Visit www.E3Secure.com by Heartland Payments System to Learn more about protecting your business

16. Level 1 – Large Retail Merchants Validation Action Validated By Due Date Annual On-site PCI Data Security Assessment Qualified Data Security Company of Internal Audit if signed by Office of the Company 9/30/2004 Quarterly Network Scan Qualified Independent Scan Vendor New Level 1 merchants have up to one year from identification to validate

18. Level 2 - Mid/Large Merchants Validation Action Validated By Due Date Annual On-site PCI Self-Assessment Questionnaire Merchant Current Quarterly Network Scan Qualified Independent Scan Vendor New Level 2 merchants: 9/30/2007

20. Level 3 – Mid/Low Merchants Validation Action Validated By Due Date Annual On-site Self-Assessment Questionnaire Merchant Current Quarterly Network Scan Qualified Independent Scan Vendor 6/30/2005

22. Level 4* - Small Merchants *The PCI DDS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants. Validation Action Validated By Due Date Annual On-site PCI Self-Assessment Questionnaire Merchant Current Quarterly Network Scan Qualified Independent Scan Vendor Validation requirements and dates are determined by the merchant’s acquirer

35. Case Study: The POS System Attacker Retail Store Processor Corporate Internet

36. Compromise Statistics: Industry SpiderLabs data is gathered from more than 140 card compromise cases. Food Service Industry represents the majority of the compromises. Cases By Industry

37. Compromise Statistics: Acceptance Cases by Card Acceptance About 4 out of every 5 cases is a traditional Brick and Mortar environment. Card Present Merchants are not aware of these risks!

38. Compromise Statistics: System Type Majority of the cases involved a compromise of a Software based POS system. None of these systems were Visa PABP or PCI DSS compliant. Cases By System Type

39. Compromise Statistics: Connectivity All Internet connectivity should be considered high risk. SpiderLabs has tracked a trend in migration from T1 and Dial-Up to DSL/Cable. Cases By Connectivity

40. Compromise Statistics: Error Merchant Error vs. 3rd Party Error Half of the compromises were caused by a fault in the service provided by a 3rd party to a Merchant . POS Developers, Integrators, IT Firms are not following PCI DSS and leaving Merchants at Risk!

41. Compromise Statistics: Track Data Track Data storage is never permitted in any environment post authorization. Non-Compliant software packages are storing Track Data and the Merchants did not know until it was too late! Brick and Mortar Cases w/ Track Data Storage

42. Compromise Statistics: PCI DSS Violations Most Common “Not In-Place” Requirement 1: Install and maintain a firewall to protect data Requirement 3: Protect stored data Requirement 6: Develop and maintain secure systems and applications Requirement 8: Assign a unique ID to each person with computer access Requirement 10: Track and monitor all access to network and card data Requirement 11: Regularly test security systems and processes

44. Compromise Statistics: Riskiest Merchant Profile of the Merchant w/ Greatest Compromise Potential Industry: Food Service Payment Acceptance: Card Present System Type: Non-Compliant Software POS Connectivity: DSL or Cable Modem