Protecting Payment Card Data
Considerations for Achieving and Maintaining On-Going PCI DSS Compliance

Executive Overview
Businesses managing payment card data face tremendous security challenges. The cost of a security breach
can be devastating in terms of lost revenue, legal costs and damaged reputation. In fact, the payment card
brands may even stop a business from processing credit card and debit card payments from customers. The
Payment Card Industry Data Security Standard (PCI DSS) provides a blueprint for building and maintaining
a secure data network; however, implementing the policies, people, processes and technologies to achieve
and maintain PCI compliance can be overwhelming. This paper provides some background about PCI DSS and
its effectiveness, and explains how enlisting experts to help execute your strategy can be the best way to
achieve and maintain on-going compliance.

“Compliance and security don’t stand alone—they are intertwined. It is a cycle that we loop through, and
every time we do, we get better at it.”
David Mahon, Vice President of Information Security, Qwest

Myriad Challenges Can Impede Compliance Plans
Developed by founding payment brands of the PCI Security Standards Council,
the PCI Data Security Standard strives to ensure payment account data security
with a comprehensive set of requirements for IT and network departments to follow. If you are a merchant or service
provider and accept payment credit cards, you must validate PCI compliance at least annually. According to Fred Kost,
Director of Security Solutions Marketing at Cisco Systems, the PCI standard has been successful because of its unified
approach. “It’s a global standard that applies to a lot of industries and covers diverse requirements of various companies,
from the very large to the very small,” he said.

But a myriad of challenges thwart the best efforts of many companies attempting to achieve PCI compliance. One reason
is that deploying policies and controls across an organization takes time, during which threats and methods within the
hacker community change. “The hacking community gets smarter all the time, and we’re seeing the evolution of the PCI
standard to address new threats,” said Cisco’s Kost. Furthermore, merchants eager to stay competitive by deploying new
technologies may not take enough time to ensure that adequate security policies and procedures are always enforced,
resulting in vulnerabilities. As a result, merchants struggle with how to not only pass the PCI audit but also maintain on-going
compliance without over-taxing budgets and corporate resources.

More changes ensue as PCI DSS is periodically revised to fit new purchasing scenarios—ecommerce transactions, or
transactions that occur when the customer hands his credit card to a retail clerk at the counter are only part of the data
security dilemma. Advances in mobile devices and other technologies have given rise to new payment options. Pen-entry
and other new interactive devices, pay-at-pump systems and card swipe capture devices used in smaller stores and kiosks
all present a risk. “As IT professionals, we need to think more broadly about how customer data is accessed, touched,
changed and moved,” said Kost.

Ensuring your compliance strategy is up to date with new requirements means you must revisit your strategy often and
make the necessary changes. “You have to have the processes and policies in place and be willing to modify them based on
changing requirements,” said Kost.




   Copyright © 2009 Qwest. All Rights Reserved. Not to be distributed or reproduced by anyone other than Qwest entities.   1
   All marks are the property of the respective company. April 2009
Flexibility Within PCI Standard Allows for Customization
PCI is broad—it offers a single set of guidelines to be applied to all sorts of retailers—both large and small—because it must
cover the issues faced by an incredibly diverse group of companies. For example, a large global retailer with a complex data
center will have different requirements than the small doctor’s office with a server under the receptionist’s desk. “The credit
card is a ubiquitous form of payment, cutting across all different forms of transaction types and organizations—from the local
grocery store to global ecommerce retailer,” said Kost.

Although PCI provides a blueprint for best practices, the standard provides the flexibility for each IT department to best
execute those practices to suit their particular business needs. For example, requirements 7–9 address the process of
restricting user access to data; however, the parameters for those restrictions are not specified, and the methods for enforcing
those restrictions are up to IT staff.

Outsourcing the task of PCI compliance to a trusted partner can help organizations adapt to changes that impede
compliance and capitalize on the flexibility within PCI to implement best practices in a way that maximizes the operational
and security benefits. “Partnering with the right kind of organization can make a big difference in making your compliance
process more efficient and improving security now and into the future.”


What is PCI DSS?
The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by
the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial
Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of
consistent data security measures on a global basis. It is a multifaceted security standard that includes requirements
for security management, policies, procedures, network architecture, software design and other critical protective
measures intended to help organizations proactively protect customer account data.
Source: PCI Security Standards Council



Figure 1. The PCI Security Standards Council’s 12 requirements target key potential weaknesses in complex
data networks


Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security


It Takes People, Processes, Policies and Tools
To overcome these challenges and achieve PCI compliance now and on an ongoing basis, you must have the people,
processes, policies and tools in place to address the requirements that pertain to your business. This is a big commitment.
Building and maintaining the right teams and processes can be much more difficult than implementing the technology. In
many businesses, IT security skills are scarce. Companies face budgetary and retention issues, and may lack resources for
training personnel on compliance procedures.

Partnering with a PCI certified provider is often the best way to accomplish PCI compliance goals. “PCI-certified providers
are service providers that have done the hard work of going through the PCI audit process for products and services,”
said Kost. “Cisco, for example, provides reference architectures for PCI compliance that put together the various pieces
of a compliance solution, so you don’t have to worry about it.” Other providers, such as Qwest, provide the services that
complement the architecture, allowing IT departments to hand off those tasks that cannot be performed efficiently in-house.

Many providers will offer testing in simulated retail environments, with POS terminals, wireless devices and Internet
connections. They may also provide configuration monitoring and authentication management services. PCI audit and
remediation partners offer audit review, to ensure you have the pieces in place to pass your compliance audit.

But compliance doesn’t end with the audit. PCI assessments are point-in-time audits; many companies struggle to enforce
the processes and policies to maintain compliance on an on-going basis. As a result, breaches can still occur, even after
a company passes its audit. And the effects of a breach are devastating. Forrester Research estimates that the cost of a
security breach to the company that suffers it may amount to anywhere between $90 and $305 a record—one significant
breach could cost an organization millions of dollars.[1]

“What you have to keep in mind is that you’re not implementing security controls on a one-time basis,” said David Mahon,
Vice President of Information Security at Qwest, which offers PCI certified products and services to help companies achieve
PCI compliance. “You have to have processes in place to maintain a secure system after the audit, as well.”

Enlist the Experts to Maintain Compliance
Becoming PCI compliant is a huge challenge and it is not a static one. Companies must be able to maintain compliance
by integrating the necessary policies and procedures into their daily business operations. This can be challenging and
time-consuming. Enlisting a PCI certified partner can help you build and sustain an effective long-term compliance strategy, and
maximize internal resources and expenses. Hosted services and reference architectures can ease the burden and simplify
your ongoing PCI compliance program.


[1] Top Unified Communications Predictions For 2008, by Henry Dewing with Ellen Daley and April Lawson, February 20, 2008.




Your best bet? Look to partners with compliance experts that can help you organize the technologies, policies and
processes to satisfy the PCI requirements that pertain to your business and protect against new threats by keeping pace
with changing requirements. And remember, it is an ongoing process. According to Mahon, “Compliance and security don’t
stand alone—they are intertwined. It is a cycle that we loop through, and every time we do, we get better at it.”



Connect. Simplify. Enhance.®
with Qwest Business Solutions®
Qwest is focused on helping you work smarter, with services that leverage the latest technology and award-winning support.
Here are a few solutions that can address the issues covered in this solutions brief:

Hosted IVR. A highly customizable, network hosted interactive voice response (IVR) solution that enables full-featured caller
self service, caller prompting functionality, call recording and detailed caller data and call flow reporting. Hosted IVR can be
used stand-alone or integrated with existing contact management equipment.

Q Routing®. A network-hosted intelligent, inbound and outbound, multi-media contact routing solution that enables virtual
agent pools, call recording, skills-based routing for voice, email and web chat. The application includes powerful agent, admin
and supervisor desktop tools and cradle to grave reporting. Q Routing can be used stand alone or integrated with existing
contact management equipment.

Managed Backup and Storage. Qwest’s fully-managed, flexible portfolio of state-of-the-art storage and backup products
and services includes a managed dedicated storage solution, a utility solution on a pay-for-what-you-use basis, a point-in-
time copy service, and a variety of backup solutions.

Managed Firewall-VPN. Managed Firewall-VPN Service is a management platform that integrates third party firewall
products with Qwest monitoring, management, and administration capabilities.

CyberCenter Colocation. Qwest provides a full range of CyberCenter colocation services to meet any business need.
Each CyberCenter facility is connected to Qwest’s OC192 backbone, offering customers a fully redundant solution to ensure
that critical data needs are met.


Why Qwest
Qwest delivers reliable, scalable data and voice networking solutions, across one of the largest U.S. fiber footprints.
Qwest serves businesses of all sizes, ranging from small business to 95 percent of Fortune 500 companies, with industry-
leading SLAs and world-class customer service.

Learn More
For more information about Qwest voice and data services for large businesses, visit www.qwest.com/business or call
(877) 816-8553 to speak to a Qwest representative.





Electronic Health Records Protecting Assets With A Solid Security Plan Wp101207Electronic Health Records Protecting Assets With A Solid Security Plan Wp101207
Electronic Health Records Protecting Assets With A Solid Security Plan Wp101207
 
Closing The Clinical It Chasm Wp101198
Closing The Clinical It Chasm Wp101198Closing The Clinical It Chasm Wp101198
Closing The Clinical It Chasm Wp101198
 
Acronyms
AcronymsAcronyms
Acronyms
 
Why CenturyLink Savvis Cloud Leader
Why CenturyLink Savvis Cloud LeaderWhy CenturyLink Savvis Cloud Leader
Why CenturyLink Savvis Cloud Leader
 

Protecting Payment Card Data Wp091010

PROTECTING PAYMENT CARD DATA
Considerations for Achieving and Maintaining On-Going PCI DSS Compliance

EXECUTIVE OVERVIEW

Businesses managing payment card data face tremendous security challenges. The cost of a security breach can be devastating in terms of lost revenue, legal costs and damaged reputation. In fact, the payment card brands may even stop a business from processing credit card and debit card payments from customers. The Payment Card Industry Data Security Standard (PCI DSS) provides a blueprint for building and maintaining a secure data network; however, implementing the policies, people, processes and technologies to achieve and maintain PCI compliance can be overwhelming. This paper provides some background about PCI DSS and its effectiveness, and explains how enlisting experts to help execute your strategy can be the best way to achieve and maintain on-going compliance.

“Compliance and security don’t stand alone—they are intertwined. It is a cycle that we loop through, and every time we do, we get better at it.”
David Mahon, Vice President of Information Security, Qwest

MYRIAD CHALLENGES CAN IMPEDE COMPLIANCE PLANS

Developed by founding payment brands of the PCI Security Standards Council, the PCI Data Security Standard strives to ensure payment account data security with a comprehensive set of requirements for IT and network departments to follow. If you are a merchant or service provider and accept payment credit cards, you must validate PCI compliance at least annually. According to Fred Kost, Director of Security Solutions Marketing at Cisco Systems, the PCI standard has been successful because of its unified approach. “It’s a global standard that applies to a lot of industries and covers diverse requirements of various companies, from the very large to the very small,” he said. But a myriad of challenges thwart the best efforts of many companies attempting to achieve PCI compliance.

One reason is that deploying policies and controls across an organization takes time, during which threats and methods within the hacker community change. “The hacking community gets smarter all the time, and we’re seeing the evolution of the PCI standard to address new threats,” said Cisco’s Kost. Furthermore, merchants eager to stay competitive by deploying new technologies may not take enough time to ensure that adequate security policies and procedures are always enforced, resulting in vulnerabilities. As a result, merchants struggle with how to not only pass the PCI audit but maintain on-going compliance without over-taxing budgets and corporate resources.

More changes ensue as PCI DSS is periodically revised to fit new purchasing scenarios—ecommerce transactions, or transactions that occur when the customer hands his credit card to a retail clerk at the counter, are only part of the data security dilemma. Advances in mobile devices and other technologies have given rise to new payment options. Pen-entry and other new interactive devices, pay-at-pump systems and card swipe capture devices used in smaller stores and kiosks all present a risk. “As IT professionals, we need to think more broadly about how customer data is accessed, touched, changed and moved,” said Kost.

Ensuring your compliance strategy is up to date with new requirements means you must revisit your strategy often and make the necessary changes. “You have to have the processes and policies in place and be willing to modify them based on changing requirements,” said Kost.

FLEXIBILITY WITHIN PCI STANDARD ALLOWS FOR CUSTOMIZATION

PCI is broad—it offers a single set of guidelines to be applied to all sorts of retailers—both large and small—because it must cover the issues faced by an incredibly diverse group of companies. For example, a large global retailer with a complex data center will have different requirements than the small doctor’s office with a server under the receptionist’s desk. “The credit card is a ubiquitous form of payment, cutting across all different forms of transaction types and organizations—from the local grocery store to global ecommerce retailer,” said Kost.

Although PCI provides a blueprint for best practices, the standard provides the flexibility for each IT department to best execute those practices to suit their particular business needs. For example, requirements 7–9 address the process of restricting user access to data; however, the parameters for those restrictions are not specified, and the methods for enforcing those restrictions are up to IT staff.

Outsourcing the task of PCI compliance to a trusted partner can help organizations adapt to changes that impede compliance and capitalize on the flexibility within PCI to implement best practices in a way that maximizes the operational and security benefits. “Partnering with the right kind of organization can make a big difference in making your compliance process more efficient and improving security now and into the future.”

WHAT IS PCI DSS?

The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to help organizations proactively protect customer account data.
Source: PCI Security Standards Council

Figure 1. The PCI Security Standards Council’s 12 requirements target key potential weaknesses in complex data networks

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security

IT TAKES PEOPLE, PROCESSES, POLICIES AND TOOLS

To overcome these challenges and achieve PCI compliance now and on an ongoing basis, you must have the people, processes, policies and tools in place to address the requirements that pertain to your business. This is a big commitment. Building and maintaining the right teams and processes can be much more difficult than implementing the technology. In many businesses, IT security skills are scarce. Companies face budgetary and retention issues, and may lack resources for training personnel on compliance procedures.

Partnering with a PCI certified provider is often the best way to accomplish PCI compliance goals. “PCI-certified providers are service providers that have done the hard work of going through the PCI audit process for products and services,” said Kost. “Cisco, for example, provides reference architectures for PCI compliance that put together the various pieces of a compliance solution, so you don’t have to worry about it.” Other providers, such as Qwest, provide the services that complement the architecture, allowing IT departments to hand off those tasks that cannot be performed efficiently in-house. Many providers will offer testing in simulated retail environments, with POS terminals, wireless devices and Internet connections. They may also provide configuration monitoring and authentication management services.

PCI audit and remediation partners offer audit review, to ensure you have the pieces in place to pass your compliance audit. But compliance doesn’t end with the audit. PCI assessments are point-in-time audits; many companies struggle to enforce the processes and policies to maintain compliance on an on-going basis. As a result, breaches can still occur, even after a company passes its audit. And the effects of a breach are devastating. Forrester Research estimates that the cost of a security breach to the company who suffers it may amount to anywhere between $90 and $305 a record—one significant breach could cost an organization millions of dollars.[1]

“What you have to keep in mind is that you’re not implementing security controls on a one-time basis,” said David Mahon, Vice President of Information Security at Qwest, which offers PCI certified products and services to help companies achieve PCI compliance. “You have to have processes in place to maintain a secure system after the audit, as well.”

ENLIST THE EXPERTS TO MAINTAIN COMPLIANCE

Becoming PCI compliant is a huge challenge and it is not a static one. Companies must be able to maintain compliance by integrating the necessary policies and procedures into their daily business operations. This can be challenging and time consuming. Enlisting a PCI certified partner can help you build and sustain an effective long-term compliance strategy, and maximize internal resources and expenses. Hosted services and reference architectures can ease the burden and simplify your ongoing PCI compliance program.

Your best bet? Look to partners with compliance experts that can help you organize the technologies, policies and processes to satisfy the PCI requirements that pertain to your business and protect against new threats by keeping pace with changing requirements. And remember, it is an ongoing process. According to Mahon, “Compliance and security don’t stand alone—they are intertwined. It is a cycle that we loop through, and every time we do, we get better at it.”

[1] Top Unified Communications Predictions For 2008, by Henry Dewing with Ellen Daley and April Lawson, February 20, 2008.

CONNECT. SIMPLIFY. ENHANCE.® with Qwest Business Solutions®

Qwest is focused on helping you work smarter, with services that leverage the latest technology and award-winning support. Here are a few solutions that can address the issues covered in this solutions brief:

Hosted IVR. A highly customizable, network hosted interactive voice response (IVR) solution that enables full-featured caller self service, caller prompting functionality, call recording and detailed caller data and call flow reporting. Hosted IVR can be used stand-alone or integrated with existing contact management equipment.

Q Routing®. A network-hosted intelligent, inbound and outbound, multi-media contact routing solution that enables virtual agent pools, call recording, and skills-based routing for voice, email and web chat. The application includes powerful agent, admin and supervisor desktop tools and cradle to grave reporting. Q Routing can be used stand-alone or integrated with existing contact management equipment.

Managed Backup and Storage. Qwest’s fully-managed, flexible portfolio of state-of-the-art storage and backup products and services includes a managed dedicated storage solution, a utility solution on a pay-for-what-you-use (utility) basis, a point-in-time copy service, and a variety of backup solutions.

Managed Firewall-VPN. Managed Firewall-VPN Service is a management platform that integrates third party firewall products with Qwest monitoring, management, and administration capabilities.

CyberCenter Colocation. Qwest provides a full range of CyberCenter colocation services to meet any business need. Each CyberCenter facility is connected to Qwest’s OC192 backbone, offering customers a fully redundant solution to ensure that critical data needs are met.

WHY QWEST

Qwest delivers reliable, scalable data and voice networking solutions across one of the largest U.S. fiber footprints. Qwest serves businesses of all sizes, ranging from small business to 95 percent of Fortune 500 companies, with industry-leading SLAs and world-class customer service.

LEARN MORE

For more information about Qwest voice and data services for large businesses, visit www.qwest.com/business or call (877) 816-8553 to speak to a Qwest representative.

Copyright © 2009 Qwest. All Rights Reserved. Not to be distributed or reproduced by anyone other than Qwest entities. All marks are the property of the respective company. April 2009