Spacenet White Paper: PCI Compliance - Data Voice Video

Page 1

© 2011 Spacenet, Inc. All rights reserved. 1

What is Payment Card Industry (PCI) Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) Program is a mandated set of security standards created by the major credit card companies to offer merchants and service providers a complete, unified approach to safeguarding credit cardholder information for all credit card brands.

The PCI DSS version 1.2 requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data. The requirements apply to all methods of credit card processing, from manual to computerized; the most comprehensive and demanding requirements apply to e-commerce websites and retail POS systems that process credit cards over the internet.

Scope of Compliance

The PCI requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that transmits cardholder data or sensitive authentication data. For example, the following types of systems would be in scope for compliance within any environment:

• Network devices transporting or directing cardholder traffic (e.g. border router, DMZ firewall, intranet firewall, etc.)

• Support systems (e.g. Active Directory, syslog server, PCs performing support functions such as system administration, etc.)

• Systems processing cardholder data (e.g. web servers, application servers, etc.)

• Devices that create media containing cardholder data (e.g. fax machine, printer, backup tape silo)

PCI Data Security Standard Requirements

PCI DSS version 1.2 is the latest global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common-sense steps that mirror best security practices. The PCI DSS standard has 12 major requirements, grouped into six categories.

I. Build and maintain a secure network

• Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

II. Protect cardholder data

• Requirement 3: Protect stored cardholder data

• Requirement 4: Encrypt transmission of cardholder data across open, public networks

III. Maintain a vulnerability management program

• Requirement 5: Use and regularly update anti-virus software or programs

• Requirement 6: Develop and maintain secure systems and applications

IV. Implement strong access control measures

• Requirement 7: Restrict access to cardholder data by business need-to-know

• Requirement 8: Assign a unique ID to each person with computer access

• Requirement 9: Restrict physical access to cardholder data

V. Regularly monitor and test networks

• Requirement 10: Track and monitor all access to network resources and cardholder data

• Requirement 11: Regularly test security systems and processes

VI. Maintain an information security policy

• Requirement 12: Maintain a policy that addresses information security for employees and contractors

Page 2

PCI Assessment Guidelines

The table below gives, for each merchant level, the selection criteria, the validation actions required, and who validates them.

Merchant Level 1
  Selection criteria: any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1
  Validation actions: Annual On-Site Security Audit and Quarterly Network Scan
  Validated by: Independent Security Assessor, or Internal Audit if signed by an Officer of the company; Qualified Independent Scan Vendor

Merchant Level 2
  Selection criteria: 1 million – 6 million Visa or MasterCard transactions per year
  Validation actions (Visa): Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validation actions (MasterCard): Annual On-Site Security Audit performed by a Qualified Security Assessor (QSA)* and Quarterly Network Scan
  Validated by: Merchant; Qualified Independent Scan Vendor

Merchant Level 3
  Selection criteria: 20,000 – 1 million Visa or MasterCard e-commerce transactions per year
  Validation actions: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validated by: Merchant; Qualified Independent Scan Vendor

Merchant Level 4
  Selection criteria: less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year
  Validation actions: Recommended Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validated by: Merchant; Qualified Independent Scan Vendor

Validation requirements and dates for Level 4 merchants are determined by the merchant’s acquirer. Submission of scan reports and/or questionnaires by level 4 merchants may be required.

PCI Compliance Penalties

Failure to comply with PCI standards or to rectify a security issue may result in:

• Fines (described below)

• Restrictions on the merchant; or

• Permanent prohibition of the merchant or service provider’s participation in Visa programs.

The following fines apply for non-compliance, within a rolling 12-month period:

First Violation: $50,000

Second Violation: $100,000

Third Violation: Management discretion

Apart from penalties, an organization which is affected by a fraud suffers a substantial decline in customer loyalty, a loss in brand value and may be subject to costly fines, court time and fees.

Spacenet PCI Compliance Value Proposition

PCI compliance is not a turn-key solution which can be achieved with a single device. It requires planning. To help companies meet the requirements, Spacenet has developed a comprehensive secure network architecture for PCI DSS compliance. The architecture utilizes firewalls as the building block, combined with additional necessary security solutions to create a secure network that meets the Control Objectives in protecting cardholder information. Below is a list of the Control Objectives and Spacenet’s key solutions.

Page 3

Requirements 1 & 2
  Control objective: Build and Maintain a Secure Network
  Spacenet’s key solution: Prysm Pro Firewall

Requirements 3 & 4
  Control objective: Protect Cardholder Data
  Spacenet’s key solution: Access Control and IPSEC VPN

Requirements 5 & 6
  Control objective: Maintain a Vulnerability Management Program
  Spacenet’s key solution: Prysm Pro IPS, Centralized IPS, Gateway Anti-Virus solutions

Requirements 7, 8 & 9
  Control objective: Implement Strong Access Control Measures
  Spacenet’s key solution: TACACS/RADIUS based Access Control; secure PCI, SAS 70 and SOX compliant Data Center facilities

Requirements 10 & 11
  Control objective: Regularly Monitor and Test Networks
  Spacenet’s key solution: Spacenet provides various tiers of logging services, and provides infrastructure to detect the public IP address of remote sites (sites with dynamic public addresses) needed for network scans

Requirement 12
  Control objective: Maintain an Information Security Policy
  Spacenet’s key solution: Guidance in following best industry practices

Spacenet PCI Compliance Architecture

Requirement 1, which requires businesses to install and maintain a firewall configuration to protect cardholder data, is the major requirement for PCI DSS. Spacenet’s firewall solution meets and exceeds all of the firewall sub-section requirements within Requirement 1. In addition, Spacenet’s firewalls and other security platforms meet all system password and other security parameter configuration requirements in Requirement 2. Strong authentication and encryption are delivered using standards-based protocols such as IPsec and Wi-Fi Protected Access 2 (WPA2) to meet Requirements 3 and 4.

Spacenet provides a centralized and remote gateway anti-virus solution to meet Requirement 5. Spacenet’s Prysm Pro IPS/IDS meets some subsections of Requirement 6, developing and maintaining secure systems and applications. Prysm Pro identifies suspicious or malicious behavior, stops attacks and provides detailed reporting of potential misuse down to the application or device level.

Spacenet’s Prysm Pro based services are PCI compliant and its Datacenters are PCI, SAS 70 and SOX compliant. All access to network devices is controlled by TACACS and access is provided on a need-to-know basis. Spacenet Datacenters are manned 24x7 and continuously monitored using cameras. These strict security measures help meet Requirements 7, 8 and 9.

Detailed reporting and logs from Prysm Pro or other remote devices provide the necessary information to properly track and monitor all access to network resources and cardholder data as required by Requirement 10. Spacenet provides log aggregation from multiple devices and locations to provide insightful reports and event correlation. Spacenet offers three different levels of logging services to meet our customers’ needs to be PCI compliant.

The three logging tiers are Automatic PCI Log Management, Enhanced PCI Log Management and Real-Time PCI Log Management. The tiers are compared on the following service features:

• 3.5 Month Online Log Storage

• 1 Year Offline Log Storage

• Automatic Normalization/Prioritization/Analysis

• Online Reporting Web Portal

• Automatic Alerts

• 24x7 Email PCI Logging Support

• 24x7 Telephone PCI Logging Support

• Daily Review and Analysis

• Real-Time Event/Alarm Analysis
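The aggregation, normalization, prioritization and automatic alerting that the Requirement 10 paragraph and the logging tiers above describe can be illustrated with a small Python pass over log lines from several devices. This is an added example, not Spacenet’s or Prysm Pro’s code: the device names (fw-store-12, aaa-core, pos-printer-7), the log line formats, the priority values and the failed-login threshold are all constructed assumptions chosen for illustration.

```python
"""Added example (not Spacenet's or Prysm Pro's code): aggregate log lines
from several devices into one normalized event shape, prioritize them, and
raise alerts on major events and on correlated failed-login bursts.
Device names, formats, priorities and thresholds are constructed assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample lines from two hypothetical devices: a site firewall
# (fw-store-12) and a central TACACS/RADIUS server (aaa-core). The last line
# stands in for a device whose format the parser does not understand.
SAMPLE_LOGS = [
    "2011-03-01T10:00:01 fw-store-12 DENY tcp 10.1.12.55:49213 -> 192.168.50.10:1433",
    "2011-03-01T10:00:02 fw-store-12 ALLOW tcp 10.1.12.20:51000 -> 192.168.50.10:443",
    "2011-03-01T10:00:05 aaa-core LOGIN_FAIL user=admin src=10.1.12.55",
    "2011-03-01T10:00:07 aaa-core LOGIN_FAIL user=admin src=10.1.12.55",
    "2011-03-01T10:00:09 aaa-core LOGIN_FAIL user=admin src=10.1.12.55",
    "2011-03-01T10:00:11 aaa-core LOGIN_OK user=jsmith src=10.1.12.20",
    "2011-03-01T10:01:00 fw-store-12 CONFIG_CHANGE user=jsmith rule=allow-any-out",
    "2011-03-01T10:02:00 fw-store-12 AUDIT_LOG_CLEARED user=jsmith",
    "2011-03-01T10:02:30 pos-printer-7 <unrecognised vendor format>",
]

# Priority per normalized action: 1 = critical ... 4 = informational (assumed).
# Tampering with audit trails ranks highest because Requirement 10 depends on
# those trails staying intact.
PRIORITY = {
    "AUDIT_LOG_CLEARED": 1,
    "CONFIG_CHANGE": 2,
    "LOGIN_FAIL": 3,
    "DENY": 3,
    "LOGIN_OK": 4,
    "ALLOW": 4,
}

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\w+) (\S+) -> (\S+)$")
AAA_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")
ADMIN_RE = re.compile(r"^(\S+) (\S+) (CONFIG_CHANGE|AUDIT_LOG_CLEARED) user=(\S+)(?: rule=(\S+))?$")


@dataclass
class Event:
    """One log line in a common shape, whichever device produced it."""
    ts: datetime
    device: str
    action: str
    user: Optional[str]
    src: Optional[str]
    target: Optional[str]  # destination socket or firewall rule, if any
    priority: int


def parse_line(line: str) -> Optional[Event]:
    """Map one raw line onto an Event; None for formats the parser does not know."""
    m = FW_RE.match(line)
    if m:
        ts, dev, action, _proto, src, dst = m.groups()
        return Event(datetime.fromisoformat(ts), dev, action, None, src, dst, PRIORITY[action])
    m = AAA_RE.match(line)
    if m:
        ts, dev, action, user, src = m.groups()
        return Event(datetime.fromisoformat(ts), dev, action, user, src, None, PRIORITY[action])
    m = ADMIN_RE.match(line)
    if m:
        ts, dev, action, user, rule = m.groups()
        return Event(datetime.fromisoformat(ts), dev, action, user, None, rule, PRIORITY[action])
    return None


def normalize(lines: List[str]) -> Tuple[List[Event], int]:
    """Parse all lines into time-ordered Events. Lines no parser matched are
    counted rather than silently dropped: a gap in log coverage is itself a finding."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line.strip())
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    events.sort(key=lambda e: e.ts)
    return events, unparsed


def major_events(events: List[Event], max_priority: int = 2) -> List[Event]:
    """Events serious enough for automatic notification of major events."""
    return [e for e in events if e.priority <= max_priority]


def summarize(events: List[Event]) -> Counter:
    """Per-device, per-action counts for a daily review report."""
    return Counter((e.device, e.action) for e in events)


def correlate(events: List[Event], fail_threshold: int = 3, window_seconds: int = 60) -> List[str]:
    """Alert on repeated failed logins per (user, source) inside a sliding
    window, then on every major event individually."""
    alerts: List[str] = []
    recent = {}  # (user, src) -> failure timestamps still inside the window
    for e in events:
        if e.action != "LOGIN_FAIL":
            continue
        bucket = recent.setdefault((e.user, e.src), [])
        bucket.append(e.ts)
        bucket[:] = [t for t in bucket if (e.ts - t).total_seconds() <= window_seconds]
        if len(bucket) == fail_threshold:
            alerts.append(f"{fail_threshold} failed logins for user={e.user} from {e.src} within {window_seconds}s")
    for e in major_events(events):
        alerts.append(f"P{e.priority} {e.action} on {e.device} by user={e.user}")
    return alerts


if __name__ == "__main__":
    evs, skipped = normalize(SAMPLE_LOGS)
    print(f"{len(evs)} events normalized, {skipped} unparsed")
    for a in correlate(evs):
        print("ALERT:", a)
    for (dev, act), n in sorted(summarize(evs).items()):
        print(f"{dev:12s} {act:18s} {n}")
```

Run as a script, it reports eight normalized events and one unparsed line, three alerts (the failed-login burst against the admin account, the firewall rule change, and the cleared audit log), and a per-device count table of the kind a daily review would start from. Counting unparsed lines instead of discarding them is deliberate: a device whose format silently fails to normalize is a device whose access is not being tracked.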

Where a site’s broadband service is provisioned with a dynamic IP address, Prysm Pro will detect and report the service’s current public IP address. This enables our customers to perform the quarterly or annual network scans needed to meet Requirement 11 while keeping broadband costs down by avoiding costly upgrades to static IP address broadband services.

Spacenet Managed Network Services will help customers meet the information security policy Requirement 12 as we are an experienced partner with PCI, SOX and SAS 70 compliance. Spacenet can guide customers in developing their own information security policy as we can leverage our extensive experience working with the retail industry.

Page 4

PCI Logging Service Descriptions

Automatic PCI Log Management: storing of Prysm/Prysm Pro logs for 90 days; normalization, prioritization and analysis of logs; Web Portal access for daily review by the customer of filtered events/alarms; automatic email notification of major events.

Enhanced PCI Log Management: storing of Prysm/Prysm Pro logs for 90 days; normalization, prioritization and analysis of logs; Web Portal access for daily review by the customer of filtered events/alarms; automatic email notification of major events, plus a daily report provided by a SOC technician.

Real-Time PCI Log Management: storing of Prysm/Prysm Pro logs for 90 days; normalization, prioritization and analysis of logs; Web Portal access for daily review by the customer of filtered events/alarms; 24x7 monitoring by SOC technicians with a 30 minute response time for major/critical issues.

Summary

Spacenet’s architecture for PCI compliance provides a robust end-to-end compliance solution to properly protect sensitive cardholder data and ultimately protect the business. This architecture, combined with proper network security policies, scheduled vulnerability testing and adequate physical access security provides a complete PCI compliant solution. Spacenet’s Prysm Pro appliance has been developed in-house, which provides the flexibility to modify the architecture over time to address new threats and compliance requirements as they change while protecting our customers’ investment. Spacenet’s best-in-class network security portfolio combined with our performance and reputation makes this architecture an ideal selection for any organization seeking to meet or enhance security for PCI compliance.