultless Tokenization. Retail channels (e-commerce, store) and merchant headquarters (central tokenization management, settlement, payment processes, customer service, HQ transaction aggregation, ERP, business functions, loss prevention, sales analysis). Legend: encryption; PCI audit; tokenization.]
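The token format described above (first six and last four digits kept in the clear, middle digits replaced, reversible without any vault), as an added illustration that is not Protegrity's code or algorithm: it assumes a toy keyed digit-substitution table per PAN position (the `tokenize`/`detokenize` functions, key and sample PAN are all constructed here).

```python
import hmac
import hashlib

# Constructed illustration of a vaultless, format-preserving PAN token.
# NOT Protegrity's algorithm: a secret substitution table for each PAN
# position is derived from a key, so a token can be reversed with the key
# alone and no token vault has to be stored, grown or replicated.
# A per-position single-digit substitution is far too weak for production
# (a real product uses much larger tables); it only shows the vault-free idea.
HEAD, TAIL = 6, 4          # digits left in the clear: BIN and last four


def _digit_table(key: bytes, position: int) -> str:
    """Secret permutation of the digits 0-9 for one PAN position, built by a
    Fisher-Yates shuffle driven by HMAC-SHA256 output bytes."""
    digits = list("0123456789")
    seed = hmac.new(key, b"position-%d" % position, hashlib.sha256).digest()
    for i in range(9, 0, -1):
        j = seed[i] % (i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def _check_pan(value: str) -> None:
    """Accept only all-digit values of PAN length (13 to 19 digits)."""
    if not value.isdigit() or not 13 <= len(value) <= 19:
        raise ValueError("expected a 13-19 digit PAN or token")


def tokenize(pan: str, key: bytes) -> str:
    """Replace the middle digits via the keyed tables; keep BIN and last four,
    so analytics on issuer or last-four matching still work on the token."""
    _check_pan(pan)
    head, middle, tail = pan[:HEAD], pan[HEAD:-TAIL], pan[-TAIL:]
    masked = "".join(_digit_table(key, i)[int(d)] for i, d in enumerate(middle))
    return head + masked + tail


def detokenize(token: str, key: bytes) -> str:
    """Invert the substitution; only systems holding the key (the ones that
    remain inside the CDE) can recover the PAN."""
    _check_pan(token)
    head, middle, tail = token[:HEAD], token[HEAD:-TAIL], token[-TAIL:]
    clear = "".join(str(_digit_table(key, i).index(d)) for i, d in enumerate(middle))
    return head + clear + tail


if __name__ == "__main__":
    key = b"demo-key-not-for-production"   # constructed sample key
    pan = "4111111111111111"                # constructed sample PAN
    token = tokenize(pan, key)
    print(pan, "->", token, "->", detokenize(token, key))
```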

How is Vaultless Tokenization Different from Vault-Based Tokenization?

You may have heard about tokenization, or you may have had some experience with it. Why hasn't tokenization exploded onto the scene and replaced encryption? It's simple: the vault was getting in the way and creating operational inefficiencies.

First-generation vault-based tokenization has not materialized as the PCI DSS killer app because of its implementation approach. PAN data is replaced with tokens and the actual PAN is stored in a database table in a token server. As new PAN data is tokenized, the vault grows and grows, becoming large and unmanageable and resulting in excessive total cost of ownership.

Vaultless Tokenization is the latest advancement in a long line of data security strategy improvements. Over time, as improved strategies advance, total cost of ownership goes down. As shown in Figure 3, Vaultless Tokenization is the most cost-effective data protection strategy available today.

[Figure 3: Evolution from encryption to tokenization, showing the reduction of audit burden and TCO with each new protection technique for the input value 3872 3789 1620 3675. Strong encryption (AES, 3DES) produces "!@#$%a^.,mhu7///&+!@" at the high end of audit burden and TCO; format preserving encryption (DTP, FPE), vault-based tokenization (greatly reduced key management) and format preserving Vaultless Tokenization (no vault) each produce 8278 2789 2990 2789, with audit burden and TCO decreasing toward the low end.]

Compared to vault-based tokenization, Vaultless Tokenization removes the problem of the vault. As a result, it has a tiny footprint and uses commodity hardware. It also provides industry-leading performance. And because it requires no data replication, collisions are eliminated and latency is reduced. Vaultless Tokenization from Protegrity drives down your cost of ownership.

Vaultless Tokenization addresses several key requirements:

Performance: Vaultless Tokenization delivers greater than 200K tokens per second and can scale to even greater performance.

Scalable and highly available: Delivers easy-to-use token clusters. Token Servers can be easily added to token clusters on top of virtualization platforms such as VMware, Xen, and Hyper-V.

Deploy to many data centers: Deploys a consistent solution globally for production and data recovery. Large enterprises operate geographically distributed data centers. Vaultless Tokenization can easily be deployed to different data centers without the need to synchronize these Token Servers. This reduces complexity and contributes to the reduced Total Cost of Ownership (TCO).

Transparent tokens with business intelligence: Business processing with no disruption to the production environment. Since the business intelligence is embedded in the token, there is no need to de-tokenize. Business functions have what they need to continue their role in the business without modifications.

Unique tokens: Support for the PCI DSS distinguishability best practice, with several approaches to facilitate the differentiation between actual credit card numbers and tokens.

In Conclusion

Protegrity Vaultless Tokenization is a modern, efficient data protection approach that delivers robust performance while dramatically lowering the cost and complexity of the annual PCI audit by shrinking the CDE.

Where to Find More Information

If you want to learn more about how to get much better PCI DSS protection at vastly lower cost, talk to Protegrity today. Call us at 203.326.7200 or email info@protegrity.com.

A Retail Customer Example: Oil Company with Convenience Stores and a Teradata Enterprise Data Warehouse

This company wanted to cut the cost and time of their yearly PCI audit. At the start of the project, the audit was taking 7 months. After implementing Vaultless Tokenization to reduce the size of the CDE, they were able to reduce the audit to just 3 ½ months.

This company also saw a huge performance boost. They started by tokenizing all the existing data in their Teradata Enterprise Data Warehouse (EDW). They started using vault-based tokenization, and then redeployed using Vaultless Tokenization. Look at the time required to process 50 million PANs:

1. Vault-based Tokenization: 30 days
2. Protegrity Vaultless Tokenization: 90 minutes

Vaultless Tokenization offers massive improvements in throughput, from a full month down to 90 minutes.

Best practices suggest starting with the EDW because all of your PAN information ends up there. For complete analysis capabilities, you want as much information included in the EDW as possible, and it all needs to be secure. Ultimately, by sending tokens with business intelligence to the data warehouse, we are able to take the EDW out of scope.

Bottom Line: Vaultless Tokenization offers superior performance and the lowest total cost of ownership of any data protection strategy available today.

For more information
Telephone: 203.326.7200
Email: info@protegrity.com
www.protegrity.com

About Protegrity

Headquartered in Stamford, CT, Protegrity provides high-performance, infinitely scalable, end-to-end data security solutions that protect sensitive information across the enterprise from the point of acquisition to deletion. The company's award-winning software products span a variety of data protection methods, including end-to-end encryption, vaultless tokenization, masking and monitoring, and are backed by several important data protection technology patents. Currently, more than 200 enterprise customers worldwide rely on Protegrity's comprehensive data security solutions to enable compliance for PCI DSS, HIPAA and other data security requirements while protecting their sensitive data, brand, and business reputation.

Copyright 2012 Protegrity Corporation. All rights reserved. Protegrity is a registered trademark of Protegrity Corporation. All other trademarks are the property of their respective owners. 6/2012