WHITE PAPER
Executive Summary
As the Payment Card Industry Data Security Standard (PCI DSS, or PCI) becomes more widely adopted in both the United States and Europe, organizations face five major challenges when navigating the PCI compliance landscape:

• Misunderstanding what the term “PCI compliance” means in a given context;
• Treating PCI compliance as an audit process rather than a private industry standard;
• Scoping PCI compliance too broadly;
• Treating PCI compliance as a single-point-in-time, rather than ongoing activity; and
• Failing to use automated tools to generate evidence of continuous compliance.

This white paper discusses these challenges in-depth, along with their implications. It also provides a plan of action that organizations subject to PCI can take to address compliance needs.

Lastly, the white paper discusses how the Tripwire VIA™ suite of IT security and compliance automation solutions help organizations get and maintain continuous PCI compliance so you can take control of security and compliance of your IT infrastructure. Tripwire VIA solutions include Tripwire® Enterprise for configuration control and Tripwire® Log Center for log and security event management. And Tripwire Customer Services can help you quickly maximize the value of your Tripwire technology implementation. With Tripwire, get visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

For a standard that has only formally existed for about five years, the Payment Card Industry Data Security Standard (PCI DSS, or PCI) is making astonishingly rapid progress. In the United States, depending on whose statistics you read, anywhere from 50–80 percent of large retail companies are validated as compliant; even second tier organizations are roughly estimated around the 50 percent mark in terms of adoption. PCI is making headway in Europe as well, although adoption is not uniform across the continent, with the United Kingdom exhibiting the highest levels of PCI compliance and awareness.

In fact, PCI has attained such wide adoption that many consider it a de-facto standard of due care in the retail industry. Although a private industry rather than legal standard, many organizations treat PCI as a regulatory requirement—an approach that frequently creates an unnecessary burden on IT. Based on well-established security best practices, such as ISO17799, PCI is not a compliance program, but rather a technical best practices standard for the protection of sensitive data, not just credit card data.

This white paper will examine five major challenges organizations face when navigating the PCI compliance landscape—issues pertaining to the entire PCI compliance lifecycle, including pre- and post-compliance challenges, with a focus on clarifying certain common but crucial misunderstandings of the PCI compliance process.

CHALLENGE #1: LACK OF ORGANIZATIONAL UNDERSTANDING AND COMMITMENT

The lack of clarity regarding the term “PCI compliance” is one fundamental challenge. In fact, the term can mean one of several things, depending on the context in which it is used:

1. Satisfying the requirements listed in the PCI DSS technical standard itself. This is the most accurate—but ironically the least utilized—definition.
2. Undergoing a successful external examination or assessment by a third party, called a Qualified Security Assessor (QSA), that has been certified by the PCI Standards Council. The PCI Standards Council is a body created specifically to maintain the technical standard. This is a typical use of the term when discussing PCI with retail executives, although it is probably the least accurate.
3. Satisfying the registration requirements of each of the major card brands—chiefly VISA, MasterCard and AMEX—by submitting various forms or other necessary information according to each association’s rules. This use of the term is the most common, even though the related process has little to do with the actual PCI.

Unfortunately, inconsistent use of “PCI compliance” often leads to significant confusion and frustration. For example, an organization may satisfy all PCI controls yet not be registered with a card association. As a result, that card association does not consider the organization to be in compliance—even when another association has accepted and validated the registration. When discussing PCI compliance with IT, an internal auditor, an assessor, an acquiring bank, or an association, you must keep in mind the context for the discussion.

The following example demonstrates why context is important. Often third-party service providers serve retailers, but have no direct relationship with any of the card brands. The service provider does not handle payments by credit card, yet they do transmit or store their retail clients’ credit card data. In this familiar circumstance, the service provider organization, which may well satisfy all the PCI DSS controls, cannot directly register with the associations. Such an organization is certainly PCI compliant, but it is not Cardholder Information Security Program (CISP), Site Data Protection Program (SDP) or Data Security Operating Policy (DSOP) compliant. Unfortunately, most potential retail clients cannot make this distinction, and therefore consider the service provider organization non-PCI compliant—an unfortunate assumption that may lead to significant loss of potential revenue for the service provider.

Worse yet, the service provider in the above scenario cannot resolve the issue without working with one of their merchant client’s acquiring bank to sponsor the service provider’s registration. However, the service provider and the acquiring bank or card association have no business relationship, so the bank will not want to accept the related liability. Ironically, the retail client in question will also be considered out of compliance due to PCI requirement 12.8.
©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPFPC1b