PCI Change Detection: Thinking Beyond the Checkbox

Upload: tripwire

Post on 20-Jan-2017


Page 1: PCI Change Detection: Thinking Beyond the Checkbox

PCI: Thinking Beyond the Checkbox

Page 2

Webinar Agenda

• The Girl Scouts of Northern California
• PCI DSS Requirement 11
• Top Considerations for Requirement 11
• The Joys of Continuous Compliance
• Going Beyond PCI With Change Detection
• Forward Thinking to PCI DSS 3.2
• How Tripwire Can Help

Speakers: Glenn Rogers, CIO, Girl Scouts of Northern California; Tim Erlin, Dir. IT Risk and Security Strategist, Tripwire

Page 3

Girl Scouts of Northern CA: PCI Overview

• Payment Card Environment
• Audit Process
• Change Detection/Management
• Penetration Testing

Page 4

PCI DSS Requirement 11: What’s included?

Requirement 11: Regularly Test Security Systems and Processes

Process and Procedure
• Wireless Access Points (Identify, Inventory, Monitor, Incident Response Plan)
• Internal and External Vulnerability Scanning
• Penetration Testing
• Segmentation
• Intrusion Detection
• Change Detection
• Security Policies

Acquire Tools/Vendors
• Wireless scanning
• Vulnerability scanning
• Penetration testing
• Network access control
• Intrusion detection/prevention
• Change detection/File Integrity Monitoring

Testing
• Don’t go into an audit without knowing what the results will be!
• Test network segmentation
• Get Penetration Testing results and take action

Page 5

Requirement 11 Challenges & Considerations

• Identify vulnerability scan vendor: scan, remediate & re-scan until “high-risk” vulnerabilities are resolved (“Scans… by qualified personnel.”)
• Scan and test after each change: network topology, firewall rules, VPN egress, product/software updates
• Intrusion detection: alerts
• Change detection (FIM): alerts. What are critical files? Weekly? Or daily?

Page 6

Joys of Implementing Continuous Compliance

• No off days: constant updates and monitoring are essential
• Security updates, intrusion detection & prevention engines up-to-date
• Signatures up-to-date
• Baselines: device configs, files
• Coordination & communication between teams
• Change management

Page 7

Going Beyond PCI Checklist: Inherent Value of Change Detection

Security vs. Compliance
• Greater security through more timely detection (daily vs. weekly assessment)
• Using change detection data to identify suspicious or malicious changes

Operational benefits
• Savings in time (less time spent researching changes that have occurred)
• Savings in time through change reconciliation (details of changes are already documented, easily matched to changes in environment)
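A minimal version of the baseline, detect and reconcile loop the slides describe, as an added example (not Tripwire's code): files are hashed into a baseline, the next assessment is diffed against it, and each change is matched to an approved change ticket, so that anything without a ticket surfaces as the "suspicious or malicious" case. The file tree and the ticket id CHG-1042 are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file (relative to root) to its SHA-256 digest: the FIM baseline."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def detect_changes(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Compare two baselines and classify every difference."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(f for f in set(old) & set(new) if old[f] != new[f]),
    }


def reconcile(changes: dict[str, list[str]], approved: dict[str, set[str]]) -> dict[str, str]:
    """Match each detected change to an approved change ticket.
    A change with no ticket is the one that needs investigation."""
    verdicts = {}
    for kind, files in changes.items():
        for f in files:
            tickets = [t for t, paths in approved.items() if f in paths]
            verdicts[f] = f"{kind}: approved ({tickets[0]})" if tickets else f"{kind}: UNRECONCILED"
    return verdicts


def demo() -> dict[str, str]:
    """Constructed scenario: one ticketed change, two changes nobody approved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "firewall.rules").write_text("allow 443\n")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "pay").write_text("original binary\n")
        baseline = build_baseline(root)
        (root / "etc" / "firewall.rules").write_text("allow 443\nallow 8443\n")  # ticketed
        (root / "bin" / "pay").write_text("tampered binary\n")  # no ticket
        (root / "etc" / "app.conf").unlink()  # no ticket
        approved = {"CHG-1042": {"etc/firewall.rules"}}  # constructed ticket id
        return reconcile(detect_changes(baseline, build_baseline(root)), approved)
```

Running the assessment daily rather than weekly shrinks the window during which the two UNRECONCILED entries go unnoticed, which is the slide's "daily vs. weekly" point.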

Page 8

Forward Thinking on PCI DSS 3.2: Considerations for Planning

6.4.6: Change Control Verification
• Validation of PCI compliance after changes
• Best practice now, required after January 31, 2018

8.3: Multi-Factor Authentication
• Expanded requirement for systems/personnel
• Best practice now, required after January 31, 2018

Service providers
• Detect & report security control failures
• Penetration testing every 6 months
• Establish responsibilities

Clarifications on Encryption
• No new deployments of SSL or TLSv1.0
• Remove all SSL and TLSv1.0 by June 30, 2018

Page 9

Tripwire Can Help with all of the 12 Requirements

1: Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2: Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

3: Maintain a Vulnerability Management Program
• Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
• Requirement 6: Develop and maintain secure systems and applications

4: Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need to know
• Requirement 8: Identify and authenticate access to system components
• Requirement 9: Restrict physical access to cardholder data

5: Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

6: Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security for all personnel

Legend: Validates / Provides / Supports

Page 10

The Tripwire PCI Compliance Solution

• PCI Council validated Approved Scanning Vendor
• Enterprise class vulnerability management and discovery
• Secure and reliable log collection, correlation and forwarding
• Enterprise class file integrity monitoring, change detection and policy compliance

Page 11

Tripwire and PCI DSS 3.2: Addressing 3.2 with Tripwire Products

• 6.4.6, Change Control Verification: Tripwire can automate the validation of PCI DSS compliance on systems after a change.
• 8.3, Multi-Factor Authentication: Tripwire validates that multi-factor authentication is in place on systems in the CDE.
• 10.8, 11.3.4.1, 12.11, Service Provider Requirements: Tripwire can validate that newly required controls are in place for service providers.
• 2.2.3, 2.3, 4.1, Strong Encryption Requirements: Tripwire can discover and identify the encryption in use, as well as validate its compliance with PCI requirements.

Page 12

It’s Not Just About PCI: Integration, automation with business context

• Continuous Monitoring
• Risk Reduction
• Threat Detection and Response
• Operational Cost Reduction

INTEGRATION
AUTOMATION

Page 13

Tripwire delivers advanced threat protection, security, and compliance solutions

Page 14

Thank You and Questions