Info-Tech Research Group1 Headline / Subhead Vertical Spacing V3.1 Info-Tech Research Group, Inc. Is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © Info-Tech Research Group Inc. Cut PCI Compliance & Audit Costs in Half Seven steps to aggressively simplify and secure what really matters. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.© Info-Tech Research Group

Info-Tech Research Group2 The best path to payment card industry (PCI) compliance is to be as free as possible of PCI requirements. Secure what you have to, eliminate what you don’t need, and compliance will result naturally. Introduction Merchants Security managers or officers IT managers CFO or finance officers Understand PCI compliance as it pertains to your organization’s specific requirements. Create a strategy to achieve PCI compliance while focusing on security and reducing costs at the same time. Communicate any process or policy changes related to PCI compliance to stakeholders and the broader organization to gain support and allow for a successful transition into being a PCI-compliant institution. This Research Is Designed For: This Research Will Help You:

Info-Tech Research Group3 Learn from the mistakes of others, or else be prepared to do major damage control as a result of not becoming compliant. Do not delay PCI compliance any longer “…TJX experienced approximately 45 million stolen customer records.” 1 “…the US National Archives & Records Administration reports that 50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately.” 4 “…over 260 million records in the last decade (have been compromised), according to Privacy Rights Clearinghouse.” 3 “ 96% of victims subject to PCI DSS had not achieved compliance…Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for an attack.” 2 “A Level 1 or Level 2 merchant can easily feel overwhelmed by the cost of upgrading the infrastructure and paying for ongoing infrastructure maintenance, as well as the assessment(s) needed to verify compliance.” 8 “Fines can be as much as $500,000 per incident for smaller companies, and experts have estimated the cost of remediation to be roughly $200 per breached record.” 5 “Nearly 70% of all breaches are occurring at smaller merchants, who are less able to absorb the high financial cost associated with a breach.” 7 “The cost of compliance is only a small fraction of the potential cost of non- compliance for Level 1 and Level 2 merchants.” 6

Info-Tech Research Group4 Critical POV and detailed project outline (TOC)/goals, objectives, measurements PCI compliance is not achieved by checking off every box. Be smart about your requirements, streamline, and even save money in the process. Client Project: Prioritize PCI to succeed. 1 1 Set your goals – what do you want to achieve in your PCI project? 3 3 Map PCI’s 12 core requirements to your PCI practices. 4 4 Perform a gap analysis. 5 5 Complete gap prioritization. This project has the ability to fit the following formats: Onsite workshop by Info-Tech Research Group consulting analysts Do-it-yourself with your team Remote delivery (Info-Tech Guided Implementation) Info-Tech Insight 6 6 Identify PCI Simplification Strategy. 2 2 Evaluate your current organization’s posture in relation to PCI. 7 7 Develop a PCI Simplification Launch Plan.

Info-Tech Research Group5 Boxogram – Simplify PCI 2. Determine Simplification Strategy & Communication Plan Identify PCI Simplification Strategy Develop a PCI Simplification Launch Plan 1. Evaluate Current State & Perform Gap Analysis Evaluate Current State Get Started & Set Goals Map 12 PCI Core Requirements to Current State Complete Gap Prioritization Perform a Gap Analysis

Info-Tech Research Group6 If we are conducting an on-site workshop or a Guided Implementation (GI), providing us with the following will add to the project’s value: Project Pre-work Without giving too much of the workshop contents away, be prepared to have knowledge of your PCI-related practices and policies, as well as the individuals involved in both. Come to the workshop with your feelings, beliefs, and understandings surrounding what your organization is doing in regards to PCI : ◦ Don’t think you’re doing enough? ◦ Unsure of what you’re doing at all? ◦ Don’t know what PCI actually means? Your questions and concerns are what are going to add insight and provide the dots to connect your PCI compliance action plan. On-Site Workshop Info-Tech Guided Implementation (GI) Collect as much as you can of the following: ◦ Past audit information ◦ Contact information from relevant departments ◦ Security and PCI-related policies ◦ Financial information – if you collect credit card information, where is that information?

Info-Tech Research Group7 Two-Day Summary – PCI Simplification Action Plan ScheduleNameGoalAttendeesList of Deliverables Module 1: Evaluate Current State & Gap Analysis Day 1 Morning Day 1 Afternoon 1.1: Getting Started & Goal Setting Workshop introduction Preview of the two days Establish high-level goals around PCI CFO/Finance officers CIO Security manager IT manager Other Set of six to ten goals around PCI compliance 1.2: Current State Evaluation Test yourself to see how much your organization knows about its PCI- and security-related policies Document your findings in a central Action Plan CFO/Finance officers Security manager IT manager Sneak Audit PCI Simplification Action Plan 1.3: 12 PCI Core Requirements Understand PCI’s 12 core requirements, discussion CFO/Finance officers Security manager IT manager Other Group understanding consensus 1.4: Gap Analysis Map your PCI and security documentation to the applicable requirement to identify gaps in your compliance strategies CFO/Finance officers Security manager IT manager Other Complete list of areas that need attention/remediation

Info-Tech Research Group8 Two-Day Summary – PCI Simplification Action Plan ScheduleNameGoalAttendeesList of Deliverables Module 2: Determine Simplification Strategy & Communication Plan Day 2 Morning Day 2 Afternoon 2.1: Gap Prioritization Based on the mapping completed in Module 1, prioritize gaps to determine opportunities and recognize successes CFO/Finance officers Security manager IT manager Other Complete list of prioritized next steps 2.2: Simplification Strategy When you determine the gaps in your PCI strategy, identify themes and patterns to choose your best strategies: modularization, tokenization, outsourcing, isolation CFO/Finance officers Security manager IT Manager (if security manager doesn’t exist or cannot attend) PCI Simplification Strategy 2.3: Launch Plan Complete your PCI Simplification Action Plan Develop a plan to communicate PCI changes and processes to stakeholders Create a training and awareness guide for employees CFO/Finance officers CIO (only to be aware of employee training, not the Communication Plan) Security manager IT manager Other (manager of employees to be trained in new procedures, etc.) PCI Simplification Action Plan Communication Plan Training and awareness resources

Info-Tech Research Group9 What’s in this Section:Sections: Module 1: Evaluate Current State and Gap Analysis Evaluate Your Current State 12 PCI Core Requirements Module 2: Determine Simplification Strategy and Communication Plan Appendix Set and validate your goals for PCI compliance Understand what’s at stake if you remain not compliant Evaluate your current state

Info-Tech Research Group10 Simplify PCI – Evaluate Current State and Gap Analysis (Module 1) After completing this section, you will understand: The goals you have established in relation to this project What’s at stake if you do not prioritize PCI compliance Your current state in relation to PCI and security policies and procedures The gaps that are preventing you from being successful at compliance Having completed this module, you will be able to: Identify key opportunities within policy and procedural gaps to improve compliance practices Timeline for this section ActivitiesOutputs  1.1: Getting Started & Goal SettingSet of 6-10 project goals  1.2: Evaluate Current StateSneak audit & Action Plan  1.3: Map 12 PCI Core Requirements to Current State Gap Analysis Level of difficulty: Moderate Immediate outcomes of this section Key benefits

Info-Tech Research Group11 Module 1: Evaluate Current State and Gap Analysis 1.1 Getting Started and Goal Setting Set and validate your project goals Understand what’s at stake if compliance is not a priority Roles and responsibilities 1.2 Evaluate Current State PCI merchant levels Survey current policies 1.3 Map 12 PCI Core Requirements to Current State Identify key tasks and implementation opportunities in each requirement Gap prioritization SAQs – compliance documentation and requirements review Capture costs Sneak audit

Info-Tech Research Group12 Info-Tech Research Group Helps IT Professionals To: Sign up for free trial membership to get practical solutions for your IT challenges Quickly get up to speed with new technologies Make the right technology purchasing decisions – fast Deliver critical IT projects, on time and within budget Manage business expectations Justify IT spending and prove the value of IT Train IT staff and effectively manage an IT department “Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment. - ARCS Commercial Mortgage Co., LP Toll Free:

Info-Tech Research Group13 Marketing Link Link from Storyboard Landing Page: audit-costs-in-half?utm_source=SS_Sample&utm_medium=Collateral&utm_campaign=Collateral