TechMedix PCI DSS Product Overview
TechMedix Technologies provides the product sets described below to merchants who process credit cards. Although security is the core of our business, we provide considerably more than the security controls associated with PCI compliance. There are two product sets: one for Self-Assessment Questionnaire (SAQ) Level A and B merchants, who do not process credit cards over the internet, and a second for merchants who process credit cards over the internet and must meet the stricter requirements defined in the PCI DSS version 1.2 specification (linked below).

https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1‐2.pdf


The PCI DSS (Payment Card Industry Data Security Standard), commonly referred to as PCI, has 261 requirements for merchants who must complete Self-Assessment Questionnaire D (SAQ D). Many of these requirements are difficult to implement even for level 1 merchants with large IT staffs, which makes them virtually impossible for level 4 merchants with limited or no IT staff. This overview does not go into the specifics of each requirement, but it does describe the components of our solution. We would be happy to walk through the solution at a much more detailed technical level in a teleconference, webinar, or on-site meeting.

Product Set for Level SAQ A and B Merchants

TechMedix has determined that SAQ Level A and B merchants require a different PCI DSS product set than Level C and D merchants. Level A and B merchants process credit cards with a dedicated terminal, typically connected directly to the processor over a phone line. The services for Level A and B merchants are listed below; these same services are also an integral part of our Level C and D offering, so Level A and B merchants receive a subset of the full offering at a corresponding price reduction. The TechMedix SAQ Level A and B merchant services include:

A. Online PCI Self-Assessment Questionnaires (required for all merchants), complete with “Ask Brad” multimedia videos that explain the questions and possible responses in plain English. This automates the self-assessment process and gives TechMedix the data needed to generate the reports for ISOs and merchant banks that the credit card companies require.

B. PCI Compliance Binder provides an off-site online storage vehicle for the merchant's PCI security documents, including a history of all PCI questionnaires and other PCI-related information, for use by the merchant and the credit card companies in the event of a breach. As examples, the binder would contain a complete log history of the past 12 months (required for Level D merchants only) or the history of the employee credit card training required for all merchants.

C. PCI Education and Task Scheduler for Ongoing Maintenance, complete with videos explaining PCI DSS and why it is necessary. It also includes a task manager and scheduler to help management determine which ongoing items are necessary to remain PCI compliant.

D. TechMedix TrustVault™ Certificate, which includes $50,000 of coverage in the event of a security breach (physical or cyber). Level A and B merchants should find this “insurance” for a physical breach quite valuable. Level C and D merchants are covered for both physical and cyber breaches.

E. TechMedix Technical Representation in the event of a breach. TechMedix provides technically knowledgeable PCI experts (TechMedix staff) on site as the merchant's technical representative during a forensic audit by Visa, the Secret Service, or another credit card company.

Product Set for SAQ Level C and D Merchants

The following feature set is provided to merchants throughout North America that process credit cards over the internet with a POS system or a dedicated internet-based terminal. While we provide everything necessary for a Level C and D merchant to be PCI compliant, we also provide services that merchants find beneficial beyond what PCI requires. These additional features can save the merchant significant costs (e.g., automatic failover of the broadband connection to dial-up upon a broadband interruption) and generate additional revenue (e.g., driving more customers to the establishment through TechMedix HotSpot Plus™), thereby offsetting the cost of PCI compliance. Please note that the total feature set for Level C and D merchants includes the features listed above for Level A and B merchants.

A. PCI Compliant Network
(1) Includes a Juniper firewall and 24 x 7 monitoring for security intrusions, broadband failures and networking issues. Outbound traffic is permitted only to pre-authorized destinations, which closes the exfiltration path used in breaches such as the one at TJ Maxx, where sniffer programs and other spyware or malware sent captured card data out of the network. See the attached WSJ article.

http://online.wsj.com/article/SB121795870823713875.html?mod=DRE

(2) Highly secure wired and wireless networks. We provide the strongest available wireless encryption (WPA2) and set up separate wireless networks for internal and external use. This can include a wireless hotspot placed on its own network segment, so that hotspot users have no path into the merchant's card-processing network while the merchant still enjoys the convenience of hotspot Internet access and securely “shares” the cost of a single broadband connection. We can throttle the hotspot to guarantee the merchant's own bandwidth needs. We have found that many of our customers, prior to contracting for our services, had a wireless hotspot built by simply attaching a Linksys wireless router to the merchant network, creating a significant vulnerability in the internal credit card processing network. Attached is an article explaining how a wireless network was hacked at a gas station and thousands of credit cards stolen.

http://biometricpayments.blogspot.com/2007_06_01_archive.html

B. PCI Compliant Data Access
(1) Protects sensitive data from external threats.
(2) Includes logging of all system access (all logins, whether local or remote) and retention of the logs off site for one year. TechMedix logs all “major system changes” as required by PCI DSS version 1.2. We have developed the technology to do this efficiently and to maintain all of the logs off site (in our data center) as the PCI standard requires. This is a complex task that even large Level 1 retailers have trouble implementing; we have built a system that delivers it to even the smallest establishment, allowing any merchant to fulfill its PCI compliance requirements.

C. PCI Compliant Policies and Procedures. We provide all the policies and procedures the merchant needs to follow to be PCI compliant, including changing passwords every 90 days, securing credit card servers behind a locked door, etc. TechMedix also provides online training on PCI policies and procedures. Training is specific to SAQ level: training for a Level A merchant with a terminal is quite different from that for a Level D merchant with an integrated Point of Sale (POS) system that stores credit card data on site.

D. PCI Compliant Port Scans. TechMedix provides a port-scanning service, making us a “one-stop shop” for PCI compliance for SAQ Level C and D merchants that have POS systems and for merchants with terminals processing over the internet.

E. PCI Compliance Audits. As with PCI port scans, TechMedix will work with a third party to provide PCI compliance audits on request. The merchant incurs an additional fee for this service; the fee is minimized, however, because our PCI audit partner is familiar with our solution, which reduces the time and corresponding expense of the audit.

F. 24 x 7 Internet Data Monitoring and Transmission Validation. TechMedix monitors, and blocks, any program or person attempting to send data (including credit card data) to an unauthorized IP address. This capability would have stopped the exfiltration in the breaches at TJ Maxx, Dave and Buster's and Marshalls. The transfer is blocked so the data never leaves the network, our system notifies us of the suspicious traffic, and we work with the merchant to remove the software or to identify the person attempting to compromise the data. Malware that does get onto a system is rendered inert because it cannot reach its destination; our monitoring staff then work with the merchant to remove the malware that attempted to send potentially sensitive data to an unauthorized location.
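The egress restriction described in A(1) and F above amounts to a destination allow-list with a default deny: a connection may leave the card-processing network only if its destination address and port are pre-authorized, and anything else is dropped and alerted on. The following is an added illustration of that decision logic and is not TechMedix's product or code. It runs over a few constructed connection records; the processor and POS vendor addresses are taken from the RFC 5737 documentation ranges, the log format is made up, and the allow-list is a hypothetical one.

```python
"""Egress allow-list check over connection records (constructed sample data).

Added illustration, not TechMedix code. It models the decision a default-deny
egress firewall makes for a card-processing LAN: a flow may leave the network
only if its destination address and port are on the merchant's pre-authorized
list. Everything else is blocked and produces an alert for the monitoring staff.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical allow-list of (destination network, TCP port). Addresses are from
# the RFC 5737 documentation ranges, standing in for a processor and a POS vendor.
ALLOWED_EGRESS = [
    (ipaddress.ip_network("203.0.113.0/24"), 443),    # card processor gateway (assumed)
    (ipaddress.ip_network("198.51.100.10/32"), 443),  # POS vendor update server (assumed)
]

# RFC 1918 ranges: traffic that stays inside the merchant LAN is not egress.
MERCHANT_LAN = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line):
    """Parse one record in the constructed format:
    '<timestamp> <src_ip> -> <dst_ip>:<dst_port> bytes=<n>'"""
    ts, src, _arrow, dst_port, size = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(ts, src, dst, int(port), int(size.split("=", 1)[1]))


def is_allowed(flow):
    """Default deny: permit LAN-internal flows and allow-listed (network, port) pairs."""
    dst = ipaddress.ip_address(flow.dst)
    if any(dst in lan for lan in MERCHANT_LAN):
        return True
    return any(dst in net and flow.dport == port for net, port in ALLOWED_EGRESS)


def audit(lines):
    """Return the flows that would be blocked and one alert line per blocked flow."""
    blocked, alerts = [], []
    for line in lines:
        flow = parse_flow(line)
        if not is_allowed(flow):
            blocked.append(flow)
            alerts.append(
                f"{flow.ts} BLOCK {flow.src} -> {flow.dst}:{flow.dport} "
                f"({flow.bytes_out} bytes) destination not on egress allow-list"
            )
    return blocked, alerts


# Constructed sample records from a POS host (192.168.1.20), not a real capture.
SAMPLE_FLOWS = [
    "2008-08-18T10:01:05 192.168.1.20 -> 203.0.113.45:443 bytes=1420",    # authorization, allowed
    "2008-08-18T10:01:09 192.168.1.20 -> 192.168.1.5:9100 bytes=512",     # receipt printer, LAN
    "2008-08-18T10:02:33 192.168.1.20 -> 198.51.100.10:443 bytes=90210",  # vendor update, allowed
    "2008-08-18T02:14:07 192.168.1.20 -> 192.0.2.77:6667 bytes=48120",    # unknown host: blocked
    "2008-08-18T02:14:40 192.168.1.20 -> 203.0.113.45:21 bytes=2048",     # right host, wrong port: blocked
]

if __name__ == "__main__":
    blocked, alerts = audit(SAMPLE_FLOWS)
    for alert in alerts:
        print(alert)
    print(f"{len(blocked)} of {len(SAMPLE_FLOWS)} flows blocked")
```

Two points the sample makes that the prose does not: an allow-list keyed on address alone is not enough (the fourth record reaches a permitted processor host on an unexpected port and is still blocked), and the rule must match on destination network and port together. In a real deployment this policy lives in the firewall rule set, and the monitoring side reads the firewall's deny log rather than re-deciding each flow as this script does.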

G. Redundant Internet Access for 24 x 7 Credit Card Authorization and Broadband Issue Resolution. In our research, the number one complaint of merchants was: “When my broadband connection goes down, I cannot authenticate a credit card. I can accept the credit card and hold the transaction, but when I process the transaction after my broadband connection is restored, invariably several of the credit cards will be rejected and I've lost my goods or services.” Our system detects when the broadband connection is down and automatically reconfigures itself to dial up an internet connection, seamlessly reestablishing connectivity for credit card authorization. Authorization requires little bandwidth, so merchants typically do not know the broadband was down until they receive an email from TechMedix indicating:
(1) We have detected that their broadband connection is down.
(2) We are in the process of contacting (or have already contacted) their broadband provider on their behalf to get the connection restored.
(3) We have automatically moved them to a dial-up connection so that they can continue operating seamlessly. We also remind them that once the broadband connection is restored, the network automatically reconnects to broadband and the dial-up connection is terminated. TechMedix provides the dial-up service, so there is no additional expense to the merchant for dial-up internet access.

H. Internet Hotspot: Included in our product, at no extra cost, is a managed Internet hotspot. It is completely segregated from the merchant's internal network, so the hotspot offers no path into the merchant's credit card network. The internal network and the hotspot share a single broadband connection, with minimal bandwidth impact from the hotspot. Up to four independent wireless networks are provided for the merchant's use. TechMedix configures these wireless networks on the merchant's behalf, and they support WPA2 security, so a merchant can deploy the next generation of wireless credit card scanning devices knowing that the wireless traffic and credit card transactions are secure. The following link is to a Business Week article that discusses a number of recent breaches, including breaches via wireless networks. https://www.businessreport.com/news/2008/aug/18/feds‐seek‐nab‐credit‐thieves‐la‐tchn1/

I. Managed Internet Browsing: Our system has web filtering capabilities, so a merchant can manage where employees are allowed to browse by category, limiting employee browsing to certain types of sites. For example, sports bars usually need to allow their managers to view sports websites to update scores; this can be permitted while all other categories are locked down. For customers using our managed wireless hotspot, internet access can be configured to block offensive material such as pornography, racism, or violence, so merchants can advertise a “family friendly” hotspot.

J. Highly Secure Remote Access: TechMedix provides PCI compliant remote access so the merchant can reach the network from remote locations (such as home) to view DVR or camera systems, and so the merchant's POS reseller or IT staff can troubleshoot issues and update software remotely. POS resellers and IT personnel are therefore not required to send staff on site, which reduces their support costs and in turn lowers the merchant's support expense. We do this in a PCI compliant way using a VPN (Virtual Private Network) with two-factor authentication. We have also solved the problem of an employee who resigns while still knowing the system passwords and could therefore access the system remotely after leaving: if we are notified promptly, we disable that person's login before they reach the parking lot.

Attached is a link to an article in which an ex-employee sabotaged his former employer's computer system by accessing it remotely (http://www.scmagazineuk.com/Ex-employee-pleads-guilty-to-sabotaging-his-former-employers-computer-system/article/126017). If we are notified, we can reconfigure the system to deny an ex-employee access before they reach the parking lot.

K. Simplified Remote Management: Our secure remote access also lets us reach customer systems through a standardized naming convention. Because the communication travels over our secure network, we can give our customers and their support personnel access to systems by name. This eliminates the lists of management IP addresses that many POS resellers and IT staff must otherwise keep updated in order to reach a system for support.

L. Eliminates the Need for Public IP Addresses: Our customers do not need static Internet addresses on their broadband line. Access and communication always take place over our secure system, which uses private addressing that is not reachable from the public Internet. Static public IP addresses typically cost $10.00 each per month; our solution eliminates that expense.