Five Challenges to Continuous PCI DSS Compliance

WHITE PAPER
Executive Summary

As the Payment Card Industry Data Security Standard (PCI DSS, or PCI) becomes more widely adopted in both the United States and Europe, organizations face five major challenges when navigating the PCI compliance landscape:
• Misunderstanding what the term “PCI compliance” means in a given context;
• Treating PCI compliance as an audit process rather than a private industry standard;
• Scoping PCI compliance too broadly;
• Treating PCI compliance as a single point-in-time activity rather than an ongoing one; and
• Failing to use automated tools to generate evidence of continuous compliance.

This white paper discusses these challenges in depth, along with their implications. It also provides a plan of action that organizations subject to PCI can take to address compliance needs.

Lastly, the white paper discusses how the Tripwire VIA™ suite of IT security and compliance automation solutions helps organizations get and maintain continuous PCI compliance so you can take control of security and compliance of your IT infrastructure. Tripwire VIA solutions include Tripwire® Enterprise for configuration control and Tripwire® Log Center for log and security event management. Tripwire Customer Services can help you quickly maximize the value of your Tripwire technology implementation.

With Tripwire, get visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.




  2 | WHITE PAPER | Five Challenges to Continuous PCI DSS Compliance
Introduction

For a standard that has only formally existed for about five years, the Payment Card Industry Data Security Standard (PCI DSS, or PCI) is making astonishingly rapid progress. In the United States, depending on whose statistics you read, anywhere from 50–80 percent of large retail companies are validated as compliant; even second-tier organizations are roughly estimated around the 50 percent mark in terms of adoption. PCI is making headway in Europe as well, although adoption is not uniform across the continent, with the United Kingdom exhibiting the highest levels of PCI compliance and awareness.

In fact, PCI has attained such wide adoption that many consider it a de facto standard of due care in the retail industry. Although a private industry rather than legal standard, many organizations treat PCI as a regulatory requirement—an approach that frequently creates an unnecessary burden on IT. Based on well-established security best practices, such as ISO 17799, PCI is not a compliance program, but rather a technical best practices standard for the protection of sensitive data, not just credit card data.

This white paper will examine five major challenges organizations face when navigating the PCI compliance landscape—issues pertaining to the entire PCI compliance lifecycle, including pre- and post-compliance challenges, with a focus on clarifying certain common but crucial misunderstandings of the PCI compliance process.

CHALLENGE #1: LACK OF ORGANIZATIONAL UNDERSTANDING AND COMMITMENT

The lack of clarity regarding the term “PCI compliance” is one fundamental challenge. In fact, the term can mean one of several things, depending on the context in which it is used:
1. Satisfying the requirements listed in the PCI DSS technical standard itself. This is the most accurate—but ironically the least utilized—definition.
2. Undergoing a successful external examination or assessment by a third party, called a Qualified Security Assessor (QSA), that has been certified by the PCI Security Standards Council (PCI SSC), the body created specifically to maintain the technical standard. This is a typical use of the term when discussing PCI with retail executives, although it is probably the least accurate.
3. Satisfying the registration requirements of each of the major card brands—chiefly VISA, MasterCard and AMEX—by submitting various forms or other necessary information according to each association’s rules. This use of the term is the most common, even though the related process has little to do with the actual PCI DSS.

Unfortunately, inconsistent use of “PCI compliance” often leads to significant confusion and frustration. For example, an organization may satisfy all PCI controls yet not be registered with a card association. As a result, that card association does not consider the organization to be in compliance—even when another association has accepted and validated the registration. When discussing PCI compliance with IT, an internal auditor, an assessor, an acquiring bank, or an association, you must keep in mind the context for the discussion.

The following example demonstrates why context is important. Often third-party service providers serve retailers but have no direct relationship with any of the card brands. The service provider does not handle payments by credit card, yet it does transmit or store its retail clients’ credit card data. In this familiar circumstance, the service provider organization, which may well satisfy all the PCI DSS controls, cannot directly register with the associations. Such an organization is certainly PCI compliant, but it is not Cardholder Information Security Program (CISP), Site Data Protection Program (SDP) or Data Security Operating Policy (DSOP) compliant. Unfortunately, most potential retail clients cannot make this distinction, and therefore consider the service provider organization non-PCI compliant—an unfortunate assumption that may lead to significant loss of potential revenue for the service provider.

Worse yet, the service provider in the above scenario cannot resolve the issue without working with one of its merchant clients’ acquiring banks to sponsor the service provider’s registration. However, the service provider and the acquiring bank or card association have no business relationship, so the bank will not want to accept the related liability. Ironically, the retail client in question will also be considered out of compliance due to PCI requirement 12.8.




This requirement states that if the merchant shares cardholder data with a service provider, it must implement and maintain policies and procedures to manage that service provider, which includes ensuring the service provider is PCI compliant. Until this process is complete, the merchant is subject to potential fines and censures—a curious chicken-and-egg scenario that could be challenging, especially for smaller third-party service providers that are attempting to gain market share.

MasterCard has in some cases tacitly worked around this issue in the past couple of years by accepting direct registrations through submissions from certain QSAs. In contrast, VISA has insisted on the formal process, resulting in cases where MasterCard’s list of compliant service providers includes organizations not on VISA’s list. Fortunately, both associations have recently begun pushing large acquiring banks to handle these registrations when they learn of these service providers. Hopefully this added pressure will alleviate the issue.

CHALLENGE #2: PCI AS AN AUDIT PROCESS

A separate issue facing organizations subject to PCI compliance results from the tendency to treat PCI compliance as an audit process. Although a PCI assessment resembles a regulatory audit to some degree, organizations should not treat it as such, for several reasons:
• First, because PCI is not a law but rather a private industry standard, the level of risk associated with PCI compliance differs from that of meeting, for example, a financial reporting rule in a regulation.
• Second, PCI assessments function more as a “spot-check” than an actual full-blown record examination, with no account for a system of record or distinction between key and other controls. In fact, PCI is entirely binary in two senses: all controls have equal weight, and they must all be satisfied in order to be compliant. While compensating controls can be listed and approved, there is no “percentage compliance” threshold that can be crossed; you’re either compliant, or you are not. In one early case, an internal auditor at one association rejected a large organization’s entire submission when the auditor noticed that the organization’s data destruction policy only stated that old hard copy with cardholder data would be “shredded” rather than “cross-shredded.” Hopefully such cases no longer occur, but the example does demonstrate the impact of equal weighting and binary compliance.
• Third, assessors do not have a rigid auditing standard they must follow and by which they are judged; each can approach the evaluation process differently, as long as they satisfy the specific technical test criteria defined within the standard. This lack of uniform evaluation likely contributes significantly to the common belief that any two PCI QSAs will reach different conclusions when assessing the same organization. In an attempt to remedy this issue, a detailed “scoring chart” that a QSA must follow when assessing compliance was recently released. Unfortunately, the chart does little to solve the underlying issue, as it merely specifies the minimum evidence to be checked rather than requiring a comprehensive audit or a centralized system of record. Often, merchants “put their best foot forward,” providing a QSA with the systems and evidence they would like examined rather than the QSA assessing a true random sample. With no legal foundation behind the assessment and significant pressure to drive down costs among competing QSAs, this approach frequently works—especially because the QSA’s work is made easier and it eliminates any liability the QSA might otherwise carry.
• Last, because QSAs usually work as consultants rather than independent auditors, they often want to assess organizations while also helping them become compliant. This situation creates a powerful, inherent conflict of interest and likely impacts assessment results. Worse, from the client’s perspective, assessors end up with too much power; they can end up running the show and decreeing sets of their preferred solutions that would “guarantee compliance,” hinting that the merchant had better do what they say—or fail.

These issues distract from the simple fact that PCI is an extremely well-developed standard for protecting sensitive data, although it’s important to note that the standard assumes that a data classification effort has taken place and



that “cardholder data” has been defined as “sensitive.” As such, PCI provides organizations a foundation for developing an enterprise data security strategy, and one that is much easier to initially adopt than a major framework such as COBIT, a standard such as ISO 17799, or a regulation such as the Data Protection Act (DPA).

Many organizations now possess electronic data assets well beyond private consumer information. With this tremendous volume of data assets, treating PCI as a blueprint for protecting those assets makes perfect sense, as it allows the organization to capitalize on PCI-related investments elsewhere. For example, an organization could extend most PCI controls to its systems that are out of scope for PCI. By doing so, the organization standardizes its security efforts and reduces the overall cost of protecting additional systems. In other words, if you have to do something anyway, and it’s beneficial, why not extend those benefits everywhere? In one instance, a large fashion retailer reduced the number of key controls to implement for SOX by over 70 percent by extending PCI controls to its financial system.

In some cases PCI compliance can even drive bottom-line benefits. Returning to the third-party service provider example above, merchants might be more willing to sign on the dotted line with a service provider that had voluntarily complied with PCI and had undergone a formal assessment from a well-recognized QSA, even when the merchant is not forced to do so by the card brands. For the service provider, this ability to execute faster and reduce the sales cycle is a tremendous benefit. It is easy to conceive of many such scenarios; for example, a hosting provider with a segregated PCI-compliant environment within its data center. For one outsourced e-commerce service provider, the ability to offer a “PCI certified” environment translated to a significant reduction in the sales cycle.

CHALLENGE #3: SCOPING COMPLIANCE TOO BROADLY

Not surprisingly, an organization can get overzealous about PCI. Put an internal auditor on the task of becoming compliant and you will quickly be inundated with forms, tests, checks, requests for evidence, and spreadsheets with tiny print listing missing controls—a far greater scope for PCI than even the writers of the standard intended. This is a natural result of such improper delegation; as discussed earlier, PCI audits are anything but a formal, uniform audit process. Also, many compliance officers are former auditors, based on the thinking that to best address compliance one should put an auditor in charge.

Instead, one should approach PCI compliance with two intertwined goals in mind: reduction of risk and reduction of scope. When discussing reduction of scope, it’s natural to take the word “scope” as referring to compliance. For PCI, scope refers instead to “sensitive data.” In relation to risk, the less sensitive data an organization maintains, the lower the organization’s risk associated with that data.

This principle applies, of course, to all kinds of sensitive data. Corporations generally focus on the sensitivity of corporate records such as financial results or legal agreements, and understand that protecting those records effectively begins with limiting their distribution. Corporate managers instinctively understand the concept of data classification when it comes to these kinds of records; some data is really sensitive and we want to keep it safe. They understand that keeping data safe involves ensuring it isn’t left carelessly on someone’s desk, emailed to large distribution lists, or copied over to file systems that everyone in the company can access. For these individuals, this important understanding of sensitive data already exists; to drive home the concept of reduction of scope they only need to apply that same mindset to PCI “cardholder data.”

In most retail organizations that attempt to comply with PCI, cardholder data initially seems to be everywhere. It’s on the point-of-sale and merchandising systems, financial reporting systems, accounting Excel spreadsheets, loss prevention systems and investigation records, files with paper records, receipts, emails, laptops… the list is endless. Sadly, the question these organizations usually ask first is “How do we comply with PCI for all this?” Instead, they should be asking “Where can we eliminate the use of such data?”

By eliminating credit card account numbers from every storage mechanism where these numbers should not reside, the organization gains several major benefits. The first is a dramatic reduction in compliance scope and associated liability and risk. Ideally, actual card numbers should reside only in one central system, such as the merchandising




system (consider it the “PCI system of record”). All other functions, including sales audit, loss prevention, and so on, that may require the occasional card number can be driven largely by the use of alternative mechanisms, such as utilizing cryptographic hashes instead of actual account numbers for transaction searches. Such a hash must be keyed (an HMAC under a secret key that is managed like a card-data encryption key): the space of valid account numbers is small enough that an unkeyed hash can be reversed by brute force, particularly when the same card’s truncated number is stored alongside it. Furthermore, the benefits of going through the scope reduction exercise can be even greater if the principle is then carried over to other forms of sensitive data. Ultimately this exercise in reducing scope can make the entire company much better at handling its electronic data assets of all kinds. In one case, proper scoping resulted in a revised budget of $400K instead of over $2M, and a reduction of three-fourths in the time needed to attain compliance.

CHALLENGE #4: THE FALLACY OF POINT-IN-TIME COMPLIANCE

Another self-defeating but prevalent approach is that of “least-effort compliance.” An organization that views PCI compliance as simply something the organization must do, without understanding how it otherwise contributes to the business, will naturally do the minimum necessary to attain compliance.

This approach poses a number of significant risks. Because a PCI assessment is very limited in nature, it is easy to present an assessor with targeted evidence to ensure compliance. Often, and especially in cases where the assessor also serves as the consultant on how to pass the assessment, it is extremely hard to avoid a form of collusion between the client and the assessor that results in a tendency to ignore, make exceptions for, or explain away non-compliant elements.

The reliance of PCI compliance on an annual, point-in-time assessment also contributes to the “illusion of compliance” problem. PCI compliance, except in certain narrow areas such as quarterly scanning, looks at the here-and-now. Unlike a full audit, there is no actual requirement to prove that all controls have been in place for an entire year, but rather that they are in place when sampled during the assessment. Even failed quarterly scans can generally be explained away if the most recent scan before an assessment shows a passing result. Another issue is that an organization often falls out of compliance in areas that had already been sampled and passed while other areas are in the process of being assessed. This situation results in the curious conundrum of the organization becoming non-compliant at the very time it is being validated by the assessor.

Many organizations thus end up subscribing to the view that the assessment is something that they need to pass annually. Over time, these organizations become highly trained in producing the correct set of evidence to get validated for compliance, regardless of their actual PCI compliance posture.

CHALLENGE #5: FAILURE TO AUTOMATE

All of these issues are immaterial until a breach occurs. That, however, is when the entire game changes. Following a breach, the card association will send its own assessor, usually paid for by the merchant, but this time with the unspoken goal of disproving compliance at the time of the breach. And for the first time the assessor will assume the role of auditor, not only checking for compliance based on a current sample of evidence, but examining it over the entire duration of time leading up to and following the breach. It is easy to imagine that they will find numerous controls that may not have been in compliance at one point or another, or simply not find any supporting evidence at all.

Since PCI compliance is binary, the conclusion would be that the organization had not been compliant at the time of the breach, regardless of whether its compliance had been validated by an external assessor beforehand. This conclusion opens the door to a number of liabilities, including fines and other sanctions, depending on how far the association feels it can go with the particular entity in question.

An excellent way to avoid much of this problem is the use of automated evidence collection tools. Not only do such tools normally have significant operational benefits—including early detection of breaches, a major factor in limiting risk—but they can prove that the organization had continuous compliance, rather than the point-in-time compliance that assessments show. The organization’s bargaining position when dealing with the association is therefore greatly improved, and avoiding a half-million-dollar fine is enough to easily



justify the cost of several such tools, though breaches often lead to more than a single fine.

Since PCI is very detailed in terms of required technical and operational controls, it is virtually impossible to remain compliant without such tools. But most of these tools also bring side benefits, such as catching unauthorized changes, detecting reliability and performance issues, or simply indicating suboptimal configurations in operational systems.

Note that compliance in and of itself can’t stop a breach from happening, although having security controls in place will certainly reduce the breach-to-detection gap from weeks and months to minutes and hours. That is powerful. Unfortunately, the old security adage that “the only safe system in a network is one that is not connected” still holds true. However, PCI compliance, because it is essentially a set of security best practices, can contribute significantly to the organization’s overall security posture.

How Tripwire Helps

Tripwire IT security and compliance automation solutions go beyond directly addressing requirements like PCI Requirements 10.5 and 11.5. In fact, assessors recognize that when the Tripwire VIA™ suite is in use, they can assume that the organization being audited has already satisfied specific PCI assessment criteria. In addition, Tripwire solutions automate mission-critical operational and analysis tasks around system changes, while providing strong proof of compliance for auditors and legal discovery.

To date, Tripwire has helped over 7000 organizations worldwide meet compliance requirements and secure their IT infrastructure with industry-leading IT security and compliance automation solutions. These solutions include Tripwire Enterprise for configuration control and Tripwire Log Center for log and event management. Tripwire Enterprise delivers proven file integrity monitoring, compliance policy management, real-time intelligent assessment of change with Change IQ capabilities, and one-touch access to remediation guidance to meet the PCI DSS configuration and change process controls. Tripwire Log Center, an all-in-one log and event management solution, meets the log management requirements of the PCI DSS and, through its built-in integration with Tripwire Enterprise, further enhances security with security event data on changes flagged for review by Tripwire Enterprise.

Together, Tripwire Enterprise and Tripwire Log Center provide a broad solution for ensuring PCI DSS compliance and reducing an organization’s security risk.

What you should do

From the discussion to this point, you can draw several useful conclusions and begin to form a compliance plan of action:
1. PCI as a best practice. Where they make sense, plan to expand relevant PCI controls to other areas of the organization; this will help with other compliance programs.
2. Scoping before compliance. Identify all cardholder data flows and storage systems before looking at the PCI DSS, and then eliminate as many of them as possible.
3. Controlling the compliance process. Avoid hiring your
   auditor to assess and consult on how to pass their audit. Instead, rely on proven PCI expertise to help you work through the compliance process. Similarly, try to avoid putting an auditor in charge of PCI compliance, unless they have significant and specific PCI expertise.
4. PCI is ongoing. Do not fall into the “annual checkpoint” mindset, but treat PCI compliance as a continuous process.
5. Automation and centralization. Plan to invest in both automation and centralization, with an eye towards collection and review of evidence. This investment will provide the best coverage following a breach, but will also provide significant operational benefits.
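Item 2 above, and the scope-reduction discussion under Challenge #3 (letting loss prevention or sales audit search transactions by a cryptographic hash of the account number rather than by the number itself), is worth seeing in working code. The Python below is an added example written for this edition; it is not Tripwire's code and nothing in the white paper ships it. The card numbers are the card brands' published, never-issued test numbers, the transactions are constructed sample data, the HMAC key is a throwaway generated at run time (in production it would live in an HSM or key-management service), and every function name is mine. It shows the keyed token that makes hash-based search safe, and then demonstrates the caveat: given the truncated number PCI permits in the clear and an unkeyed SHA-256 of the same card, the full number comes back in well under a second, because the Luhn check digit pins one of the six masked digits and only 10**5 candidates remain.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Dict, List, Optional

# Published, never-issued test card numbers (Luhn-valid): constructed input.
TEST_PANS = ["4111111111111111", "5555555555554444"]


def _luhn_weight(digit: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum (doubled digits fold at 9)."""
    d = digit * 2 if doubled else digit
    return d - 9 if d > 9 else d


def luhn_valid(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: every second digit from the right is doubled."""
    total = sum(_luhn_weight(int(ch), i % 2 == 1) for i, ch in enumerate(reversed(pan)))
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """The truncation PCI DSS permits in the clear: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_token(pan: str) -> str:
    """Plain SHA-256 of the PAN: looks irreversible, but the input space is tiny."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: without the key a token reveals nothing."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def build_search_index(transactions: List[dict], key: bytes) -> Dict[str, List[str]]:
    """Keyed token -> transaction ids. The searching system never holds a PAN."""
    index: Dict[str, List[str]] = {}
    for txn in transactions:
        index.setdefault(keyed_token(txn["pan"], key), []).append(txn["id"])
    return index


def find_transactions(pan: str, key: bytes, index: Dict[str, List[str]]) -> List[str]:
    """Loss-prevention lookup: tokenize the card presented, then discard it."""
    return index.get(keyed_token(pan, key), [])


def recover_from_truncated(truncated: str, target_hash: str) -> Optional[str]:
    """Reverse an UNKEYED hash using the truncated PAN of the same card.
    Only the masked digits are unknown and the Luhn check fixes one of them,
    so a 16-digit PAN leaves 10**5 candidates. Returns None if nothing matches
    (which is what happens when the target is a keyed token)."""
    n = len(truncated)

    def doubled(pos: int) -> bool:  # Luhn parity, counted from the right
        return (n - 1 - pos) % 2 == 1

    known = sum(_luhn_weight(int(c), doubled(i)) for i, c in enumerate(truncated) if c != "*")
    hidden = [i for i, c in enumerate(truncated) if c == "*"]
    free, solved = hidden[:-1], hidden[-1]
    for digits in itertools.product(range(10), repeat=len(free)):
        partial = known + sum(_luhn_weight(d, doubled(p)) for p, d in zip(free, digits))
        need = (-partial) % 10
        # the Luhn digit map is a bijection on 0..9, so exactly one digit fits
        last = next(d for d in range(10) if _luhn_weight(d, doubled(solved)) == need)
        chars = list(truncated)
        for p, d in zip(free, digits):
            chars[p] = str(d)
        chars[solved] = str(last)
        candidate = "".join(chars)
        if unkeyed_token(candidate) == target_hash:
            return candidate
    return None


def demo() -> dict:
    """Run the scenario and return the facts worth checking."""
    key = secrets.token_bytes(32)  # assumption: a throwaway key; use an HSM/KMS key in production
    transactions = [  # constructed sample data
        {"id": "T1001", "pan": TEST_PANS[0]},
        {"id": "T1002", "pan": TEST_PANS[1]},
        {"id": "T1003", "pan": TEST_PANS[0]},
    ]
    index = build_search_index(transactions, key)
    victim = TEST_PANS[0]
    return {
        "hits": find_transactions(victim, key, index),
        "recovered": recover_from_truncated(truncate_pan(victim), unkeyed_token(victim)),
        "keyed_recovered": recover_from_truncated(truncate_pan(victim), keyed_token(victim, key)),
    }
```

Calling `demo()` returns the two transaction ids for the searched card, the full test PAN recovered from its truncated form plus the unkeyed hash, and `None` for the same attack against the keyed token. The design point for scope reduction is that the index and the systems that query it hold only tokens; the key, not the token table, is what has to be protected as cardholder data.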
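Item 5 above, like Challenge #5, argues for automated evidence that controls were in place continuously rather than only on assessment day. The Python below is an added example for this edition, not Tripwire Enterprise, Tripwire Log Center or any other product's code, and it sketches the two pieces such a tool needs. First, a file-integrity check of the kind PCI DSS Requirement 11.5 asks for: hash an approved baseline of the monitored tree and classify later drift as added, removed or modified files. Second, an evidence log whose records are hash-chained, so that editing or deleting an earlier record is detectable afterwards; that is the property Requirement 10.5 wants from an audit trail. The monitored directory, its two configuration files, the "unauthorized" edit and the timestamps are all constructed in a temporary directory, and the function names are mine.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

GENESIS = "0" * 64  # chain anchor for the first evidence record


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by POSIX path relative to root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift from the approved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def _record_hash(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_evidence(log: List[dict], check: Dict[str, List[str]], ts: str) -> dict:
    """Append one check result. Each record commits to its predecessor's hash,
    so the log as a whole is tamper-evident and append-only by construction."""
    record = {
        "ts": ts,
        "prev": log[-1]["record_hash"] if log else GENESIS,
        "result": check,
        "clean": not any(check.values()),
    }
    record["record_hash"] = _record_hash(record)
    log.append(record)
    return record


def verify_chain(log: List[dict]) -> bool:
    """True only if every record is intact and links to the one before it."""
    prev = GENESIS
    for record in log:
        if record["prev"] != prev or record["record_hash"] != _record_hash(record):
            return False
        prev = record["record_hash"]
    return True


def run_demo() -> dict:
    """Constructed scenario: a two-file host in the cardholder data environment,
    an unauthorized edit between two scheduled checks, then an attempt to
    rewrite the stored evidence after the fact."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "pos.conf").write_text("log_level=info\n")
        baseline = snapshot(root)  # approved state, taken at deployment

        log: List[dict] = []
        append_evidence(log, compare(baseline, snapshot(root)), "2010-03-01T02:00:00Z")

        # Unauthorized change and a stray key file appear before the next check.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "debug.key").write_text("-----BEGIN PRIVATE KEY-----\n")
        second = append_evidence(log, compare(baseline, snapshot(root)), "2010-03-02T02:00:00Z")

        # Someone edits the stored record to make the second check look clean.
        tampered = json.loads(json.dumps(log))
        tampered[1]["result"] = {"added": [], "removed": [], "modified": []}
        tampered[1]["clean"] = True

        return {
            "second_check": second["result"],
            "second_clean": second["clean"],
            "chain_valid": verify_chain(log),
            "tampered_chain_valid": verify_chain(tampered),
        }
```

`run_demo()` reports the modified `etc/sshd_config` and the added `etc/debug.key`, a chain that verifies as recorded, and a chain that fails verification once the second record is rewritten. In a real deployment the snapshot runs on a schedule against the cardholder data environment, the log is shipped off-host as it is written, and the same record hashes are what an assessor is shown when asked whether a control held between two annual visits.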



ABOUT TRIPWIRE

Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and TripwireInc on Twitter.




©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPFPC1b

 
TrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability ManagementTrustedAgent GRC for Vulnerability Management
TrustedAgent GRC for Vulnerability Management
 
Information security governance
Information security governanceInformation security governance
Information security governance
 
A Guide to Managed Security Services
A Guide to Managed Security ServicesA Guide to Managed Security Services
A Guide to Managed Security Services
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data Security
 
Term assignment
Term assignmentTerm assignment
Term assignment
 
Emerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and SecurityEmerging Trends in Information Privacy and Security
Emerging Trends in Information Privacy and Security
 
PCI DSS Compliance and Security: Harmony or Discord?
PCI DSS Compliance and Security: Harmony or Discord?PCI DSS Compliance and Security: Harmony or Discord?
PCI DSS Compliance and Security: Harmony or Discord?
 
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
CYBERSECURITY, RISK & COMPLIANCE | AMPCUS INC.
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public Sector
 
TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)TrustedAgent and Defense Industrial Base (DIB)
TrustedAgent and Defense Industrial Base (DIB)
 
The CISO in 2020: Prepare for the Unexpected
The CISO in 2020: Prepare for the UnexpectedThe CISO in 2020: Prepare for the Unexpected
The CISO in 2020: Prepare for the Unexpected
 

Semelhante a 5 Challenges to Continuous PCI DSS Compliance

When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliantDivya Kothari
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS SlidecastRobertXia
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliancepcidss14s
 
Is your business PCI DSS compliant? You’re digging your own grave if not
Is your business PCI DSS compliant? You’re digging your own grave if notIs your business PCI DSS compliant? You’re digging your own grave if not
Is your business PCI DSS compliant? You’re digging your own grave if notCheapSSLsecurity
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardsallychiu
 
Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...The Harvey Company Insurance Services
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1wardell henley
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
Understanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and FailuresUnderstanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and Failures- Mark - Fullbright
 
Pci compliance
Pci compliancePci compliance
Pci compliancepcihghg23
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 

Semelhante a 5 Challenges to Continuous PCI DSS Compliance (20)

When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliance
 
Is your business PCI DSS compliant? You’re digging your own grave if not
Is your business PCI DSS compliant? You’re digging your own grave if notIs your business PCI DSS compliant? You’re digging your own grave if not
Is your business PCI DSS compliant? You’re digging your own grave if not
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
 
Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...Privacy and security insurance coverage relates to pci (payment card industry...
Privacy and security insurance coverage relates to pci (payment card industry...
 
PCI Article C24
PCI Article C24PCI Article C24
PCI Article C24
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
Understanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and FailuresUnderstanding Your PCI DSS Guidelines: Successes and Failures
Understanding Your PCI DSS Guidelines: Successes and Failures
 
Pci compliance
Pci compliancePci compliance
Pci compliance
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI FAQs and Myths
PCI FAQs and MythsPCI FAQs and Myths
PCI FAQs and Myths
 

Mais de Tripwire

Mind the Cybersecurity Gap - Why Compliance Isn't Enough
Mind the Cybersecurity Gap - Why Compliance Isn't EnoughMind the Cybersecurity Gap - Why Compliance Isn't Enough
Mind the Cybersecurity Gap - Why Compliance Isn't EnoughTripwire
 
Data Privacy Day 2022: Tips to Ensure Data Privacy
Data Privacy Day 2022: Tips to Ensure Data PrivacyData Privacy Day 2022: Tips to Ensure Data Privacy
Data Privacy Day 2022: Tips to Ensure Data PrivacyTripwire
 
Key Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The ExpertsKey Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The ExpertsTripwire
 
Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group: TIV Demo Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group: TIV Demo Tripwire
 
Tripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group Session w/Dale PetersonTripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group Session w/Dale PetersonTripwire
 
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through Tripwire
 
Tripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Customer Session with Chase ColeTripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Customer Session with Chase ColeTripwire
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire
 
World Book Day: Cybersecurity’s Quietest Celebration
World Book Day: Cybersecurity’s Quietest CelebrationWorld Book Day: Cybersecurity’s Quietest Celebration
World Book Day: Cybersecurity’s Quietest CelebrationTripwire
 
Tripwire Retail Security 2020 Survey: Key Findings
Tripwire Retail Security 2020 Survey: Key FindingsTripwire Retail Security 2020 Survey: Key Findings
Tripwire Retail Security 2020 Survey: Key FindingsTripwire
 
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
Key Findings: Tripwire COVID-19 Cybersecurity Impact ReportKey Findings: Tripwire COVID-19 Cybersecurity Impact Report
Key Findings: Tripwire COVID-19 Cybersecurity Impact ReportTripwire
 
The Adventures of Captain Tripwire: Coloring Book!
The Adventures of Captain Tripwire: Coloring Book!The Adventures of Captain Tripwire: Coloring Book!
The Adventures of Captain Tripwire: Coloring Book!Tripwire
 
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
Industrial Cybersecurity: Practical Tips for IT & OT CollaborationIndustrial Cybersecurity: Practical Tips for IT & OT Collaboration
Industrial Cybersecurity: Practical Tips for IT & OT CollaborationTripwire
 
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...Tripwire
 
Tripwire 2019 Skills Gap Survey: Key Findings
Tripwire 2019 Skills Gap Survey: Key FindingsTripwire 2019 Skills Gap Survey: Key Findings
Tripwire 2019 Skills Gap Survey: Key FindingsTripwire
 
A Look Back at 2018: The Most Memorable Cyber Moments
A Look Back at 2018: The Most Memorable Cyber MomentsA Look Back at 2018: The Most Memorable Cyber Moments
A Look Back at 2018: The Most Memorable Cyber MomentsTripwire
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTripwire
 
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire State of Cyber Hygiene 2018 Report: Key FindingsTripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire State of Cyber Hygiene 2018 Report: Key FindingsTripwire
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkTripwire
 
Defending Critical Infrastructure Against Cyber Attacks
Defending Critical Infrastructure Against Cyber AttacksDefending Critical Infrastructure Against Cyber Attacks
Defending Critical Infrastructure Against Cyber AttacksTripwire
 

Mais de Tripwire (20)

Mind the Cybersecurity Gap - Why Compliance Isn't Enough
Mind the Cybersecurity Gap - Why Compliance Isn't EnoughMind the Cybersecurity Gap - Why Compliance Isn't Enough
Mind the Cybersecurity Gap - Why Compliance Isn't Enough
 
Data Privacy Day 2022: Tips to Ensure Data Privacy
Data Privacy Day 2022: Tips to Ensure Data PrivacyData Privacy Day 2022: Tips to Ensure Data Privacy
Data Privacy Day 2022: Tips to Ensure Data Privacy
 
Key Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The ExpertsKey Challenges Facing IT/OT: Hear From The Experts
Key Challenges Facing IT/OT: Hear From The Experts
 
Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group: TIV Demo Tripwire Energy Working Group: TIV Demo
Tripwire Energy Working Group: TIV Demo
 
Tripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group Session w/Dale PetersonTripwire Energy Working Group Session w/Dale Peterson
Tripwire Energy Working Group Session w/Dale Peterson
 
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
Tripwire Energy Working Group: CIP Solutions and Baseline Walk-Through
 
Tripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Customer Session with Chase ColeTripwire Energy Working Group: Customer Session with Chase Cole
Tripwire Energy Working Group: Customer Session with Chase Cole
 
Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire Energy Working Group: Keynote w/Patrick Miller
Tripwire Energy Working Group: Keynote w/Patrick Miller
 
World Book Day: Cybersecurity’s Quietest Celebration
World Book Day: Cybersecurity’s Quietest CelebrationWorld Book Day: Cybersecurity’s Quietest Celebration
World Book Day: Cybersecurity’s Quietest Celebration
 
Tripwire Retail Security 2020 Survey: Key Findings
Tripwire Retail Security 2020 Survey: Key FindingsTripwire Retail Security 2020 Survey: Key Findings
Tripwire Retail Security 2020 Survey: Key Findings
 
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
Key Findings: Tripwire COVID-19 Cybersecurity Impact ReportKey Findings: Tripwire COVID-19 Cybersecurity Impact Report
Key Findings: Tripwire COVID-19 Cybersecurity Impact Report
 
The Adventures of Captain Tripwire: Coloring Book!
The Adventures of Captain Tripwire: Coloring Book!The Adventures of Captain Tripwire: Coloring Book!
The Adventures of Captain Tripwire: Coloring Book!
 
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
Industrial Cybersecurity: Practical Tips for IT & OT CollaborationIndustrial Cybersecurity: Practical Tips for IT & OT Collaboration
Industrial Cybersecurity: Practical Tips for IT & OT Collaboration
 
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
The Adventures of Captain Tripwire #1: Captain Tripwire Faces the Indefensibl...
 
Tripwire 2019 Skills Gap Survey: Key Findings
Tripwire 2019 Skills Gap Survey: Key FindingsTripwire 2019 Skills Gap Survey: Key Findings
Tripwire 2019 Skills Gap Survey: Key Findings
 
A Look Back at 2018: The Most Memorable Cyber Moments
A Look Back at 2018: The Most Memorable Cyber MomentsA Look Back at 2018: The Most Memorable Cyber Moments
A Look Back at 2018: The Most Memorable Cyber Moments
 
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass AuditsTime for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
Time for Your Compliance Check-Up: How Mercy Health Uses Tripwire to Pass Audits
 
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire State of Cyber Hygiene 2018 Report: Key FindingsTripwire State of Cyber Hygiene 2018 Report: Key Findings
Tripwire State of Cyber Hygiene 2018 Report: Key Findings
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK Framework
 
Defending Critical Infrastructure Against Cyber Attacks
Defending Critical Infrastructure Against Cyber AttacksDefending Critical Infrastructure Against Cyber Attacks
Defending Critical Infrastructure Against Cyber Attacks
 

Último

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

5 Challenges to Continuous PCI DSS Compliance

Introduction

For a standard that has only formally existed for about five years, the Payment Card Industry Data Security Standard (PCI DSS, or PCI) is making astonishingly rapid progress. In the United States, depending on whose statistics you read, anywhere from 50–80 percent of large retail companies are validated as compliant; even second-tier organizations are roughly estimated to be around the 50 percent mark in terms of adoption. PCI is making headway in Europe as well, although adoption is not uniform across the continent, with the United Kingdom exhibiting the highest levels of PCI compliance and awareness.

In fact, PCI has attained such wide adoption that many consider it a de facto standard of due care in the retail industry. Although a private industry standard rather than a legal one, many organizations treat PCI as a regulatory requirement—an approach that frequently creates an unnecessary burden on IT. Based on well-established security best practices, such as ISO 17799 (since renumbered ISO/IEC 27002), PCI is not a compliance program, but rather a technical best-practices standard for the protection of sensitive data, not just credit card data.

This white paper will examine five major challenges organizations face when navigating the PCI compliance landscape—issues pertaining to the entire PCI compliance lifecycle, including pre- and post-compliance challenges, with a focus on clarifying certain common but crucial misunderstandings of the PCI compliance process.

CHALLENGE #1: LACK OF ORGANIZATIONAL UNDERSTANDING AND COMMITMENT

The lack of clarity regarding the term “PCI compliance” is one fundamental challenge. In fact, the term can mean one of several things, depending on the context in which it is used:

1. Satisfying the requirements listed in the PCI DSS technical standard itself. This is the most accurate—but ironically the least utilized—definition.

2. Undergoing a successful external examination or assessment by a third party, called a Qualified Security Assessor (QSA), that has been certified by the PCI Security Standards Council, the body created specifically to maintain the technical standard. This is a typical use of the term when discussing PCI with retail executives, although it is probably the least accurate.

3. Satisfying the registration requirements of each of the major card brands—chiefly VISA, MasterCard and AMEX—by submitting various forms or other necessary information according to each association’s rules. This use of the term is the most common, even though the related process has little to do with the actual PCI DSS.

Unfortunately, inconsistent use of “PCI compliance” often leads to significant confusion and frustration. For example, an organization may satisfy all PCI controls yet not be registered with a card association. As a result, that card association does not consider the organization to be in compliance—even when another association has accepted and validated the registration. When discussing PCI compliance with IT, an internal auditor, an assessor, an acquiring bank, or an association, you must keep in mind the context for the discussion.

The following example demonstrates why context is important. Third-party service providers often serve retailers but have no direct relationship with any of the card brands. The service provider does not accept credit card payments itself, yet it does transmit or store its retail clients’ credit card data. In this familiar circumstance, the service provider organization, which may well satisfy all the PCI DSS controls, cannot directly register with the associations. Such an organization is certainly PCI compliant, but it is not Cardholder Information Security Program (CISP), Site Data Protection Program (SDP) or Data Security Operating Policy (DSOP) compliant. Unfortunately, most potential retail clients cannot make this distinction, and therefore consider the service provider organization non-PCI compliant—an unfortunate assumption that may lead to significant loss of potential revenue for the service provider.

Worse yet, the service provider in the above scenario cannot resolve the issue without working with one of its merchant clients’ acquiring banks to sponsor the service provider’s registration. However, the service provider and the acquiring bank or card association have no business relationship, so the bank will not want to accept the related liability. Ironically, the retail client in question will also be considered out of compliance due to PCI requirement 12.8.
This requirement states that if the merchant shares cardholder data with a service provider, it must implement and maintain policies and procedures to manage that service provider, which includes ensuring the service provider is PCI compliant. Until this process is complete, the merchant is subject to potential fines and censures—a curious chicken-and-egg scenario that could be challenging, especially for smaller third-party service providers that are attempting to gain market share.

MasterCard has in some cases tacitly worked around this issue in the past couple of years by accepting direct registrations through submissions from certain QSAs. In contrast, VISA has insisted on the formal process, resulting in cases where MasterCard’s list of compliant service providers includes organizations not on VISA’s list. Fortunately, both associations have recently begun pushing large acquiring banks to handle these registrations when they learn of these service providers. Hopefully this added pressure will alleviate the issue.

CHALLENGE #2: PCI AS AN AUDIT PROCESS

A separate issue facing organizations subject to PCI compliance results from the tendency to treat PCI compliance as an audit process. Although a PCI assessment resembles a regulatory audit to some degree, organizations should not treat it as such for several reasons:

• First, because PCI is not a law, but rather a private industry standard, the level of risk associated with PCI compliance differs from meeting, for example, a financial reporting rule in a regulation.

• Second, PCI assessments function more as a “spot-check” than an actual full-blown record examination, with no account taken of a system of record and no distinction between key and other controls. In fact, PCI is entirely binary in two senses: all controls have equal weight, and they must all be satisfied in order to be compliant. While compensating controls can be listed and approved, there is no “percentage compliance” threshold that can be crossed; you’re either compliant, or you are not. In one early case, an internal auditor at one association rejected a large organization’s entire submission when the auditor noticed that the organization’s data destruction policy only stated that old hard copy with cardholder data would be “shredded” rather than “cross-shredded.” Hopefully such cases no longer occur, but the example does demonstrate the impact of equal weighting and binary compliance.

• Third, assessors do not have a rigid auditing standard they must follow and by which they are judged; each can approach the evaluation process differently, as long as they satisfy the specific technical test criteria defined within the standard. This lack of uniform evaluation likely contributes significantly to the common belief that any two PCI QSAs will reach different conclusions when assessing the same organization. In an attempt to remedy this issue, a detailed “scoring chart” that a QSA must follow when assessing compliance was recently released. Unfortunately, the chart does little to solve the underlying issue, as it merely specifies the minimum evidence to be checked rather than requiring a comprehensive audit or a centralized system of record. Often, merchants “put their best foot forward,” providing a QSA with the systems and evidence they would like examined rather than the QSA assessing a true random sample. With no legal foundation behind the assessment and significant pressure on competing QSAs to drive down costs, this approach frequently works—especially because it makes the QSA’s work easier and eliminates any liability the QSA might otherwise carry.

• Last, because QSAs usually work as consultants rather than independent auditors, they often want to assess organizations while also helping them become compliant. This situation creates a powerful, inherent conflict of interest and likely affects assessment results. Worse, from the client’s perspective, assessors end up with too much power; they can end up running the show and decreeing sets of their preferred solutions that would “guarantee compliance,” hinting that the merchant had better do what they say—or fail.

These issues distract from the simple fact that PCI is an extremely well-developed standard for protecting sensitive data, although it’s important to note that the standard assumes that a data classification effort has taken place and
that “cardholder data” has been defined as “sensitive.” As such, PCI provides organizations a foundation for developing an enterprise data security strategy, and one that is much easier to initially adopt than a major framework such as COBIT, a standard such as ISO 17799, or a regulation such as the Data Protection Act (DPA).

Many organizations now possess electronic data assets well beyond private consumer information. With this tremendous volume of data assets, treating PCI as a blueprint for protecting those assets makes perfect sense, as it allows the organization to capitalize on PCI-related investments elsewhere. For example, an organization could extend most PCI controls to its systems that are out of scope for PCI. By doing so, the organization standardizes its security efforts and reduces the overall cost of protecting additional systems. In other words, if you have to do something anyway, and it’s beneficial, why not extend those benefits everywhere? In one instance, a large fashion retailer reduced the number of key controls to implement for SOX by over 70 percent by extending PCI controls to its financial system.

In some cases PCI compliance can even drive bottom-line benefits. Returning to the third-party service provider example above, merchants might be more willing to sign on the dotted line with a service provider that had voluntarily complied with PCI and had undergone a formal assessment from a well-recognized QSA, even when the card brands do not force the merchant to require it. For the service provider, this ability to execute faster and reduce the sales cycle is a tremendous benefit. It is easy to conceive of many such scenarios; for example, a hosting provider with a segregated PCI compliant environment within its data center. For one outsourced e-commerce service provider, the ability to offer a “PCI certified” environment translated to a significant reduction in the sales cycle.

CHALLENGE #3: SCOPING COMPLIANCE TOO BROADLY

Not surprisingly, an organization can get overzealous about PCI. Put an internal auditor on the task of becoming compliant and you will quickly be inundated with forms, tests, checks, requests for evidence, and spreadsheets with tiny print listing missing controls—a far greater scope for PCI than even the writers of the standard intended. This is a natural result of such improper delegation; as discussed earlier, PCI assessments are anything but a formal, uniform audit process. Also, many compliance officers are former auditors, hired on the thinking that to best address compliance one should put an auditor in charge.

Instead, one should approach PCI compliance with two intertwined goals in mind: reduction of risk and reduction of scope. When discussing reduction of scope, it’s natural to take the word “scope” as referring to the compliance effort. For PCI, scope refers instead to where “sensitive data” resides. In relation to risk, the less sensitive data an organization maintains, the lower the organization’s risk associated with that data.

This principle applies, of course, to all kinds of sensitive data. Corporations generally focus on the sensitivity of corporate records such as financial results or legal agreements, and understand that protecting those records effectively begins with limiting their distribution. Corporate managers instinctively understand the concept of data classification when it comes to these kinds of records; some data is really sensitive and we want to keep it safe. They understand that keeping data safe involves ensuring it isn’t left carelessly on someone’s desk, emailed to large distribution lists, or copied over to file systems that everyone in the company can access. For these individuals, this important understanding of sensitive data already exists; to drive home the concept of reduction of scope they only need to apply that same mindset to PCI “cardholder data.”

In most retail organizations that attempt to comply with PCI, cardholder data initially seems to be everywhere. It’s on the point-of-sale and merchandising systems, financial reporting systems, accounting Excel spreadsheets, loss prevention systems and investigation records, files with paper records, receipts, emails, laptops… the list is endless. Sadly, the question these organizations usually ask first is “How do we comply with PCI for all this?” Instead, they should be asking “Where can we eliminate the use of such data?”

By eliminating credit card account numbers from every storage mechanism where these numbers should not reside, the organization gains several major benefits. The first is a dramatic reduction in compliance scope and associated liability and risk. Ideally, actual card numbers should reside only in one central system, such as the merchandising
system (consider it the “PCI system of record”). All other functions, including sales audit, loss prevention, and so on, that may require the occasional card number can be served largely by alternative mechanisms, such as using cryptographic hashes instead of actual account numbers for transaction searches. One caveat: the hash must be keyed, for example an HMAC with a key held by the system of record. The set of valid card numbers is small and structured, so an unkeyed digest of a PAN can be recovered by enumeration, especially if the digest is stored next to a truncated form of the same number. Furthermore, the benefits of going through the scope reduction exercise can be even greater if the principle is then carried over to other forms of sensitive data. Ultimately this exercise in reducing scope can make the entire company much better at handling its electronic data assets of all kinds. In one case, proper scoping resulted in a revised budget of $400K instead of over $2M, and a reduction of three-fourths in the time needed to attain compliance.

CHALLENGE #4: THE FALLACY OF POINT-IN-TIME COMPLIANCE

Another self-defeating but prevalent approach is that of “least-effort compliance.” An organization that views PCI compliance as simply something it must do, without understanding how it otherwise contributes to the business, will naturally do the minimum necessary to attain compliance.

This approach poses a number of significant risks. Because a PCI assessment is very limited in nature, it is easy to present an assessor with targeted evidence to ensure compliance. Often, and especially in cases where the assessor also serves as the consultant on how to pass the assessment, it is extremely hard to avoid a form of collusion between the client and the assessor that results in a tendency to ignore, make exceptions for, or explain away non-compliant elements.

The reliance of PCI compliance on an annual, point-in-time assessment also contributes to the “illusion of compliance” problem. PCI compliance, except in certain narrow areas such as quarterly scanning, looks at the here-and-now. Unlike a full audit, there is no actual requirement to prove that all controls have been in place for an entire year, but rather that they are in place when sampled during the assessment. Even failed quarterly scans can generally be explained away if the most recent scan before an assessment shows a passing result. Another issue is that an organization often falls out of compliance in areas that had already been sampled and passed while other areas are in the process of being assessed. This situation results in the curious conundrum of the organization becoming non-compliant at the time of being validated by the assessor.

Many organizations thus end up subscribing to the view that the assessment is something they need to pass annually. Over time, these organizations become highly trained in producing the correct set of evidence to get validated for compliance, regardless of their actual PCI compliance posture.

CHALLENGE #5: FAILURE TO AUTOMATE

All of these issues are non-material until a breach occurs. That, however, is when the entire game changes. Following a breach, the card association will send its own assessor, usually paid for by the merchant, but this time with the unspoken goal of disproving compliance at the time of the breach. And for the first time the assessor will assume the role of auditor, not only checking for compliance based on a current sample of evidence, but examining it over the entire period leading up to and following the breach. It is easy to imagine that they will find numerous controls that may not have been in compliance at one point or another, or simply find no supporting evidence at all. Since PCI compliance is binary, the conclusion would be that the organization had not been compliant at the time of the breach, regardless of whether its compliance had been validated by an external assessor beforehand. This conclusion opens the door to a number of liabilities, including fines and other sanctions, depending on how far the association feels it can go with the particular entity in question.

An excellent way to avoid much of this problem is the use of automated evidence collection tools. Not only do such tools normally have significant operational benefits—including early detection of breaches, a major factor in limiting risk—but they can prove that the organization had continuous compliance, rather than the point-in-time compliance that assessments show. The organization’s bargaining position when dealing with the association is therefore greatly improved, and avoiding a half-million-dollar fine is enough to easily
justify the cost of several such tools, though breaches often lead to more than a single fine.

Since PCI is very detailed in terms of required technical and operational controls, it is virtually impossible to remain compliant without such tools. But most of these tools also bring side benefits, such as catching unauthorized changes, detecting reliability and performance issues, or simply indicating suboptimal configurations in operational systems.

Note that compliance in and of itself can’t stop a breach from happening, although having security controls in place will certainly reduce the breach-to-detection gap from weeks and months to minutes and hours. That is powerful. Unfortunately, the old security adage that “the only safe system in a network is one that is not connected” still holds true. However, PCI compliance, because it is essentially a set of security best practices, can contribute significantly to the organization’s overall security posture.

What you should do

From the discussion to this point, you can draw several useful conclusions and begin to form a compliance plan of action:

1. PCI as a best practice. Where they make sense, plan to expand relevant PCI controls to other areas of the organization; this will help with other compliance programs.

2. Scoping before compliance. Identify all cardholder data flows and storage systems before looking at the PCI DSS, and then eliminate as many of them as possible.

3. Controlling the compliance process. Avoid hiring your auditor to assess and consult on how to pass their audit. Instead, rely on proven PCI expertise to help you work through the compliance process. Similarly, try to avoid putting an auditor in charge of PCI compliance, unless they have significant and specific PCI expertise.

4. PCI is ongoing. Do not fall into the “annual checkpoint” mindset, but treat PCI compliance as a continuous process.

5. Automation and centralization. Plan to invest in both automation and centralization, with an eye towards collection and review of evidence. This investment will provide the best coverage following a breach, but will also provide significant operational benefits.

How Tripwire Helps

Tripwire IT security and compliance automation solutions go beyond directly addressing requirements like PCI Requirements 10.5 and 11.5. In fact, assessors recognize that when the Tripwire VIA™ suite is in use, they can assume that the organization being audited has already satisfied specific PCI assessment criteria. In addition, Tripwire solutions automate mission-critical operational and analysis tasks around system changes, while providing strong proof of compliance for auditors and legal discovery.

To date, Tripwire has helped over 7,000 organizations worldwide meet compliance requirements and secure their IT infrastructure with industry-leading IT security and compliance automation solutions. These solutions include Tripwire Enterprise for configuration control and Tripwire Log Center for log and event management. Tripwire Enterprise delivers proven file integrity monitoring, compliance policy management, real-time intelligent assessment of change with Change IQ capabilities, and one-touch access to remediation guidance to meet the PCI DSS configuration and change process controls. Tripwire Log Center, an all-in-one log and event management solution, meets the log management requirements of the PCI DSS and, through its built-in integration with Tripwire Enterprise, further enhances security with security event data on changes flagged for review by Tripwire Enterprise.

Together, Tripwire Enterprise and Tripwire Log Center provide a broad solution for ensuring PCI DSS compliance and reducing an organization’s security risk.
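The scope-reduction advice under Challenge #3 and item 2 of the plan above (find every place card numbers live, eliminate them, and let other functions search by a keyed hash rather than the number itself) can be exercised with a small scanner. What follows is an added example written for this edit; it is not Tripwire's code and does not come from the white paper. It assumes constructed sample records (SAMPLE_RECORDS) built from publicly known test card numbers, a placeholder key (DEMO_KEY) that in practice would live in the system of record's key management, and helper names that are my own. It goes one step beyond the text by showing why the hash must be keyed: with the first six and last four digits stored next to a bare digest, the remaining digits fall to enumeration.

```python
import hashlib
import hmac
import re
from itertools import product

# Constructed sample records: a POS log line, a CSV refund row and a help-desk
# note. The card numbers are the well-known public test numbers, not real PANs;
# 1234567890123456 is an order id that looks like a PAN but fails the Luhn check.
SAMPLE_RECORDS = [
    "2010-03-12 14:02:11 POS-07 sale approved card=4111 1111 1111 1111 amt=42.10",
    "refund_request,order=1234567890123456,card=5555-5555-5555-4444",
    "ticket #88213: customer says charge on 4111111111111111 was duplicated",
]

# Placeholder key for the demo only (assumption); a real deployment keeps the
# key in the PCI system of record's key management, never beside the search index.
DEMO_KEY = b"example-only-not-a-real-key"

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum; a valid PAN has luhn_sum(pan) % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_ok(digits: str) -> bool:
    return digits.isdigit() and luhn_sum(digits) % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs found in a piece of text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def search_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup key in out-of-scope systems."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def unkeyed_digest(pan: str) -> str:
    """The weak alternative: a bare SHA-256 of the PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()


def scan_records(records: list, key: bytes = DEMO_KEY) -> list:
    """Report every PAN found, masked, with the token that should replace it."""
    report = []
    for idx, rec in enumerate(records):
        for pan in find_pans(rec):
            report.append({"record": idx, "masked": mask_pan(pan),
                           "token": search_token(pan, key)})
    return report


def recover_from_unkeyed_hash(first6: str, last4: str, digest: str, length: int = 16):
    """Why the token must be keyed: given the truncated form (first6/last4) stored
    next to a bare hash, the middle digits are found by enumeration. The Luhn
    check fixes the digit just before last4, so only length-11 digits are free
    (10**5 candidates for a 16-digit PAN)."""
    free = length - 10 - 1
    for mid in product("0123456789", repeat=free):
        stem = first6 + "".join(mid)
        check = (-luhn_sum(stem + "0" + last4)) % 10   # that position is never doubled
        cand = stem + str(check) + last4
        if unkeyed_digest(cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(hit)
    leaked = unkeyed_digest("4111111111111111")
    print("recovered from bare hash:", recover_from_unkeyed_hash("411111", "1111", leaked))
```

Run it over exported logs, spreadsheets saved as CSV and mail archives to build the inventory that item 2 of the plan asks for; a Luhn check alone still lets roughly one random digit string in ten through, so findings need a human look before a system is declared in scope. Tokens keyed with a key that exists only in the system of record let sales audit or loss prevention search by token without holding PANs, whereas the last function shows a bare digest stored beside a truncated PAN being reversed in a fraction of a second.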
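Item 5 of the plan (automation and centralization of evidence) and the references above to PCI DSS Requirements 10.5 (secure audit trails so they cannot be altered) and 11.5 (file-integrity monitoring) describe what a file-integrity monitor with a tamper-evident evidence trail does. The following is an added example written for this edit; it is not Tripwire Enterprise or Tripwire Log Center code and is not from the white paper. It assumes a constructed directory tree built in a temporary folder, and it hash-chains each evidence record to its predecessor so a later reviewer can tell whether the record was altered. All class and function names are my own.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64   # chain anchor for the first evidence record


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Added, removed and modified files between two snapshots."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append({"path": rel, "change": kind, "old": old, "new": new})
    return changes


def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceLog:
    """Append-only evidence records, each hashed together with its predecessor.
    Editing or dropping any earlier record breaks every hash after it."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def append(self, event: dict, when: str = None) -> dict:
        when = when or datetime.now(timezone.utc).isoformat()
        body = {"ts": when, "prev": self._prev, **event}
        body["hash"] = _entry_hash(body)
        self.entries.append(body)
        self._prev = body["hash"]
        return body

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body.get("prev") != prev or _entry_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo_run():
    """Constructed scenario: baseline a small /etc-like tree, then make one
    unauthorised edit, drop in one file and delete one, and record the result."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "app.conf").write_text("log_level=info\n")
        baseline = snapshot(root)

        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d" / "extra").write_text("# unreviewed job\n")
        (root / "etc" / "app.conf").unlink()

        changes = diff_snapshots(baseline, snapshot(root))
        log = EvidenceLog()
        log.append({"event": "baseline", "files": len(baseline)})
        for c in changes:
            log.append({"event": "fim", **c})
        return changes, log


if __name__ == "__main__":
    changes, log = demo_run()
    for entry in log.entries:
        print(json.dumps(entry, sort_keys=True))
    print("chain intact:", log.verify())
```

The chain only proves integrity relative to its latest hash, so that hash (or the whole log) has to leave the monitored host promptly for a central server the host cannot write to, which is the intent behind Requirement 10.5; the timestamps are likewise only as trustworthy as the clock that produced them (Requirement 10.4). Run on a schedule of minutes rather than once a year, the resulting records are evidence of continuous compliance rather than of the assessment day, which is the position Challenge #5 says you want to be in after a breach.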
ABOUT TRIPWIRE

Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through Visibility, Intelligence and Automation. Learn more at www.tripwire.com and TripwireInc on Twitter.

©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPFPC1b