A major advertising campaign by Visa states that the card is accepted "everywhere you want to be." Unfortunately, and through no fault of Visa, a great deal of credit card data and other sensitive information ends up in the wrong hands. News reports of high-profile loss or compromise of credit cards and credit card data are frequent, prompting calls in the press and from the government for additional data protection regulation.
As a result of these incidents, the pressure to comply with the Payment Card Industry Data Security Standard (PCI DSS) has increased significantly. Compliance is no longer an option; it's a requirement, and failure to meet PCI DSS requirements can result in monetary penalties or even the suspension or revocation of a company's right to accept or process credit card transactions. Fortunately, these standards amount to best practices that keep your systems, hardware, and data secure, which is critical for customer trust and your reputation.
Tripwire has been helping companies manage and monitor their technology systems for years, protecting hardware, networks, databases, and data from internal and external attacks and unintentional or unforeseen impacts of system change or human error. Helping you meet PCI DSS requirements is a natural extension of what we've been doing all along. In fact, Tripwire Enterprise meets many of the more complex PCI DSS requirements right out of the box. With Tripwire Enterprise, you continuously collect information to generate needed reports and evidence of PCI DSS compliance, making your audit a quick task instead of a lengthy project.
Benefits Well Beyond Compliance
Although your current focus may be on passing your PCI DSS audit, Tripwire Enterprise helps you implement security best practices, protecting your network and devices through file integrity monitoring, firewall/router security compliance monitoring, and IT configuration control. You specify what to monitor, and Tripwire Enterprise alerts designated personnel when items such as key configuration items have been modified or other critical system changes occur. The result is a deliberate and controlled approach to maintaining system and application security, greater system uptime, and confidence that customer data is secure. Because Tripwire Enterprise maintains a record of all integrity checks and detected violations for use in audits, investigations, and historical reference, you have the information you need to help validate compliance, all of which translates to fewer IT resources spent on audits and more time devoted to strategic and innovative efforts.
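The paragraph above describes the three pieces of a file integrity monitoring workflow: an approved baseline of what the monitored files should look like, a check that reports anything added, removed or modified, and a retained record of every check for auditors. The script below is an added illustration of that workflow in plain Python; it is not Tripwire code, and the directory layout, file names and file contents are constructed for the demo.

```python
"""Minimal file integrity monitor: baseline SHA-256 digests of monitored
files, detect drift from that baseline, and keep an audit record of every
check run. Added example, not Tripwire Enterprise code; the sample files
created in demo() are constructed for illustration only."""
import hashlib
import os
import shutil
import tempfile
import time


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Walk a monitored directory and record relative path -> digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def check_integrity(root, baseline):
    """Compare the directory's current state against the approved baseline.
    Returns one violation record per added, removed or modified file."""
    current = take_baseline(root)
    violations = []
    for rel, expected in baseline.items():
        observed = current.get(rel)
        if observed is None:
            violations.append({"path": rel, "change": "removed",
                               "expected": expected, "observed": None})
        elif observed != expected:
            violations.append({"path": rel, "change": "modified",
                               "expected": expected, "observed": observed})
    for rel, observed in current.items():
        if rel not in baseline:
            violations.append({"path": rel, "change": "added",
                               "expected": None, "observed": observed})
    return sorted(violations, key=lambda v: v["path"])


class IntegrityMonitor:
    """Holds the approved baseline plus an append-only history of checks,
    which is the evidence an auditor asks for: what was checked, when,
    and what was found."""

    def __init__(self, root):
        self.root = root
        self.baseline = take_baseline(root)
        self.history = []  # one record per check run, never edited

    def run_check(self):
        violations = check_integrity(self.root, self.baseline)
        self.history.append({"checked_at": time.time(),
                             "files_checked": len(self.baseline),
                             "violations": violations})
        return violations

    def approve_current_state(self):
        """After a reviewed, authorised change, make the new state the reference."""
        self.baseline = take_baseline(self.root)


def demo():
    """Constructed scenario: three config files are baselined, then one is
    edited, one is deleted and one unexpected file appears."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    sample = {"firewall.conf": b"default deny\n",
              "sshd_config": b"PermitRootLogin no\n",
              "hosts": b"127.0.0.1 localhost\n"}
    for name, body in sample.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    mon = IntegrityMonitor(root)
    mon.run_check()  # first check: clean, nothing has changed yet
    with open(os.path.join(root, "sshd_config"), "wb") as f:
        f.write(b"PermitRootLogin yes\n")        # unapproved configuration edit
    os.remove(os.path.join(root, "firewall.conf"))  # monitored file removed
    with open(os.path.join(root, "extra.conf"), "wb") as f:
        f.write(b"key=value\n")                  # file nobody approved
    violations = mon.run_check()
    shutil.rmtree(root)
    return violations, mon.history


if __name__ == "__main__":
    found, history = demo()
    for v in found:
        print(f"{v['change']:9} {v['path']}")
    print(f"{len(history)} checks recorded")
```

In practice the baseline and history would be signed and stored off the monitored host, since a record that the attacker can edit is not evidence; the in-memory lists here stand in for that store.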
Increasing Pressure to Comply
The major credit card companies collaboratively developed the PCI DSS to protect sensitive cardholder account data from theft and fraud. Stakeholders and collaborators in this effort include American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Recently, efforts to encourage compliance have stepped up, with Visa offering financial incentives to acquiring banks whose merchants all meet compliance by the end of August 2007. However, if positive incentives fail to achieve compliance, Visa intends to levy monthly fines of $25,000 for each merchant out of compliance beyond December 31, 2007. Chances are those fines will be passed along to the merchant. If the merchant does not achieve compliance within a reasonable time frame, eventually the acquiring bank will likely cease to offer credit card support to the merchant.
The Payment Card Industry Data Security Standard: Requirements that Just Make Sense
The PCI Data Security Council (www.pcisecuritystandards.org), a not-for-profit organization created to foster adoption of cardholder data security standards, developed the PCI DSS. The standard can be broken into six main groups, with one or more specific requirements in each group. These main groups, taken verbatim from the PCI Data Security Council's web site, require merchants, service providers, and acquiring banks to:
Group 1: Build and Maintain a Secure Network
Group 2: Protect Cardholder Data
Group 3: Maintain a Vulnerability Management Program
Group 4: Implement Strong Access Control Measures
Group 5: Regularly Monitor and Test Networks
Group 6: Maintain an Information Security Policy
If an acquiring bank, service provider, or merchant meets the standard, it not only satisfies the audit but also has a system that enhances the data security of its customers and reduces the amount of time spent fighting fires caused by poor network and data security practices. Complying with the PCI DSS just makes sense.