
PCI Compliance: Are You Onboard?

By: Tripwire
Published: Jan 26, 2007
Length: 5
Type: White Paper
Overview:

Recently, several high-profile cases of credit card data loss or compromise have made headlines. The Privacy Rights Clearinghouse claims that three dozen major identity theft cases have occurred to date this year, resulting in the theft of information on 10 million Americans. Long before these incidents, VISA created a private standard known as CISP, or the Cardholder Information Security Program.

More recently, VISA and American Express, Diners Club, Discover Card, JCB and MasterCard collaborated to create a new set of standards known as the PCI (Payment Card Industry) Data Security Standard. All Merchants and Service Providers that handle, transmit, store or process information concerning any of these cards are required to be compliant with PCI as of June 30, 2005. This paper covers the basic requirements of PCI, with a focus on the administrative and technical elements of the program. It also reviews the validation requirements of the standard and the potential sanctions for failure to comply.


In 2005, high-profile credit card and credit data loss and compromise became so commonplace that the Washington Post dubbed it "the year of the data breach." Long before that rash of events, however, Visa had developed the first major commercial standard for protection of cardholder data. Created in 2001, Visa's Cardholder Information Security Program (CISP, also known as AIS (Account Information Security) internationally) defined a standard for securing Visa cardholder data for U.S. customers, wherever that data was located.


In 2004, Visa and MasterCard collaborated to develop common security requirements. Based on CISP, the result was the Payment Card Industry Data Security Standard (PCI DSS). All Merchants and Service Providers (including international Visa members) that handle, transmit, store or process information concerning either of these cards, or related card data, were required to be compliant as of June 30, 2005. In September 2006, the PCI Security Standards Council released PCI Data Security Standard v1.1.


PCI establishes stringent standards on how merchants process, store or transmit cardholder data. These standards are a set of comprehensive security requirements that combine technology, policies, education, and awareness as well as industry best practices into an integrated framework.


Adding to the compliance burden is the presence of "double jeopardy." Members are not only responsible for their own PCI DSS compliance, but also the compliance status of their Merchants and Service Providers across all payment channels, including in-store, mail/telephone-order, and e-commerce.


PCI is a technical standard (not a regulation) that offers strong recommendations conforming to long-established security best practices. Complying with PCI makes good business sense in that it can result in a more reliable, streamlined IT infrastructure, improve service delivery, increase availability, and reduce risk, leading to improved customer confidence and loyalty, simplified auditing, and more effective cost controls.


The PCI requirements help Members, Merchants, and Service Providers protect their information assets and meet the obligations to the credit card companies' payment structure. The requirements include making certain that firewalls, routers, database servers and other critical systems assets adhere to the PCI DSS.


Tripwire software can help organizations comply with these requirements (specifically in the areas of file integrity monitoring, firewall/router security compliance monitoring, and change control) by monitoring critical files and alerting appropriate personnel of any unauthorized changes. Section 10.5.5 requires "file integrity monitoring/change detection software on logs to ensure that existing log data cannot be changed without generating alerts." Tripwire can also maintain a record of all integrity checks and detected violations for audits, investigations, and historical reference, and can play a crucial role in effective disaster recovery, another PCI component.
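One way to implement the append-only log check that Section 10.5.5 describes, as an added example that is not Tripwire's code or part of the original paper; the log files, entries and paths are constructed for the demonstration:

```python
import hashlib
import os
import tempfile

# Added example, not Tripwire's code. Baseline = per-file byte length plus
# SHA-256 of the content at baseline time. A later check passes only if the
# file is at least as long as before AND its first baseline-length bytes still
# hash to the baseline digest, so appends pass while truncation or in-place
# edits of existing log data raise an alert (the PCI DSS 10.5.5 property).

def _digest_prefix(path, length):
    """SHA-256 of the first `length` bytes of the file (the baseline region)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()

def build_baseline(paths):
    """Record size and full-content digest for each monitored log file."""
    baseline = {}
    for p in paths:
        size = os.path.getsize(p)
        baseline[p] = {"size": size, "sha256": _digest_prefix(p, size)}
    return baseline

def check_logs(baseline):
    """Return (path, reason) alerts; an empty list means all logs are intact."""
    alerts = []
    for p, rec in baseline.items():
        if not os.path.exists(p):
            alerts.append((p, "missing"))
        elif os.path.getsize(p) < rec["size"]:
            alerts.append((p, "truncated"))
        elif _digest_prefix(p, rec["size"]) != rec["sha256"]:
            alerts.append((p, "existing data modified"))
    return alerts

def demo():
    # Constructed scenario: one log legitimately appended, one edited in place.
    d = tempfile.mkdtemp()
    auth, access = os.path.join(d, "auth.log"), os.path.join(d, "access.log")
    with open(auth, "w") as f:
        f.write("Jan 26 10:00:01 host sshd: Accepted publickey for alice\n")
    with open(access, "w") as f:
        f.write("10.0.0.5 - - [26/Jan/2007] GET /admin 403\n")
    baseline = build_baseline([auth, access])
    with open(auth, "a") as f:    # normal logging: a new record is appended
        f.write("Jan 26 10:05:12 host sshd: Accepted publickey for bob\n")
    with open(access, "w") as f:  # existing record altered in place, same length
        f.write("10.0.0.5 - - [26/Jan/2007] GET /admin 200\n")
    return check_logs(baseline)
```

Because the check only covers the bytes present at baseline time, log rotation must re-baseline the new file; a rotated-away file will otherwise show as missing, which is itself worth an alert.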


Tripwire enables change control across the enterprise. With Tripwire software, changes are continually logged, and if security has been compromised, it enables rapid recovery to a known, good state. Tripwire has already helped a large number of credit card merchants and service providers deploy security and data integrity solutions that have enabled them to pass a PCI audit successfully and efficiently.


Easier Audits

Tripwire reporting capabilities give PCI auditors the information needed to complete the quarterly and annually required testing and reporting audits. Tripwire reports provide the proof required to verify compliance with internal change management policies and external regulations. Not only is this insurance against the financial impact of fines, but the time and resources needed to prepare for audits are also reduced.


Change Visibility

Even if the IT infrastructure is perfectly in compliance with PCI, one small change to a server or network device can have negative impacts if it is not properly detected and reported. Change can be accidental or intentional, benign or malicious, and can originate from inside or outside an organization. But without a way to know when change occurs, and whether it is desired or undesired, IT teams have few options for minimizing damage. By exposing unauthorized or unintended changes, Tripwire can provide the information necessary to validate internal processes and enable rollback to compliant status.


Continuous Validation

Server and network device configurations may be subject to positive, authorized changes (code upgrades, new capacities, new hardware versions), which can be just as disruptive as unauthorized changes if not properly implemented.
