Taking the Pain out of PCI Compliance
TRANSCRIPT
April 14, 2016
Aaron Warner, Systems Engineer Manager, CISSP
Agenda
1. Tripwire PCI Products and Where Tripwire can Help
2. Top 3 PCI Mistakes with the focus on Tripwire Enterprise
3. Tripwire Enterprise PCI Demo
4. Q & A
The Tripwire PCI Compliance Solution
PCI Council validated Approved Scanning Vendor
Enterprise class vulnerability management and discovery
Secure and reliable log collection, correlation and forwarding.
Enterprise class file integrity monitoring, change detection and policy compliance.
Tripwire Can Help with All of the 12 PCI 3.1 Requirements
1: Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2: Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
3: Maintain a Vulnerability Management Program
• Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
• Requirement 6: Develop and maintain secure systems and applications
4: Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need to know
• Requirement 8: Identify and authenticate access to system components
• Requirement 9: Restrict physical access to cardholder data
5: Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
6: Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security for all personnel
Legend: Validates / Provides / Supports
TOP 3 Mistakes that Provide PCI Pain
1. Set and Forget FIM (File Integrity Monitoring)
2. Periodic PCI Assessment
3. Applying Only a PCI Solution and Not Leveraging the Product for Security
Mistake #1: Set and Forget File Integrity Monitoring
PCI 3.1: Authorized Changes?
Why is this important?
How are Authorized Changes Determined?
Authorized Changes: What is this ITIL thing?
1. IT Best Practices
2. System Changes Best Practices
• Change Windows
• Change Management Ticketing Systems
• Test Environments
Phase 1 – Stabilize Patient, Modify First Response
Almost 80% of outages are self-inflicted. The first step is to control risky changes and reduce MTTR by addressing how changes are managed and how problems are resolved.
Mistake #2: Periodic PCI Assessment
Current State of PCI Affairs
Only one third sustain compliance year over year (Verizon 2015)
NEED CONTINUOUS COMPLIANCE
The Cost of Point-in-Time Compliance
[Chart: change in systems, processes, or operations (y-axis) over time (x-axis), with audit points marked]
Exceptional effort to achieve compliance results in passing an audit.
Configuration drift decreases compliance. The result is more exceptional effort.
Continuous Compliance Lowers Costs
[Chart: change in systems, processes, or operations (y-axis) over time (x-axis), comparing three approaches: compliance audit deadline or security event; quarterly audit review or security assessment; continuous security and compliance]
Lowers cost. Increases efficiency. Increases security. Reduces risk.
Mistake #3 Applying only a PCI solution and not leveraging the product for Security
AND
IT SECURITY & COMPLIANCE AUTOMATION
Audit Change (Enhanced File Integrity Monitoring) and Audit Change & Assess Compliance
Tripwire Enterprise Console with Detection Engine:
• Baseline critical system, configuration & content files
• Detect each change (Change, Change, Change)
• Assess compliance
Two questions for every change: Was it compliant? Was it authorized?
Monitored platforms: Directory Services, Desktops, File Systems, Network Devices, Databases, Hypervisors, Applications
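The two questions on that slide, and the change windows and ticketing systems from the "Authorized Changes" slide, can be answered mechanically once FIM events are reconciled against change-management records. The following is an added example, not Tripwire's code or anything from the presentation; the ticket ids, hosts, paths, policy settings and timestamps are constructed.

```python
from collections import namedtuple
from datetime import datetime
from fnmatch import fnmatch

# Approved change from the ticketing system: which host/files, and the approved window
ChangeTicket = namedtuple("ChangeTicket", "ticket_id host path_glob window_start window_end")
# Change detected by FIM: the file no longer matches its baseline; new content is captured
FimEvent = namedtuple("FimEvent", "host path new_content detected_at")

# Required key=value settings for monitored *.conf files ("Was it compliant?")
POLICY = {"tls_min_version": "1.2", "log_level": "info"}

def find_ticket(event, tickets):
    """Return the ticket that authorizes this change, or None ("Was it authorized?")."""
    for t in tickets:
        if (t.host == event.host and fnmatch(event.path, t.path_glob)
                and t.window_start <= event.detected_at <= t.window_end):
            return t
    return None

def policy_violations(event):
    """Return the POLICY keys that the new content of a .conf file fails to satisfy."""
    if not event.path.endswith(".conf"):
        return []
    settings = dict(line.split("=", 1) for line in event.new_content.splitlines() if "=" in line)
    return [k for k, v in POLICY.items() if settings.get(k, "").strip() != v]

def reconcile(events, tickets):
    """Label each detected change with its authorizing ticket (or None) and its violations."""
    rows = []
    for e in events:
        t = find_ticket(e, tickets)
        rows.append({"host": e.host, "path": e.path, "ticket": t.ticket_id if t else None,
                     "violations": policy_violations(e)})
    return rows

# Constructed sample data, not from the presentation
TICKETS = [ChangeTicket("CHG-1001", "pos-01", "/etc/app/*.conf",
                        datetime(2016, 4, 14, 22, 0), datetime(2016, 4, 15, 0, 0))]
EVENTS = [
    FimEvent("pos-01", "/etc/app/db.conf", "tls_min_version=1.2\nlog_level=info\n",
             datetime(2016, 4, 14, 22, 30)),   # inside the window, compliant
    FimEvent("pos-01", "/etc/app/db.conf", "tls_min_version=1.0\nlog_level=info\n",
             datetime(2016, 4, 15, 3, 10)),    # outside the window, non-compliant
    FimEvent("pos-02", "/usr/bin/curl", "<binary>", datetime(2016, 4, 14, 22, 45)),  # no ticket
]
```

A change with no ticket, or one that leaves a file non-compliant, is the event that a "set and forget" FIM deployment never surfaces for review.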
Tripwire PCI Difference
• Most proven & trusted track record: Tripwire was written in the original spec; auditors know & love Tripwire
• Most robust SCM offering for PCI: deep change expertise, best of breed FIM, continuous compliance & highly automated, audit-ready reports
• Dedicated POS Threat Protection
• Broadest platform support
• Innovative product integrations with other providers for greater efficiency
• Best PCI expertise across the entire customer experience
Thank You!