AT&T Becomes the First Carrier Listed With the Payment Card Industry to Offer a Portfolio of Business Network Services Evaluated Against Its Data Security Standards

The Set of Business Network and Security Services Enables Payment Card Processing Companies to Comply with Industry Standards

Dallas, Texas.-Merchants, retailers or other organizations handling credit and debit card transactions now have even more reason to use AT&T business network and security services. AT&T, Inc. (NYSE:T) today announced it is the first carrier to have its business network and security services portfolio — comprising Virtual Private Network (VPN), managed routers, remote access, and managed security services — successfully evaluated by an independent third party against the Payment Card Industry’s Data Security Standards. AT&T’s portfolio has been found to be compliant with the applicable industry standards, enabling customers who use these AT&T services to meet their PCI standards obligations.

AT&T is the first network service provider with such a broad portfolio of business network services to be placed on Visa’s and MasterCard’s list of service providers whose services have been found to be compliant with the applicable PCI Data Security Standards. AT&T’s suite of business network services will enable customers subject to the PCI standards to comply with the standards.

“AT&T is the first to offer such an expansive set of VPN, remote access and managed security services that have been successfully evaluated against the PCI Data Security Standards,” said Dale McHenry, AT&T Vice President, Enterprise Networking. “As a result, AT&T can now provide customers pursuing PCI certification with comprehensive information about AT&T’s services that they can use in their own PCI certification efforts.”

The PCI Data Security Standards were adopted to give any entity that processes, stores, or transmits payment card data the framework to maximize the protection of credit and debit card data being transferred over the Internet or stored on their networks. PCI members undergo regular audits to determine if they are compliant with these standards.

Today’s announcement represents the first wave of AT&T services that have completed the audit process by an independent third party so that they can be listed among Visa’s and MasterCard’s PCI certified providers. AT&T will continue to evaluate its services against PCI Data Security Standards.

Validating PCI compliance is an expensive proposition for many large (level 1) and midsized (level 2) businesses that accept card payments. According to a 2008 survey by Gartner Inc., Level 1 retailers “reported spending an average of $2.7 million on PCI compliance, excluding the costs of PCI assessment services. That number compares with an average of $568,000 reported by Level 1 merchants in a fall 2006 Gartner survey.”¹

Also, Level 2 merchants “reported spending $1.1 million on PCI compliance, as opposed to an average spending of $267,000 reported in fall 2006. Altogether, Level 1 and Level 2 U.S. merchants’ spending to protect cardholder data and become PCI compliant increased nearly fivefold during the past 18 months,” said Gartner.²

In addition to its VPN portfolio, other AT&T services that have been evaluated by the independent third party against PCI Data Security Standards include a range of managed and transaction routing services; intrusion detection, intrusion prevention, and firewall security services; and services for IP Telephony and local area networks. Versions of these services are available globally as well.