This paper covers the basic requirements of PCI, with a focus on the administrative and technical elements of the program. It also reviews the validation requirements of the standard and potential sanctions for failure to comply.
Solution Brief
PCI Compliance: Are You Onboard?
In 2005, high-profile credit card and credit data loss and compromise became so commonplace that the Washington Post dubbed it "the year of the data breach." Long before that rash of events, however, Visa had developed the first major commercial standard for protection of cardholder data.

Created in 2001, Visa's Cardholder Information Security Program (CISP, also known internationally as AIS, Account Information Security) defined a standard for securing Visa cardholder data for U.S. customers, wherever that data was located. In 2004, Visa and MasterCard collaborated to develop common security requirements. Based on CISP, the result was the Payment Card Industry Data Security Standard (PCI DSS). All Merchants and Service Providers (including international Visa members) that handle, transmit, store or process information concerning either of these cards, or related card data, were required to be compliant as of June 30, 2005. In September 2006, the PCI Security Standards Council released PCI Data Security Standard v1.1.

PCI establishes stringent standards on how merchants process, store or transmit cardholder data. These standards are a set of comprehensive security requirements that combine technology, policies, education, and awareness as well as industry best practices into an integrated framework.

Adding to the compliance burden is the presence of "double jeopardy." Members are not only responsible for their own PCI DSS compliance, but also for the compliance status of their Merchants and Service Providers across all payment channels, including in-store, mail/telephone-order, and e-commerce.

PCI is a technical standard (not a regulation) that offers strong recommendations conforming to long-established security best practices. Complying with PCI makes good business sense in that it can result in a more reliable, streamlined IT infrastructure, improve service delivery, increase availability, and reduce risk, leading to improved customer confidence and loyalty, simplified auditing, and more effective cost controls.
How Tripwire Helps Companies Achieve PCI Compliance

The PCI requirements help Members, Merchants, and Service Providers protect their information assets and meet their obligations to the credit card companies' payment structure. The requirements include making certain that firewalls, routers, database servers and other critical systems assets adhere to the PCI DSS.

Tripwire software can help organizations comply with these requirements (specifically in the area of file integrity monitoring, firewall/router security compliance monitoring, and change control) by monitoring critical files and alerting appropriate personnel of any unauthorized changes. Section 10.5.5 requires "file integrity monitoring/change detection software on logs to ensure that existing log data cannot be changed without generating a...

... regulations. Not only is this insurance against the financial impact of fines, but also the time and resources needed to prepare for audits is reduced.

Change Visibility

Even if the IT infrastructure is perfectly in compliance with PCI, one small change to a server or network device can result in negative impacts if it's not properly detected and reported. Change can be accidental, benign, malicious or intentional in nature, and originate from inside or outside an organization. But without a way to know when change occurs, and whether it is desired or undesired, IT teams have few options for minimizing damage. By exposing unauthorized or unintended changes, Tripwire can provide the information necessary to validate internal processes and enable rollback to compliant status.
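The requirement quoted above (existing log data must not be changeable without an alert) has an edge case that a naive "hash the whole file" check gets wrong: logs are supposed to grow, so a changed hash on a log file is not by itself an alert. The following is an added illustration, written for this page and not Tripwire's own code, of a baseline-and-compare check that separates legitimate appends from tampering. It records each file's size and the SHA-256 of its contents at baseline time, then re-hashes only the baselined prefix on each check: for files declared append-only, growth with an intact prefix is benign, while any change to the bytes that already existed, any shrinkage, or disappearance is an alert. All file names and log lines in `demo()` are constructed for the example; the verdict names and the `append_only` parameter are this example's own conventions.

```python
"""Minimal append-aware file-integrity check (illustrative example, not Tripwire code)."""
import hashlib
import os
import tempfile


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of `path`, i.e. the bytes that existed at baseline time."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as fh:
        while remaining > 0:
            chunk = fh.read(min(65536, remaining))
            if not chunk:
                break
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def take_baseline(paths):
    """Record size and content hash for every monitored file."""
    baseline = {}
    for path in paths:
        size = os.path.getsize(path)
        baseline[path] = {"size": size, "sha256": hash_prefix(path, size)}
    return baseline


def check_integrity(baseline, append_only=frozenset()):
    """Compare current state against the baseline and return {path: verdict}.

    Verdicts (names chosen for this example): 'unchanged'; 'appended' (file is in
    append_only, grew, and its baselined prefix is intact); 'modified' (baselined
    bytes differ, or a non-append-only file grew); 'truncated'; 'missing'.
    """
    verdicts = {}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            verdicts[path] = "missing"
            continue
        size = os.path.getsize(path)
        if size < rec["size"]:
            verdicts[path] = "truncated"
        elif hash_prefix(path, rec["size"]) != rec["sha256"]:
            verdicts[path] = "modified"          # existing data was rewritten
        elif size == rec["size"]:
            verdicts[path] = "unchanged"
        elif path in append_only:
            verdicts[path] = "appended"          # normal log growth, no alert
        else:
            verdicts[path] = "modified"          # growth is a change for non-log files
    return verdicts


def alerts(verdicts):
    """Paths whose verdict should page someone; appends to append-only files are excluded."""
    return sorted(p for p, v in verdicts.items() if v not in ("unchanged", "appended"))


def demo():
    """Constructed scenario: legitimate append, in-place rewrite of a log record,
    growth of a config file, and deletion. Returns verdicts keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        auth_log = os.path.join(tmp, "auth.log")
        audit_log = os.path.join(tmp, "audit.log")
        config = os.path.join(tmp, "httpd.conf")
        app_log = os.path.join(tmp, "app.log")
        # Constructed sample contents; not real log data.
        with open(auth_log, "w") as fh:
            fh.write("Jan 01 10:00:00 host sshd[1]: Accepted publickey for ops\n")
        with open(audit_log, "w") as fh:
            fh.write("Jan 01 10:00:00 host sudo: ops : COMMAND=/bin/cat /etc/shadow\n")
        with open(config, "w") as fh:
            fh.write("Listen 443\n")
        with open(app_log, "w") as fh:
            fh.write("start\n")

        baseline = take_baseline([auth_log, audit_log, config, app_log])

        # Legitimate growth of an append-only log: must not alert.
        with open(auth_log, "a") as fh:
            fh.write("Jan 01 10:05:00 host sshd[2]: Accepted publickey for dev\n")
        # Tampering: an existing record is rewritten in place (same length, so size alone
        # would not reveal it); the prefix hash does.
        with open(audit_log, "w") as fh:
            fh.write("Jan 01 10:00:00 host sudo: ops : COMMAND=/bin/cat /etc/passwd\n")
        # A config file is not append-only, so any growth is a change.
        with open(config, "a") as fh:
            fh.write("LoadModule proxy_module modules/mod_proxy.so\n")
        # A monitored log disappears.
        os.remove(app_log)

        verdicts = check_integrity(baseline, append_only={auth_log, audit_log})
        return {os.path.basename(p): v for p, v in verdicts.items()}


if __name__ == "__main__":
    result = demo()
    for name, verdict in sorted(result.items()):
        print(f"{name}: {verdict}")
    print("alerts:", alerts(result))
```

Two practical notes on the design: log rotation truncates or replaces files and will show up as `truncated` or `missing`, so a real deployment re-baselines after rotation rather than suppressing those verdicts; and the baseline itself must be stored somewhere the monitored host cannot silently rewrite (a separate system, or at least signed), otherwise an attacker who can edit the log can also edit the record of what the log looked like.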