Breached: Data Centric Security for SAP

Upload: secude

Post on 10-Aug-2015


TRANSCRIPT

Keep it Confidential

• Established in 1996, spin-off from Fraunhofer & SAP
• Developer of a Secure Login (SAP Single Sign-On) technology, sold to SAP in 2011
• SAP partner and Value Added Reseller (VAR)
• Trusted by a large number of Fortune 500 and DAX companies
• 4 global locations: Switzerland, Germany, USA, India
• New focus extends to data-centric security and classification with Halocore solutions

SECUDE is an innovative global provider of IT data protection solutions for SAP customers. Our user-friendly solutions protect the integrity of data, prevent intellectual property theft and data breaches, while enforcing regulatory compliance.

Solution Overview

Speakers

Aparna Jue, Technical Product Manager
Aparna is the Product Manager for Secude and is responsible for product planning, voice of customer, design, project management and launch of key vertical products. Aparna holds a Bachelor of Science degree in Electrical and Computer Engineering from the Georgia Institute of Technology, focusing on Network Communications, and has completed graduate research coursework in Materials Science Engineering in semiconductor technology.

David A. Kilgallon, ISA, PCIP, Director of Integration Services
David has over 24 years of experience in the IT/application development, deployment and support fields. David has worked in positions of leadership at Oracle and Johnson & Johnson and supported numerous Fortune 500 companies. His Bachelor of Computer Engineering degree is from Lehigh University.

Rupali Goyal, SAP Solution Architect
Rupali is CardConnect's SAP Solution Architect. She has nine years of experience in various SAP areas (FI-CO, SD) and has worked on other SAP products including SAP R/3, SAP ERP, SAP Enterprise Portal and SAP Solution Manager Systems. Before coming to CardConnect, Rupali worked for SAP Labs India and SAP America, Inc., PA.

Agenda

1. Security Risk is on the Rise
2. What Can You Do to Mitigate the Risk
3. Compliance Landscape

Security Risk is on the Rise

Datafication
• Businesses today cannot operate without their data infrastructure
• Every 2 years the world's data is doubling in size

BYOx
• Bring Your Own... ANYTHING
• IT consumerization leads to loss of control over corporate data

Data Breaches
• Credit card loss has damaged brands
• Even compliance isn't sufficient

Security Risk is on the Rise

Borderless IT
• Corporate perimeter is eroding/has eroded
• Knowing where your data is has become a challenge
• Keeping track of data is next to impossible
• Data exists to be consumed and shared
• Locking everything down and disallowing employees to use data is counter-productive
• Data itself should be protected for secure movement and usage
• Key data should be removed to prevent the possibility of theft

Security Risk is on the Rise

Businesses Aren't Prepared

• 27% of IT professionals admitted that they did not know the trends of data loss incidents over the past few years. (Cisco Systems)
• 39% of IT professionals worldwide were more concerned about the threat from their own employees than the threat from outside hackers. (Cisco Systems)
• 40% of organizations experienced a data breach or failed a compliance audit in the last year. (2015 Vormetric Insider Threat Report)
• 93% of U.S. organizations said that they felt vulnerable to insider attacks; only 7% felt safe. (2015 Vormetric Insider Threat Report)
• Cybercrime-related costs increased 56% from the previous year to US$5.9 million per incident in 2014. (Deloitte)

Security Risk is on the Rise

The Risk is Real

• Sony Pictures: The Data Breach and How The Criminals Won
• Home Depot's 56 Million Card Breach Bigger Than Target's
• Cost of data breaches increasing to average of $3.8 million, study says
• Millions exposed by latest health insurance hack
• Uber Says Security Breach May Have Compromised Driver Data
• Target agrees to pay $10 million to data breach victims
• Anthem Hacked, Millions of Records Likely Stolen
• Massive data breach could affect every federal agency

Security Risk is on the Rise

Costs Associated with Risk

Cause of Data Breach
• Malicious attack: 42%
• System glitch: 29%
• Human error: 30%

Financial consequences of a data breach, divided by categories
• Reputation damage: 29%
• Lost productivity: 21%
• Forensics: 12%
• Lost revenue: 19%
• Technical support: 10%
• Regulatory: 8%

$5.85 million: average cost of a data breach in the USA in 2013

Sources: IBM; 2014 Cost of Data Breach, Ponemon Institute

What Can You Do to Mitigate the Risk

SAP Data at the Heart of the Enterprise

Every Day Data is Extracted from SAP

Context Awareness

Classification
• Identify sensitive data extracted from SAP with intelligent classification
• Maximize SAP users' investment in data governance solutions
• Gain 360 degree visibility and control
• Optimize Data Loss Prevention (DLP)

Benefits of Halocore's classification functionality:
• Ability to tag data extracted from SAP
• Lowered compliance costs
• Improved accuracy of DLP
• Increased user awareness

Data Loss Prevention
• Empower users with first SAP-native DLP functionality
• Prevent accidental and malicious data leaks from SAP
• Prevent certain types of compliance sensitive data from leaving the enterprise

Deep integration with SAP and contextual awareness:
• User (Roles, Authorization)
• Data (Transaction, Table)
• Technical environment (Front-end, App. Component)

Data Centric Protection
• Apply granular access control and rights management to documents extracted from SAP with Microsoft RMS
• Minimize the risk of data breaches, theft and accidental loss
• Secure data across mobile and cloud platforms
• Enable secure sharing with colleagues and partners

By utilizing RMS, Halocore allows SAP users to restrict access to sensitive data:
• Roles and authorizations configured in SAP can be extended to data leaving it
• Protection stays with the file no matter where it travels
• Documents can be safely consumed on mobile devices

Next Steps
• Start with Auditing!
• Understand what data is extracted from SAP and how sensitive it is
• Identify risky areas, users, and transactions
• Maintain a full audit trail for compliance purposes

Halocore can help SAP users to gain knowledge:
• What sensitive data they have
• Where it resides
• Who is accessing their data
• What actions they perform with it

Next Steps
• Find Out How Much Data is Leaving SAP
• Identify Sensitive Data
• Build Business Case for
  – Classification
  – Blocking
  – Protection
  – Compliance

Compliance Landscape

The Data-fication of Businesses = Increasingly strict compliance regulations

Layered Security Approach
• Network Protection: DLP, Firewalls, VPN
• Storage Protection: FDE, DB Encryption
• File-based Protection: IRM / DRM

PCI Cost Components

Key Compliance Cost: PCI DSS
• Consists of hard costs in real dollars spent with external auditors
• It's essential to prevent the exposure to loss of credit card data
• PCI compliance alone is not sufficient to protect your data:

"PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations."

Payment Card Industry (PCI) Data Security Standard, v3.0, Page 5. © 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved. November 2013.

PCI Cost Components

Businesses spend on average $225,000 per year to ensure PCI compliance
• Top 10% of businesses pay $500,000 or more annually
• Where does the money go?
  > Initial scope
  > QSA audits
  > Full time resources
  > Self-Assessment Questionnaire

Average annual cost of PCI compliance audit? $225k (Ellen Messmer; Networkworld.com)

PCI Scope Reduction

Before                          After
SAQ-D                           SAQ-A/B
QSA Costs - $100,000+           Reduced Audit Requirements - $3,000
2 Full-Time Equivalents         1 Full-Time Equivalent

P2PE and Tokenization

• Point-to-Point Encryption and patented tokenization
  > Irreversible tokens
  > Single-use vs. multi-use tokens

P2PE and Tokenization

Why Tokenize?

• Tokenization removes sensitive data from SAP entirely, reducing PCI scope and ultimately reducing cost
  > Remove historical payment card data from SAP via batch tokenization
  > Implement encryption and tokenization for all new transactions
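As an added illustration of the "irreversible tokens" and "single-use vs. multi-use tokens" points from the P2PE and Tokenization slides (example code written for this page, not CardConnect's CardSecure implementation): a minimal token vault in Python. The token format, the in-memory storage and the test card number are assumptions; the point is that SAP keeps only the token, the PAN lives only in the vault, and a token is random rather than derived from the PAN.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check so the vault only accepts well-formed card numbers."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Masking for display (the deck's 'Bank Account Masking'): only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Constructed in-memory vault: PANs live here, never in SAP; SAP keeps only tokens."""
    def __init__(self):
        self._pan_by_token = {}      # token -> PAN (the only place the PAN is stored)
        self._multi_use_token = {}   # PAN -> its reusable token
        self._single_use = set()     # tokens that may be detokenized exactly once

    def tokenize(self, pan: str, multi_use: bool = True) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if multi_use and pan in self._multi_use_token:
            return self._multi_use_token[pan]  # same card, same token: recurring billing
        # Irreversible by construction: the token is random, not encrypted or hashed
        # from the PAN, so there is no key or table outside the vault that inverts it.
        # The last four digits are kept so users can still recognise the card.
        token = "TK" + secrets.token_hex(6).upper() + pan[-4:]   # assumed format
        self._pan_by_token[token] = pan
        if multi_use:
            self._multi_use_token[pan] = token
        else:
            self._single_use.add(token)
        return token

    def detokenize(self, token: str) -> str:
        """Gateway-side lookup; a single-use token is burned on first use."""
        pan = self._pan_by_token[token]   # KeyError for unknown or already-consumed tokens
        if token in self._single_use:
            self._single_use.discard(token)
            del self._pan_by_token[token]
        return pan
```

A multi-use token is what an order in VA01 would carry so later settlement and re-billing reference the same card; a single-use token is what a one-off web tokenizer submission would hand back.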

Secure Future Transactions

• Apply to existing sales channels
  > SAP GUI, iStore, integrations
  > POS, mobile, e-commerce, and more
• SAP-to-Gateway integration

SAP CardSecure® Landscape

SAP Process Flow

Create Order: In SAP, execute VA01, enter the required information for the order and hit Enter. Enter the payment information using the 'Enter Card' button on the screen. The system automatically authorizes the sales order on 'save'.

Create Settlement: In SAP, execute transaction FCC1 to run the settlement. The settlement batches are sent to CardConnect for processing.

CardConnect Web Tokenizer from SAP Order Entry Screen

SAP Payment Acceptance

Additional Features
Account Updater > Update expired cards automatically
Level II/Level III > Lowers interchange costs
Bank Account Masking > Mask sensitive information
CardClear > Clear open invoices in SAP
Authorization and Settlement Reports > Detailed ALV reports outlining important information

Auth Increase | TokenSecure | Settlement Consolidation | CardDeposit | Address Fill | E-Check | PrePay | Invoice Cancellation | Monitoring Report | Auth Reversal | Authorization Wrapper | Settlement Wrapper | CardCopy | Process Flow Report | Auth Recycle | CardMasking | Reconciliation Report

Q&A

Aparna Jue, SECUDE

David Kilgallon, ISA, PCIP, CardConnect

Rupali Goyal, CardConnect

BREACHED: Data Centric Security for SAP