Retail

Protect your customers and secure your business from loss of private financial data.

Security challenges for Retailers

Retailers face a rising tide of security threats from hackers and organized crime. Acquiring and selling unsecured financial information fuels a thriving black market for stolen credit card numbers, bank accounts, passwords, personal identification numbers and other private financial data. Retailers must be increasingly vigilant in protecting data transmitted on both wired and wireless systems, from customer-facing point-of-sale devices to back office databases.

Stolen personal data leads to thousands of hours of investigation and avoidable costs for those affected, from merchants to victims of stolen identities. According to a survey conducted by the Ponemon Institute, a data breach costs an organization $6.6 million on average, and more than $200 per compromised record. Payment processing firm Heartland Payment Systems revealed that the major data breach it suffered in 2008 cost the company more than $12 million in fines and legal costs. The damage to the business is further compounded by the cascade of problems for customers, which can drag on for years as they try to recover their identities and rebuild their financial lives.

Security standards for Retailers

The Payment Card Industry (PCI) Data Security Standard (DSS) was created to combat the rising number of incidents of stolen cardholder account data. The PCI DSS is the global standard adopted by companies in the credit card industry to ensure the protection of customer information. All merchants and service providers that store or process credit cards must meet specific security requirements for identifying and remediating any exposures. This includes a requirement to perform onsite security assessments and quarterly network scans. Building a secure network and maintaining a vulnerability management program are necessary prerequisites to ensuring PCI compliance.

How Rapid7 helps

Rapid7’s PCI Compliance Solutions help retailers meet the data security standards required to achieve PCI compliance, including PCI DSS v1.2 Requirements 6.5, 6.6, 11.2 and 11.3, while also providing sound vulnerability management practices as part of a comprehensive security program designed to protect your credit cardholder data from intruders.

Rapid7 can help your organization achieve PCI compliance with Requirement 11.2 because:

  • NeXpose delivers audience-based PCI reporting, including PCI Executive Summary reports and PCI Audit Reports. PCI Executive Summary reports provide high-level PCI compliance results that indicate whether or not all the assets included in the report comply with PCI standards. The Rapid7 PCI Audit Report and Remediation Plan includes detailed step-by-step instructions for remediating each vulnerability, so that deficiencies can be addressed and PCI DSS compliance tracked automatically.
  • NeXpose enables internal staff to conduct ad-hoc internal vulnerability scans after significant network changes (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
  • NeXpose enables vulnerability assessment scanning and monitoring both inside and outside your perimeter defenses, using either distributed scan engines or Rapid7 Managed PCI Services.
  • NeXpose provides scanning and reporting capabilities that meet or exceed the PCI Security Standards Council’s specifications for system security scanning. NeXpose scans assets and delivers detailed PCI audit reports using safe scan settings to generate a comprehensive report on all network-based vulnerabilities, in addition to performing patch verification, application-layer testing, and port scanning.
  • NeXpose deploys flexibly as an appliance, as software, or as a Managed Service for internal and external vulnerability scanning.

With Rapid7 NeXpose, our Professional Services staff can perform an independent scan and produce the certified documentation required by retailers to comply with the PCI DSS standard.

These services include:

  • Performing quarterly internal and external vulnerability scans. Rapid7 has been recertified as an Approved Scanning Vendor (ASV) by the PCI Security Standards Council, authorizing us to help you achieve compliance with the PCI Data Security Standard (DSS). Rapid7 PCI Compliance Services perform independent, quarterly ASV vulnerability scans and produce the certified documentation for your records. (Requirement 11.2)
  • Leveraging Rapid7 Managed PCI Services to provide the added value of automated quarterly scans, including external vulnerability scanning. This includes up to twelve rescans per quarter at no extra charge, full remediation plans, and eight hours of consulting time with one of our professional security consultants (2 hours per quarter) to review scan results and discuss remediation recommendations, as well as any requested scan and report configuration changes. (Requirement 11.2)
  • Providing, through Rapid7 PCI Compliance Services, the annual internal and external penetration testing required by PCI DSS, in order to detect deficiencies more quickly and provide detailed recommendations for fixes that would prevent attacks. (Requirement 11.3)
  • Performing a Rapid7 PCI Gap Analysis: a detailed audit of your networked environment, Web application secure coding policies, physical security control policies, training policies, and personnel policies, together with guidance on network segmentation that shows you how to reduce the scope of your PCI audit and limit your cardholder segment. (Requirement 6.5)
  • Performing Web application assessment testing to identify vulnerabilities based on the OWASP Top 10 vulnerability list, and providing Security Awareness Training, OWASP web development training, and CEH/penetration test training on request. (Requirement 6.6)
  • Providing assistance in completing the appropriate PCI Self-Assessment Questionnaire (SAQ) when required for PCI certification.
  • Providing cutting-edge security expertise, as demonstrated by the active participation of Rapid7 Security Experts in evolving the DSS and Operational Guidelines through PCI SSC Task Forces and industry forums.

To learn more about how NeXpose capabilities meet the requirements of the PCI DSS, refer to the Rapid7 PCI Compliance Guide.

Protect both your customers and your business by securing the privacy of credit cardholder data. Contact us to find out how Rapid7 can help you implement PCI for both Web and storefront transactions, and achieve PCI compliance.

"We have been impressed with NeXpose and its scanning results, as it provides greater detail on the vulnerabilities we find as well as how to fix them. Its reporting capabilities are superior."

Prakash Bhavsar
MIS Security Administrator
Perry Ellis International