Securing Credit Card Data
Through Tokenization and Vaulting

Andrew Albrecht
Director, Information Security
Best Buy
Today’s Conversation

• Best Buy’s Global Environment
• Challenges on our Journey to PCI Compliance
• Evolution of the Best Buy PCI Strategy
• Journey Highlight: Tokenization and Data Transference
• Outcomes and Benefits
• Advice and Recommendations to Retailers
• Questions
Best Buy Global Footprint

• Best Buy: 1030 Retail Locations
• Best Buy Canada: 61 Retail Locations
• Future Shop: 142 Retail Locations
• Carphone Warehouse: 2,465 Retail Locations
• Five Star Appliance: 167 Retail Locations
• Pacific Sales: 34 Retail Locations
• Best Buy China: 8 Retail Locations
• Best Buy Mexico: 1 Retail Location
• Napster
• (brand label not preserved in the extracted slide): 6 Retail Locations
Best Buy PCI Compliance Journey

Uncoordinated compliance efforts, complex corporate needs, resulting confusion

• Data from millions of customers in dozens of applications
• Compliance focus on addressing previous assessment
• Substantial investments made on disparate security
• Conflicting views on intent of the Payment Card Industry Data Security Standard (PCI DSS)
• Board commitment: PCI compliance in 12 months
Evolution of Best Buy’s PCI Compliance Program

Comprehensive strategy focused on meeting/exceeding all PCI requirements

• Establish PCI core leadership team
• Create top-to-bottom game plan to meet all PCI
• Minimize locations with storage of Primary Account Numbers (PAN)
• Develop extensive documentation on organizational intent and the compliant environment
• Partner with organizations having core competencies
Journey Challenge – Minimize Scope

Eliminate data while retaining the ability to know the customer

• Cost-effective and timely reduction of credit card data
• Maintain integrity of analytics while removing card
• Operate effectively in complex retail environment
• Advanced security that’s transparent to customers
Journey Highlight: Tokenization & Data Transference

“People can’t steal what we don’t have”
    Bob Willett, Best Buy CEO International and Enterprise Chief Information Officer

• Partnership with Merchant Link, customizing their TransactionVault™ solution
• Development of interfaces to support unique transactions and settlements
• Complex pre-certification and QA testing
• Conversion of millions of customer records to tokens
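
The tokenization-and-vault pattern behind the two slides above (minimize scope while still being able to know the customer; convert stored card records to tokens), as an added example that is not Best Buy’s or Merchant Link’s code: a toy vault hands the merchant a random token per card, the merchant store keeps tokens only yet still aggregates spend per customer, and a scan checks the merchant’s data for anything that still looks like a PAN. The Vault, MerchantStore and scan_for_pans names, the HMAC index key, the choice to make tokens fail the Luhn check, and the industry test card numbers used as input are assumptions of the example.

```python
"""Added example (not Best Buy's or Merchant Link's code): a toy tokenization
vault plus a token-only merchant store, showing how replacing stored PANs with
tokens shrinks PCI scope while keeping per-customer analytics intact."""
import hashlib
import hmac
import os
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check: true for every real card number, which makes it a
    useful 'does this look like a PAN?' test during scope-reduction scans."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Vault:
    """The 'vaulting' side: the only system that ever stores a PAN.  In a real
    deployment this sits with the tokenization provider, encrypts the PAN at rest
    under an HSM-managed key, and is itself in PCI scope."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key          # assumption: a secret HMAC key kept in the vault
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the same PAN always maps to the same token (needed to
        # "know the customer") without storing a plain hash that an attacker
        # could reverse by enumerating the small PAN space.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Same length and same last four digits (fine for receipts/display); the
        # rest is random.  Tokens are forced to FAIL the Luhn check so they can
        # never be mistaken for, or replayed as, a live card number.
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        pan = "".join(c for c in pan if c.isdigit())   # normalize "4111 1111 ..." input
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            token = self._new_token(pan)
            self._pan_by_token[token] = pan            # real vault: encrypt at rest
            self._token_by_index[idx] = token
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Only settlement/chargeback paths inside the vault's trust boundary
        should be able to call this; raises KeyError for unknown tokens."""
        return self._pan_by_token[token]


class MerchantStore:
    """Systems in the merchant environment: they keep tokens only.  The POS that
    captures the card still sees the PAN for the instant of the sale; that
    capture point cannot be tokenized away and stays in scope."""

    def __init__(self, vault: Vault) -> None:
        self._vault = vault
        self.transactions: list[tuple[str, int]] = []  # (token, amount in cents)

    def record_sale(self, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenize(pan)   # PAN handed to the vault; only the token is kept
        self.transactions.append((token, amount_cents))
        return token

    def spend_by_customer(self) -> dict[str, int]:
        # Analytics keep working: the token is a stable per-card identifier.
        totals: dict[str, int] = {}
        for token, cents in self.transactions:
            totals[token] = totals.get(token, 0) + cents
        return totals


def scan_for_pans(values) -> list:
    """Scope check: return every value containing a Luhn-valid run of 13-19
    digits, i.e. something that still looks like a stored card number."""
    hits = []
    for value in values:
        run = ""
        for ch in str(value) + " ":         # the trailing space flushes the last run
            if ch.isdigit():
                run += ch
                continue
            if 13 <= len(run) <= 19 and luhn_valid(run):
                hits.append(value)
                break
            run = ""
    return hits


def demo():
    """Constructed walk-through using industry test card numbers, not real accounts."""
    vault = Vault(index_key=os.urandom(32))
    store = MerchantStore(vault)
    t1 = store.record_sale("4111 1111 1111 1111", 12999)
    t2 = store.record_sale("5555555555554444", 4900)
    t3 = store.record_sale("4111111111111111", 2001)   # same card as t1 -> same token
    return vault, store, (t1, t2, t3)


if __name__ == "__main__":
    vault, store, tokens = demo()
    print("tokens held by merchant:", sorted(set(tokens)))
    print("PANs found in merchant store:", scan_for_pans(t for t, _ in store.transactions))
    print("spend per customer (cents):", store.spend_by_customer())
```

Two caveats the example makes visible: the vault and the card-capture point still hold PANs and remain in scope, so the scope reduction comes from every other system holding only tokens and having no path to detokenize; and because the tokens are random rather than derived from the PAN, a breach of the merchant’s token store yields nothing that can be turned back into card numbers or sent for authorization.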

Outcomes and Benefits of the Journey

Renewed commitment to information

• PCI compliance scope greatly reduced
• Board commitment successfully achieved
• Protection of Best Buy customers, brand, reputation
• Ability to securely analyze unique customer needs
• Infusion of security best practices into the DNA of the
Best Buy’s Advice to Retailers

Make PCI a priority in your organization

• Resolve that PCI is a journey, not a destination
• Establish/maintain ongoing relationship with your acquiring
• View your QSA as a partner, not an adversary
• Recognize there is no silver bullet technology that can solve all your PCI needs

Best Buy PCI Team: Roles and Responsibilities

PCI Steering Committee
  Members:
  • Best Buy Chief Information Security Officer
  • Best Buy Information Security Directors
  • Third Party Daily Technology Operational Leadership
  Responsibilities:
  • Establish PCI-related direction for the organization
  • Evangelize PCI strategy with business executives
  • Serve as main point of contact for sections 1-12 of the PCI DSS

Tower Leads
  Members:
  • Outsourcer Program Managers
  • Management of technology teams
  Responsibilities:
  • Manage projects related to their tower; provide leadership in the steering committee with daily/weekly updates on progress

QSA, Subject Experts
  Members:
  • Local QSA / “boutique” security firm
  • Lead PCI SME from outsourcer
  Responsibilities:
  • Provide key insight into PCI requirements and the intent of the council
  • Provide project teams and tower leads with guidance on establishing project milestones
  • Lightweight project “certification”

Project Teams
  Members:
  • System Security Administrators
  • Firewall Administrators
  • Tech Writers
  Responsibilities:
  • Perform technical actions as directed by the steering committee
  • Work with tech SMEs to understand and learn
  • Collaborate with tech writers to ensure full documentation of processes and related successes
