
Payment Security Practices and Trends Report 2011

MERCHANT PRACTICES, TRENDS, AND BENCHMARKS

Table of Contents
EXECUTIVE SUMMARY ..... 3
PAYMENT SECURITY OWNERSHIP AND DRIVERS ..... 4
PAYMENT SECURITY MANAGEMENT PRACTICES ..... 8
PAYMENT SECURITY OPERATIONS: Staffing & Compliance Management ..... 12
PAYMENT SECURITY COSTS ..... 14
PAYMENT SECURITY MANAGEMENT TRENDS ..... 16
CONCLUSION ..... 20
REPORT AND SURVEY METHODOLOGY ..... 21
RESOURCES AND SOLUTIONS ..... 22
ABOUT CYBERSOURCE ..... 25
ABOUT TRUSTWAVE ..... 25

Payment Security Practices and Trends Report 2011


2011 CyberSource, a Visa company. All rights reserved.

Executive Summary
For most organizations, managing payment security efficiently and effectively continues to be a challenge. To help businesses understand management trends and practices among their peer group, CyberSource and Trustwave, in partnership with the Merchant Risk Council (MRC), commissioned the Payment Security Practices and Trends Survey. This report summarizes the survey's findings and provides insights and industry benchmarks as well as emerging industry trends.

Overview
Payment security entails managing and securing payment data across an organization's full order lifecycle, from the point of payment acceptance, through fraud management, fulfillment, customer service, funding and financial reconciliation, to transaction record storage. The presence of payment data at any of these points, whether on organization systems or networks or visible to staff, exposes the organization to risk. To combat this risk, the Payment Card Industry Data Security Standard (PCI DSS)[1] was created to help organizations protect their customers' payment account information by providing increased controls around payment data and its exposure to compromise. As part of adhering to PCI DSS standards, all organizations that process payment data must perform an internal or external audit, and a network scan.

Report Highlights
A few highlights found in the survey and discussed in this report include:

Brand Protection is Key Driver of Investment: The need to protect the organization's brand and its revenues was given as the primary driver for investment in payment security.

Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.

Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.

Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.

Ultimately, however, the efficacy of an organization's payment security management operation comes down to the approaches and practices applied to securing data in three core areas:

Capture and Transmission (Data in motion): Practices related to securing payment data as it is captured and transmitted by multiple sales systems, sales staff and customer service representatives throughout the order lifecycle.

Storage (Data at rest): Practices related to securing payment data as it is stored in multiple databases and desktop applications, written on slips of paper by call center staff, and even on tape if customer service calls are recorded.

Back-office Tasks: Practices related to securing payment data used by staff during the performance of multiple back-office tasks, including fraud management, chargeback management and payment reconciliation.

The structure of this report examines responding organizations' practices and trends in each of these areas, with the goal of understanding payment security investment drivers, organization structure, and the resulting relative costs of these practices.

1. PCI DSS Security Standards Council; https://www.pcisecuritystandards.org/


Payment Security Ownership and Drivers


Ownership
There are four departments within organizations that are typically responsible for payment security: IT, Finance, Legal or Compliance, and Operations. In the majority of organizations participating in the survey, payment security was managed by one of two groups: IT or Finance. For over half of all organizations (57%), the IT department maintains payment security ownership (see Chart 1).

Note: The PCI DSS Security Standards Council defines four merchant or organizational levels[2], based on annual transactional card volume processed. For this report, survey results were segmented into two groups:
Level 1: organizations processing over 6 million global payment card transactions annually
Level 2-4: organizations processing fewer than 6 million global payment card transactions annually

Today, IT departments are most likely to have responsibility for payment security in both large and small organizations. However, the organization's number of annual transactions does matter: Finance tends to retain greater payment security ownership within Level 2-4 organizations. In fact, nearly a third (30%) of Level 2-4 organizations' payment security is managed by Finance, compared to just 12% in Level 1 organizations. Further breakdowns by organization levels are shown in Chart 2 and Chart 3.

2. PCI DSS Security Standards Council; https://www.pcisecuritystandards.org/


Ownership varies by industry. Although respondents reported IT ownership in well over half of the organizations, in each industry sector surveyed, there were several notable exceptions. Finance is more commonly responsible for payment security in both educational (80%) and government (50%) services organizations (see Chart 4).


Drivers of Payment Security Investment


Regardless of ownership within an organization, a primary driver for investment in payment security is the protection of the brand or revenue (selected by 69% of respondents), rather than avoiding bank fines for non-compliance (see Chart 5). One of the largest investments an organization can make is in the development and ongoing protection of its brand. Security breaches can significantly tarnish the brand image and affect long-term revenues.

Motivation for investing in payment security also varied by department. Both IT and Finance departments' security investments were mainly driven by brand and revenue protection (for approximately 70% of respondents). However, in the instances where Legal departments owned the practice, the driver was more often to avoid fines. The different motivators for each group are likely due to each group's inherent corporate responsibility. For instance, IT needs to maintain an overall security perimeter to keep hackers from infiltrating the infrastructure and harming the brand; Finance seeks to ensure that all financial aspects remain efficient and that revenue continues to be generated and properly recognized; Legal wants to ensure legal obligations are met and remain in accordance with state and federal laws.

Breach Impact on Organizations


Motivators are likely related to the real impact a breach can have on an organization's brand, revenue and value. Consider the following:

Tarnished Brand
In the U.S., most states mandate that any organization suffering a breach must disclose it to the impacted individuals[3]. The media attention generated by a publicly disclosed breach can have a significant impact on the organization's brand reputation as well as on revenues. Statistically, in the first year of an occurrence, more than 50% of the stories written about an organization are devoted to coverage of the breach[4].

Customer Loss
Customers affected by a security breach are likely to lose confidence and change their future buying behavior. For instance, 55% of victims will have less trust in the organization, and approximately 30% will discontinue buying from that company in the future[5].

Stock Valuation
Organizations can lose from 0.63% to 2.10% in stock price value when a security breach is reported. This equates to an average market capitalization loss of $860M to $1.65B per incident[6].

3. National Conference of State Legislatures; http://www.ncsl.org/default.aspx?tabid=13489
4. Factiva; September 2006; Source: http://www.continuitycentral.com/news02793.htm
5. Javelin Strategy and Research; June 2008; Source: http://www.tawpi.org/uploadDocs/Data_Breach_survey.pdf
6. CMO Council; September 22, 2006; Secure the Trust of Your Brand


Sources of Payment Security Risk


Although security breaches by external hackers garner much public attention, threats that originate from within the organization can be equally damaging. Within an organization, payment data is exposed and at risk at many points in the order management process, from sales to the back-office. When asked about the risk of payment data being stolen by employees versus external hackers, organizations reported that the two threats were perceived as nearly equal (see Chart 6). The risk of breach from employees was perceived as slightly higher in Level 1 organizations (38%) than in Level 2-4 organizations (35%). This difference may be related to the challenge of monitoring a larger staff, in addition to the relative anonymity that exists in a larger company.


Payment Security Management Practices


Typically, organizations adopt either an on-site or a remote payment security strategy, or have a hybrid approach as they transition from one to the other. With an on-site strategy, payment data is secured in-house on the organization's own network and systems, using encryption and similar technologies. The focus of this strategy is to lock the payment data down to eliminate the security risk. In contrast, some organizations adopt a hosted or remote strategy, where payment data is captured, transmitted, and stored by a PCI DSS-certified payment service provider, which then returns secure tokenized payment information to the organization. This strategy focuses on eliminating payment data from the environment, from capture through storage, rather than securing it within the environment. The following sections examine the use of on-site and remote approaches as they relate to organizational practices during capture and transmission, data storage and performance of back-office tasks.

Data Capture and Transmission


The survey asked respondents to report on the approach being used to secure payment data during capture and transmission across their various sales channels. Chart 7 shows that organizational use of a remote strategy is currently highest in the call center channel, with point of sale (POS) close behind. Most organizations reported using primarily an on-site strategy in the online channel. Level 2-4 organizations are more likely than Level 1 organizations to use remote capture strategies in online and call center channels (see Chart 8).

Level 2-4 organizations typically have smaller, less complex infrastructures than Level 1 organizations, and therefore are less likely to invest heavily in solutions that require on-site maintenance and IT expertise. Rather than build a proprietary solution in-house, these companies tend to deploy third-party solutions that host the payment data fields, providing secure capture and transmission of the payment data so it never enters the organization's network. In addition, the initial deployment of PCI DSS requirements was focused primarily on Level 1 organizations, and remote strategies were not readily available at that time. Level 1 organizations often invested in on-site strategies to meet the initial requirements, which may be delaying their migration to remote strategies today.


Over half of the organizations surveyed report that their call center staff has visibility to raw payment data. Similarly, of those that have face-to-face sales staff, 40% report that payment data remains visible to staff. However, when segmenting by organization level, Chart 9 shows that Level 1 organizations are less exposed to raw payment data during customer interactions than Level 2-4 organizations. In addition, 45% of smaller companies with call center staff are exposed to full account information.

BEST PRACTICE
Create a more secure payment environment by minimizing staff interaction with raw payment data. While exchange of payment data is necessary for call centers and customer-facing staff during the order process, payment information can be handled using a hosted payment acceptance solution that bypasses your environment (reducing PCI DSS scope), or via a separate payment interaction solution such as IVR (interactive voice response) and DTMF (dual-tone multi-frequency) that is hosted outside your environment, connecting customers directly with payment service providers.


Securing Payment Data Storage


According to the PCI DSS, those that employ on-site storage strategies must store the account information in a tokenized, encrypted or otherwise unreadable format. Today, 57% surveyed report storing their payment data on-site using either encryption or tokenization as a security measure. Another 43% of organizations reported employing a remote storage strategy (see Chart 10).

For many companies, payment data is decentralized: it is used by several different departments and systems, and housed in multiple databases across the organization. With payment data spread throughout, payment security can become complex. To simplify payment security management, some are centralizing their payment systems infrastructure, where sales systems and access to payment processors are tied to a central management, reporting, and administration infrastructure across all sales channels. Over two-thirds of the survey respondents reported employing a centralized platform. Another 15% reported they would be centralizing in the next two years. However, 9% of organizations still reported employing decentralized systems with no plans to change.

Level 2-4 organizations are more likely to use a remote storage strategy than larger (Level 1) organizations, which currently tend to store the data on their own networks. The survey found that 43% of Level 2-4 organizations and 38% of Level 1 organizations use a remote strategy (see Chart 11).

BEST PRACTICE
To better manage payment data and reduce the impact of a breach, centralize your payment data and substitute primary account numbers (PANs) with payment tokens generated by a PCI DSS-certified service provider. Centralized platforms reduce the cost and complexity of managing security across multiple sales channels, allowing operation with fewer staff and reducing points of vulnerability. Tokenization eliminates payment data from your environment, making it unavailable to staff or hackers, while still letting you transact billing and returns as you normally do.


Back-office Payment Data Exposure


Back-office staff are also exposed to payment data during tasks such as manual review, chargeback management, account updating for billing/account-on-file, and related reconciliation tasks. Accounting and fraud review staff were reported as having the most exposure to raw payment data. Nearly a third (32%) of Level 1 organizations surveyed have raw data visible to fraud review staff, compared with 24% of Level 2-4 organizations (see Chart 12).

BEST PRACTICE
Reduce staff exposure to payment data by populating customer records with a payment token. Raw payment data is no longer required, as tokens can be formatted to include identifying information without exposing payment data. In instances where visibility of personal data and automated account data updating are required, outsource the operation to a qualified third party.


Payment Security Operations: Staffing & Compliance Management


Payment Security Staffing
Nearly all organizations reported requiring the equivalent of at least one full-time staff member to manage payment security operations. Overall, organizations using a remote strategy employed fewer full-time equivalent (FTE) payment security staff than those using an on-site strategy. Level 1 organizations average 2.4 FTE staff, while Level 2-4 organizations average slightly fewer, at 1.9. In addition, more Level 2-4 organizations (68%) than Level 1 organizations (64%) reported having fewer than three FTE staff, possibly because larger organizations require more resources due to scope (see Chart 13).

Compliance and Certification


Completing PCI DSS validation in a timely manner is important to uncover any potential security issues, avoid fines, retain the ability to accept credit card payments, and reduce overall cost and overhead. The cost of PCI DSS validation is a direct function of the time required to complete the process. Chart 14 compares the number of weeks required to complete PCI DSS certification using remote and on-site strategies. Nearly all organizations (87%) with remote storage strategies were able to complete certification in less than 20 weeks. In contrast, 79% of on-site storage organizations were able to complete certification in the same time period. The difference in the number of weeks needed to complete PCI DSS validation by payment security approach is likely due to the number of systems and points of contact that are seen as being in scope, and therefore requiring an audit or scan. Organizations with an on-site approach are likely to have more systems, devices, and processes in scope than those adopting a remote approach.

BEST PRACTICE
To reduce the time and resource investment required to validate PCI DSS compliance, seek to reduce the scope of the overall audit by reducing the number of systems that must be included in the audit. Removing payment data from your environment and lowering instances in which staff interact with the data will contribute to a reduction in scope for PCI DSS requirements 1, 3, 4, and 9 (for definitions of all 12 requirements, see the Glossary).


PCI DSS Requirement 6.6 Compliance


Security of Public-facing Web Applications
Compliance with PCI DSS requirement 6.6 (see Glossary for definition) has been of particular interest since its introduction in 2008. This requirement provides options intended to ensure that public-facing web applications are protected from common threats to cardholder data. The first option, application protocol testing, can often be onerous for a business to undertake, sometimes requiring specialized personnel to be hired. Organizations using this option likely rely on application penetration testing with external validation. The second option is to adopt a web application firewall approach that, similar to the first option, requires hiring and training of the proper staff. Survey results displayed in Chart 15 show that 59% use both application protocol testing and web application firewalls to meet the PCI DSS 6.6 requirement. It is by far the most popular method, with the application-protocol-testing-only option a distant second at 12%. Other categories included outsourcing, external scans, patch management, code audits, HIDS (host intrusion detection system) and NIDS (network intrusion detection system).

Extended Validation
An Extended Validation (EV) secure sockets layer (SSL) certificate provides a more stringent validation process than the typical SSL certificate, assuring customers that their data is safe with the seller during the purchase process. Certificates protect an organization's transactions with its customers by encrypting sensitive data during transmission from customer to seller, including payment card numbers. See Figure 1 for an example of how EV SSL certification is displayed.

Figure 1: EV SSL-Certified Website

Of the 30% of organizations that use EV SSL, most (63%) reported using the approach to increase consumer shopping confidence. In addition, Chart 16 shows that slightly more Level 2-4 organizations (68%) adopted EV SSL than Level 1 organizations (63%).

BEST PRACTICE
No single point solution can provide complete security and PCI DSS validation. Ensure the highest level of payment security and compliance status by deploying multiple security controls, which also address compliance with the PCI DSS 6.6 requirement.


Payment Security Costs


The cost of managing payment security varies by organization, organization level, and the perceived importance of security within each environment. Understanding the impact of a payment security approach on overall payment security management costs requires an analysis of infrastructure and technology costs, as well as the cost of personnel.

Infrastructure and Technology Costs


Organizations were asked about their annual spend on infrastructure and services in 2010, excluding staff. These costs include services (remote tokenization and storage, compliance auditing, etc.), encryption products/licenses (encryption software, encryption key storage, etc.), and systems (storage, databases, etc.) associated with payment security management. Overall, Level 1 organizations adopting an on-site strategy spent more on infrastructure and services (Chart 17) than those using a remote strategy (Chart 18). As a comparison, 60% of those with an on-site approach spent under $0.5M, as opposed to 75% of those with a remote strategy. Level 2-4 organizations' spend on payment security management was the same regardless of whether an on-site or remote approach was utilized.


Personnel Costs
Using reported FTE figures and industry data for personnel costs (which include salary, benefits, training expenses, and related personnel management costs), estimates of personnel costs were derived for each strategy and organizational level. Level 1 organizations with an on-site strategy spend, on average, nearly $1.7M annually on personnel costs, compared to approximately $1.1M for those using a remote strategy, a difference of nearly $0.6M per year (see Chart 19). Level 2-4 organizations with an on-site strategy spend, on average, a little over $1.5M, versus $1M annually for those using a remote strategy, a difference of nearly $0.5M (see Chart 19).

Total Payment Security Costs


By combining reported infrastructure costs and calculated personnel costs, the impact of payment security practices on the total cost of management can be assessed (see Chart 20).

According to the data compiled in this survey, Level 1 organizations using an on-site strategy will spend, on average, nearly 75% more per year on payment security than those organizations using a remote strategy. The same trend holds for Level 2-4 organizations, albeit on a smaller scale. Level 2-4 organizations adopting an on-site approach spend $0.3M more annually on payment security than those adopting a remote approach.


Payment Security Management Trends


Trends in Data Capture Practices
Survey results indicate that more organizations will be capturing payment data remotely over the next 24 months across all sales channels (online, call center, and POS), for both Level 1 and Level 2-4 organizations. The results are shown in Chart 21 and Chart 22. The largest increases are in Level 2-4 organizations, where online adoption jumps from 38% to 48% and POS from 21% to 32%. The trend to reduce exposure to raw payment data can be attributed to two primary factors. First, moving payment data out of the environment reduces PCI DSS scope. Second, rendering raw payment data inaccessible to internal sources reduces the risk of payment data being stolen by employees. Both Level 1 and Level 2-4 organizations expect to reduce staff access to raw data in call center and face-to-face environments over the next 24 months, with Level 1 doing so at a higher rate than Level 2-4 (see Chart 23 and Chart 24).


Trends in Data Storage Practices


More organizations are considering a move to storing payment data remotely with a PCI DSS-certified service provider (versus on-site). Half of the organizations surveyed indicated they would shift to a remote strategy over the next two years (see Chart 25). The shift to remote storage may be due to the desire to reduce the risk and impact of a security breach on the organization's brand. When analyzing results by organization level, both Level 1 and Level 2-4 organizations see similar gains in remote strategy adoption.


Trends in Back-office Practices


Organizations expect visibility of payment data in the back-office to decline over the next two years. However, Level 1 organizations still expect to operate with higher levels of payment data visibility than their Level 2-4 counterparts (see Chart 26).


Complexity, Cost, Time & Resources


Organizations were queried about their expectations regarding the cost and complexity of managing payment security in the future. Overall, over half of the organizations said cost, complexity and resource requirements would increase (see Chart 27).


Conclusion
Despite the expectation that cost, resource requirements, and technical complexity will increase over the next 24 months, managers continue to seek ways to boost efficiency in each area. And the reason is clear: inadequate protection of customer payment data can have a detrimental effect on the organization's business. The payment data management strategy deployed must help reduce complexity, resource dependency, and costs while increasing efficacy and reducing PCI DSS scope. Survey results indicate a general trend for many organizations to move towards a remote payment security strategy. While an on-site strategy is currently preferred by larger organizations, organizations using this strategy also report higher investments in systems and devices, a higher level of staffing, and longer time frames to validate compliance. Organizations using remote strategies report lower expenses in these areas and the ability to achieve PCI DSS validation in a shorter time frame.


Report and Survey Methodology


The CyberSource and Trustwave Payment Security Practices and Trends Report, developed in association with the Merchant Risk Council (MRC), is based on a survey of organizations residing and trading in North America. Organizations that participated in this survey offered products or services to customers spanning the government, education, non-profit, business and consumer sectors. Most respondents were either ultimately responsible for, or had significant influence on, policy and security management decisions. The survey was conducted via online questionnaire by handl Consulting and completed by 117 participants between December 6, 2010 and January 31, 2011.


Resources and Solutions


CyberSource
CyberSource payment security solutions include Payment Tokenization, Hosted Payment Acceptance, and Automated Account Updater.

Eliminate Capture and Transmission Risk: Using CyberSource's Hosted Payment Acceptance service, you can accept and process payment data without the data ever touching your network.

Eliminate Payment Data Storage Risk: Payment tokenization gives you the ability to secure your payment data in CyberSource's PCI DSS-certified datacenters, removing the use of raw payment data from your network by exchanging that data for a payment token, useless to hackers and devious employees.

Reduce Back-office Risk: Format-preserving tokens make it easy for customer service and back-office staff to perform tasks without exposure to payment data. Automated account updater services automatically update billing and account-on-file records, reducing the need for staff to interact with customer payment data during updates or billing failures.

Trustwave
Trustwave is a global provider of payment security and PCI DSS compliance solutions.

Payment Security:
Trustwave's End-to-End Encryption and Tokenization solutions protect payment card data in motion and while stored, to simplify security infrastructure and reduce the scope of PCI compliance.

PCI DSS Compliance:


Trustwave offers unmatched resources and experience in guiding customers through the process of PCI DSS compliance, from initial scheduling of your review to final preparation of documentation. As the global leader in PCI DSS compliance solutions and services, Trustwave offers comprehensive compliance programs for acquiring banks and ISOs, payment service providers, POS providers, and merchants of all sizes.

Comprehensive Data Security:


Trustwave offers a robust portfolio of best-in-class data security products, including:
Award-winning, patented technology, including encryption, data loss prevention, network access control, application security, and security information and event management
Managed security services to reduce the management burden of a comprehensive data security program
Industry-leading security research and expertise from Trustwave's SpiderLabs

CyberSource Payment Management Solutions

Global Payment Services: Sell anywhere in the world by accepting the payment types preferred in local markets. Transact in over 190 countries and fund in 21 currencies. Worldwide and country bank cards, PIN-less debit, debit cards, bank transfers, direct debits, Bill Me Later, PayPal, subscription/recurring billing, real-time global tax calculation, and dynamic currency conversion.

Fraud Management: Close your threat window while keeping good customers happy. When faced with multiple ongoing and changing fraud threats, the ability to quickly detect and deter these attacks without impacting your customers has a direct bearing on your bottom line. CyberSource Decision Manager provides automated fraud screening, a rule console, a case management system, and analytics.


Resources and Solutions




Glossary of Terms
On-site strategy: Payment data is managed and secured during capture, transmission, and storage using your own staff, systems, and infrastructure, which could be owned, leased, or licensed by your company.

Remote strategy: One or more service providers manage payment data security on your behalf. This could include technologies such as hosted payment tokenization or end-point encryption with remote data storage, and hosted payment acceptance, where the cardholder data is captured directly by the payment network via a hosted order page or interactive voice response system.

Payment data: Data that facilitates the payment transaction process. Includes credit or debit card numbers, name, address, and telephone number.

Organization Level, as defined by the PCI Security Standards Council:
- Level 1: Merchants processing over 6 million transactions annually across all channels.
- Level 2 - 4: Merchants processing less than 6 million transactions annually across all channels.

Tokenization: Replacement of sensitive data with a unique identifier that cannot be mathematically reversed.

Encryption: Conversion of data into a form that cannot be easily understood by unauthorized personnel. Requires a key to decode the data.

Hosted Payment Acceptance: A PCI DSS-certified third party hosts the payment data fields displayed on your website, then captures, transmits, and stores that data outside your network.

Payment Service Provider: Entity that offers organizations online services for accepting electronic payments through a variety of payment methods, including credit card, bank-based payments, and online banking.

PCI DSS Requirement 6.6: For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications

PCI DSS Requirements: See Chart 31
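The glossary's distinction between tokenization (a lookup that cannot be mathematically reversed) and encryption (reversible with a key), together with the format-preserving tokens mentioned in the CyberSource solutions text, is illustrated by the following added example. It is not code from the report or from either vendor; the `TokenVault`, `luhn_valid` and `demo` names are hypothetical, and the sample PAN is a constructed, well-known test number.

```python
import secrets
from typing import Dict, Optional

# Constructed sample: a standard test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check (real PANs do)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical format-preserving token vault.

    The token is random, so there is no key that turns it back into the PAN;
    the only way back is the vault's own table, which stays off the merchant's
    network. That is what 'cannot be mathematically reversed' means in practice.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:          # same PAN -> same token (recurring billing)
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits so back-office staff can recognise the card;
            # randomise the rest and reject any candidate that passes Luhn, so a
            # token can never be mistaken for (or submitted as) a real card number.
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_pan.get(token)


def demo() -> dict:
    """Tokenize the sample PAN and report the properties a practitioner should check."""
    vault = TokenVault()
    t = vault.tokenize(SAMPLE_PAN)
    return {"same_len": len(t) == len(SAMPLE_PAN), "last4": t[-4:] == SAMPLE_PAN[-4:],
            "luhn": luhn_valid(t), "roundtrip": vault.detokenize(t) == SAMPLE_PAN,
            "stable": vault.tokenize(SAMPLE_PAN) == t, "unknown": vault.detokenize("0" * 16)}
```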


About CyberSource
CyberSource, a wholly-owned subsidiary of Visa Inc., is a payment management company. Over 330,000 businesses worldwide use CyberSource and Authorize.Net brand solutions to process online payments, streamline fraud management, and simplify payment security. The company is headquartered in Mountain View, California, with international offices in Reading, U.K.; Singapore; Tokyo; and the Middle East. CyberSource operates in Europe under agreement with Visa Europe. For more information, please visit www.cybersource.com or email info@cybersource.com.

CyberSource North America
CyberSource Corporation HQ
Phone: 650.965.6000
Fax: 650.625.9145
Email: info@cybersource.com

CyberSource Europe
CyberSource Ltd
Phone: +44 (0) 118 929 4840
Fax: +44 (0) 870 460 1931
Email: uk@cybersource.com

CyberSource Japan
CyberSource KK (Japan)
Phone: +81-3-5774-7733
Fax: +81-3-5774-7732
Email: mail@cybersource.co.jp

For More Information
Call 1.888.330.2300
Email info@cybersource.com
Visit www.cybersource.com

CyberSource Asia Pacific
CYBS Singapore Pte Ltd
T: +65 6499 2000
F: +65 6437 5879
Email: asia@cybersource.com

About Trustwave
Trustwave is a global provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions, including WAF, NAC, SIEM and EV SSL certificates. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com.

Trustwave North America
Trustwave Corporate HQ
70 West Madison Street, Suite 1050
Chicago, IL 60602
Phone: 312.873.7500
Fax: 312.443.8028
Email: info@trustwave.com

Trustwave European Headquarters
Westminster Tower, 8th floor
3 Albert Embankment
London SE1 7SP
Phone: +44 (0) 845 456 9611
Fax: +44 (0) 845 456 9612
Email: info@trustwave.com

Trustwave Asia-Pacific Headquarters
Level 26, 44 Market Street
Sydney NSW 2000, Australia
Phone: +61 2 9089 8870
Fax: +61 2 9089 8989

For More Information
Call 1.888.878.7817
Email info@trustwave.com
Visit www.trustwave.com

Trustwave Latin America Headquarters
Rua Cincinato Braga, 340, nº 71
Edificio Delta Plaza, Bairro Bela Vista
São Paulo, SP, CEP: 01333-010, BRASIL
Phone: +55 (11) 4064-6101
