
PROTECT AGAINST A DATA BREACH & ADDRESS PCI DSS COMPLIANCE WITH TRUSTCOMMERCE | WHITE PAPER

© 2017 TrustCommerce. All Rights Reserved. No part of this document may be distributed, reproduced or posted without the express written permission of TrustCommerce.

p 800.915.1680 | www.trustcommerce.com


INTRODUCTION

LAYER SOLUTIONS FOR ROBUST PAYMENT SECURITY

Businesses are comprised of a complex ecosystem of databases, systems and networks. These infrastructures are regularly under attack by cybercriminals attempting to obtain customer information. A single data breach can compromise millions of card numbers and cause billions of dollars in damage to the economy.

According to the 2016 Cost of Data Breach Study: Global Analysis, the average cost of a breach to a company was $4 million in US dollars.[1] Target Corporation has incurred $300 million in costs arising from the data breach that affected approximately 70 million customers.[2] We can learn from the headlines just how important it is to be proactive about securing sensitive cardholder data. But, all too often, merchants do not prepare and are caught off guard when a data breach happens.

The Payment Card Industry (PCI) Security Standards Council (SSC), an independent body, is the leading provider of security standards and best practices for credit and debit card handling. Visa, MasterCard, American Express, Discover, and other card brands mandate that all organizations that accept, transmit, store, or otherwise handle cardholder[3] data must comply with all applicable requirements in the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is intended to help organizations proactively protect electronic payment data.

Businesses struggle with achieving and maintaining compliance. Only 29% of companies were still in compliance with the PCI DSS a year after a successful validation.[4] Compliance is not a one-and-done effort, but an ongoing, daily commitment.

Being proactive about security and compliance is essential. There is no guarantee that a company’s data will not be hacked or compromised, so it is as much about prevention as it is about cure.

Security is often viewed in the same context as insurance. You know you need it, but you never truly appreciate it until after an event takes place, and only then are you truly glad to have it. In this white paper, you will learn the ways to utilize TrustCommerce solutions to protect payments and address PCI DSS compliance.


UNDERSTANDING THE COSTS

If unprepared, the inability to safeguard customer account information can be insurmountable. Consider the following: What is the impact of a public relations fallout on a brand? How many years will it take to rebuild a brand and customer base? How many years of litigation will follow? Companies large and small face the same critical issues and devastating effects.

The average global cost incurred for each lost or stolen record containing sensitive and confidential information is $158 and varies per industry. For example, healthcare has the highest cost per stolen record, with the average cost for organizations reaching as high as $355.[5]

COSTS RESULTING FROM A DATA BREACH CAN INCLUDE (LEGAL, PRODUCTIVITY, FINANCIAL AND MARKETING):

» Litigation from customer losses

» Discovery, response, and notification costs

» Regulatory fines

» Outside legal fees

» Lost employee productivity as staff are refocused to address breach issues

» Increased call center costs

» Contractors hired to respond to issues

» New process development to guard against future incidents

» Additional security

» Training business units to respond to the breach

» Lost customer base

» Resulting fees from non-compliance

» Public relations

» Discounted product offers to regain customers

» Rebranding, brand building, and other efforts


REDUCE RISK, LIABILITY, & EXPOSURE

HOW DO YOU LIMIT YOUR LIABILITY AND MITIGATE RISK WHILE ADDRESSING COMPLIANCE?

Now that you know the costs, how do you limit your liability and mitigate the risk while addressing ongoing compliance? Leverage multiple solutions available today to employ a layered approach to security. By layering solutions, you can keep cardholder data out of merchant systems and protect transactions in flight and at rest. TC SMART Products®, TrustCommerce’s comprehensive suite of payment solutions, reduce the risk, liability and exposure of electronic payment acceptance. Merchants can use these tools to reduce costs associated with PCI DSS by taking the following steps:

» Defer all payment acceptance, transmission, storage, and other handling to secure, PCI validated payment processing solutions, such as those offered by TrustCommerce.

» Replace all payment systems with those implementing PCI-approved/validated encryption solutions, such as those offered by TrustCommerce.

» Eliminate the storage of all payment data within the merchant environment, whether encrypted or otherwise.

Here are the tools:

PCI Validated Point to Point Encryption (P2PE)

Data is useless if it cannot be read. TrustCommerce supports point-to-point encryption through the use of encrypting devices. Why is P2PE important? It protects payments in transit – from the initial swipe, dip, or key entry, to settlement. With TrustCommerce’s integrated software solution, payment processing is not possible without the TrustCommerce key-injected point-of-sale (POS) device, helping to prevent malware attacks.

With P2PE:

» Cardholder data does not enter the merchant environment in the clear.

» The merchant does not hold the keys to decrypt the data.

TrustCommerce is an advocate of SRED (Secure Reading and Exchange of Data) devices with hardware encryption and supports several different hardware encrypting devices from major manufacturers. Encrypting at the card reader, which is more secure than using software encryption, protects against POS RAM-scraping malware such as that used in recent notable data breaches. For back office and call center environments, encrypted 10-key devices are strongly recommended to encrypt the card information as it is keyed into the system.

Nearly 64% of businesses store the unencrypted 16-digit sequence on the front of credit cards, also known as the Primary Account Number (PAN).[6] Even if the card information is stored for only a few milliseconds while the system passes it to the processor, it can be intercepted and sent into the hands of thieves.

Why take the risk when encryption solutions are readily available?


SECURE TOKENIZATION SOLUTIONS

TC CITADEL®: TOKENIZATION, TOKEN MANAGEMENT & SECURE STORAGE

Tokenization is a great complement to P2PE. It replaces sensitive Primary Account Number (PAN) data with a unique identifier known as a token, which, as long as the token is derived independently of the PAN data, is useless to anyone who may intercept it. Merchants can use the token to facilitate on-demand, subscription, or recurring transactions without the risk or liability associated with storing the sensitive PAN data, which is stored securely in TrustCommerce’s encrypted environment. Once generated, payment tokens are used as if they were the actual primary account numbers or cardholder account numbers (CHAN) for any supported payment types.

Primary Account Numbers, such as payment card numbers, represent considerable risk to brand and business continuity, not to mention the hefty costs incurred when PAN data becomes exposed. By far, the best solution is to eliminate PAN from the merchant environment. When PAN data is first transmitted, the data should be in an encrypted form, rendering it useless to anyone other than the key holder. With tokenization, a token is requested in the initial transaction and that token is used in subsequent transactions. The tokenization process is seamless to the customer, as they and the merchant are only allowed to see the last four digits of the card on file.

TrustCommerce tokens are randomly generated and have no relation to the original PAN data. They are also unique for each client, not shared. These tokens make the exposure of PAN data impossible; they cannot be used to arbitrarily charge cardholders, and cannot be used to glean other sensitive information.

TC Citadel tokens are referred to as Billing IDs and are formatted as alphanumeric strings of six or more characters. Merchants exchange credit card numbers, ACH information, or other customer privacy data elements for TrustCommerce issued Billing IDs. TC Citadel can accommodate recurring, installment and deferred payment types.

By removing the data, you minimize your liability and allow specialists to take on the burden of storing, managing and protecting it. By storing data away from your servers, networks and systems, you reduce your risk and may lower your cost of compliance.

TC Citadel includes token management solutions: TC CardCurrent™ Account Updater and TC Unstore. TC CardCurrent helps you keep accurate customer payment card data on file when accepting repeat, recurring and installment payments. TC Unstore allows you to unstore stagnant Billing IDs in bulk.

Tokenization solutions, such as TC Citadel, allow payment applications to defer the risks and costs of PAN retention to TrustCommerce, specialists in the secure and compliant storage of such data.
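A constructed illustration of the tokenization model described above (an added example, not TrustCommerce's or TC Citadel's code): Billing IDs are drawn from a CSPRNG with no relation to the PAN, scoped per client so they are not shared, the merchant only ever sees the last four digits, and stagnant Billing IDs can be unstored. The class, method names and 8-character token length are assumptions.

```python
import secrets
import string

# Constructed illustration of a tokenization vault; not TrustCommerce's code.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits


def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects mistyped card numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider-side store of (client, Billing ID) -> PAN. Tokens come from a
    CSPRNG, never from the PAN, and are keyed per client, so they are not shared."""

    def __init__(self, token_length: int = 8):  # page: six or more characters
        self.token_length = token_length
        self._store = {}  # (client_id, billing_id) -> PAN, never leaves the vault

    def _new_token(self, client_id: str) -> str:
        while True:  # retry on the (tiny) chance of a collision for this client
            tok = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(self.token_length))
            if (client_id, tok) not in self._store:
                return tok

    def tokenize(self, client_id: str, pan: str) -> dict:
        """Exchange a PAN for a Billing ID; the merchant keeps only the result."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        tok = self._new_token(client_id)
        self._store[(client_id, tok)] = pan
        return {"billing_id": tok, "last4": pan[-4:]}

    def charge(self, client_id: str, billing_id: str, amount_cents: int) -> dict:
        """Recurring charge by token; the PAN is resolved only inside the vault."""
        pan = self._store.get((client_id, billing_id))
        if pan is None:
            raise KeyError("unknown Billing ID for this client")
        return {"masked_pan": "*" * (len(pan) - 4) + pan[-4:], "amount_cents": amount_cents}

    def unstore(self, client_id: str, billing_id: str) -> bool:
        """Retire a stagnant Billing ID (the TC Unstore idea); True if it existed."""
        return self._store.pop((client_id, billing_id), None) is not None
```

Because lookup is keyed on the client as well as the token, a Billing ID leaked from one merchant resolves to nothing for another, which is the property the page calls "unique for each client, not shared".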


SECURE TRANSACTION PROCESS FLOW

By removing credit card data from the merchant’s environment, TrustCommerce solutions empower merchants to proactively address the ongoing burden of compliance and security.


TC TRUSTEE®: WEB-BASED E-COMMERCE APPLICATION & PAYWITHIT MPOS

TC Trustee®: Secure E-Commerce

Most businesses offer a way for customers to pay online. Whether patients pay co-pays and balances, riders pay for monthly parking or transit passes, or a shopper buys a new sweater, paying online offers customers the convenience of making a payment or purchase anytime. Accept online payments securely using TC Trustee. This family of solutions helps businesses keep sensitive payment data off their systems and servers. Doing this can reduce exposure and liability and may be helpful in addressing PCI DSS compliance, because web applications fully implementing TC Trustee do not store, process, transmit, or see the payment card data.

The TC Trustee® Premier hosted payment page delivers secure e-commerce payment acceptance, reduced PCI scope, and branding continuity, all with minimal development effort. Designed for iFrame, modal windows, or standalone pages, payment pages scale automatically for desktop, tablet and mobile use. Using TC Trustee Premier, merchants do not capture, transmit, or store sensitive payment information. TC Trustee Premier seamlessly matches the client’s specific style and/or CSS, providing a consistent, uninterrupted checkout experience.

TC Trustee® API is a transparent redirect solution that seamlessly integrates into the checkout process of a merchant’s shopping cart, payment page, or other online payment system. Customers enter their credit card data on a form on the merchant’s web site and submit the payment form, and the data is seamlessly redirected to the TrustCommerce payment gateway. TrustCommerce transmits the sensitive cardholder data and returns the response from the card brand. It leverages the dependability, security, and performance of the TrustCommerce payment acceptance platform and is integrated into TC Vault® reporting.

By removing credit card data from the merchant’s environment, TC Trustee API empowers merchants to proactively address the ongoing burden of compliance and security. Combined with tokenization, the merchant can maximize the customer’s online experience and encourage them to return in the future.

PayWithIt®: Secure Mobile Payment Acceptance

The PayWithIt mobile payment acceptance app is available for iOS through iTunes and Android through Google Play. PayWithIt uses point-of-interaction (POI) encryption with anti-skimming, memory mitigation, encryption and the highly secure TrustCommerce processing and reporting products. Sensitive information is not stored or retained within the PayWithIt application.

Security features include:

» Encrypting mobile card readers, manual entry restriction

» AVS and CVV support

» Strong encryption for all communication

» Ability to restrict user access via TC Vault

Conclusion

Keep sensitive data out of your environment and use a layered approach to protect payments and address ongoing compliance. With TC SMART Products, you can build the strongest defense while saving time and money.

REFERENCES

[1] https://securityintelligence.com/media/2016-cost-data-breach-study/

[2] https://www.adaware.com/blog/cost-of-target%E2%80%99s-holiday-season-data-breach-300-million/

[3] Cardholder refers to primary account numbers (PANs) a.k.a. cardholder account numbers (CHAN) a.k.a. credit/debit card numbers and related data, whether encrypted or otherwise.

[4] http://www.digitaltransactions.net/news/story/Nearly-Two-Thirds-of-Organizations-Fall-Out-of-PCI-Compliance-a-Year-Later_-Report

[5] https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN

[6] http://www.net-security.org/secworld.php?id=17135


ABOUT TRUSTCOMMERCE

TrustCommerce is the leading technology and solutions provider in the Electronic Payment & Risk Management (EPRM) industry, providing services to some of the largest Healthcare Providers, Insurance Companies, State Transportation Agencies, Municipalities, and Fortune 500 companies in the United States. TrustCommerce offers a wide range of products and services that protect and serve customers with a focus on security, data protection, and risk mitigation.

In 2001, TrustCommerce introduced the tokenization model for subscription-based merchants, which replaced cardholder data with a Billing ID. As the originator of tokenization to remove stored data from a merchant’s environment, we remain focused on protecting cardholder data as it flows through the payment lifecycle. Whether processing in a face-to-face retail environment or in a card-not-present e-commerce environment, TrustCommerce products protect our clients and reduce their risk.

TRUSTCOMMERCE IS THE LEADING PROVIDER OF SECURE PAYMENT SOLUTIONS SERVING THESE AND OTHER KEY INDUSTRIES:

› Healthcare

› Retail & E-commerce

› Parking

› Education

› Municipalities

› Insurance

› Non-Profit

For more information on TrustCommerce solutions or to become a partner, please visit: TrustCommerce.com/contact-us/