PCI DSS Compliance with Tripwire

WHITEpaper
Payment Card Industry
Data Security Standard
Compliance with Tripwire
page 2 Introduction
page 4 Meeting Requirements with Tripwire Enterprise
page 4 Group 1: Build and Maintain a Secure Network
page 7 Group 2: Protect Cardholder Data
page 8 Group 3: Maintain a Vulnerability Management Program
page 9 Group 4: Implement Strong Access Control Measures
page 10 Group 5: Regularly Monitor and Test Networks
page 12 Group 6: Maintain an Information Security Policy
page 12 Choosing a Proven Solution From a Company with Experience
©2007 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.WHITE?PAPERPCI DSS Compliance with Tripwire
IntroductionA major advertising campaign by Visa states that the card is accepted "everywhere you want to be." Unfortunately, and through no fault of Visa, a great deal of credit card data and other sensitive information ends up in the wrong hands. News reports of high-profile credit card or credit card data loss and compro-mise are frequent, prompting calls in the press and from the government for additional data protection regulation.
As a result of these incidents, the pressure to comply with the Payment Card Industry Data Security Standard (PCI DSS) has increased significantly. Compliance is no longer an option; it's a requirement and failure to meet PCI DSS requirements can result in monetary penalties or even the suspension or revocation of a com-pany's right to accept or process credit card transactions. Fortunately, these standards amount to best practices that keep your systems, hardware, and data secure-critical for customer trust and your reputation.
Tripwire has been helping companies manage and monitor their technology systems for years, protecting hard-ware, networks, databases, and data from internal and external attacks and unintentional or unforeseen impacts of system change or human error. Helping you meet PCI DSS requirements is a natural extension of what we've been doing all along. In fact, Tripwire® Enterprise meets many of the more complex PCI DSS requirements right out of the box. With Tripwire Enterprise, you continuously collect information to generate needed reports and evidence of PCI DSS compliance, making your audit a quick task instead of a lengthy project.
Benefits Well Beyond ComplianceAlthough your current focus may be on passing your PCI DSS audit, Tripwire Enterprise helps you implement security best practices, protecting your network and devices through file integrity monitoring, firewall/router security compliance monitoring, and IT configuration control. You specify what to monitor, and Tripwire Enterprise alerts designated personnel when items such as key configuration items have been modified or other critical system changes occur. The result is a deliberate and controlled approach to maintaining system and application security, greater system uptime, and confidence that customer data is secure. Because Tripwire Enterprise maintains a record of all integrity checks and detected violations for use in audits, investigations, and historical reference, you have the information you need to help validate compliance-all of which trans-lates to less IT resources spent on audits, and more time devoted to strategic and innovative efforts.
Increasing Pressure to ComplyThe major credit card companies collaboratively developed the PCI DSS to protect sensitive cardholder account data from theft and fraud. Stakeholders and collaborators in this effort include American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Recently, efforts to encour-age compliance have stepped up, with Visa offering financial incentives to acquiring banks whose merchants all meet compliance by the end of August 2007. However, if positive incentives fail to achieve compliance, Visa intends to levy monthly fines of $25,000 for each merchant out of compliance beyond December 31, 2007. Chances are those fines will be passed along to the merchant. If the merchant does not achieve com-pliance within a reasonable time frame, eventually the acquiring bank will likely cease to offer credit card support to the merchant.
Page 2WHITE?PAPERPCI DSS Compliance ... [download for more]