In September 2006, the Payment Card Industry (PCI) Security Standards Council released the PCI Data Security Standard (DSS) v1.1. The standard made member financial institutions responsible for their own compliance, and for ensuring the compliance of their merchants and service providers across all payment channels, including in-store, mail/telephone order, and e-commerce. Several months later, Visa set new compliance deadlines for Level 1 and Level 2 merchants and initiated a reclassification that moved many Level 3 and Level 4 merchants to Level 2. The pressure to validate compliance is on.

Why is this happening? In short: data security breaches. In 2005, high-profile losses of credit card and cardholder data became so commonplace that the Washington Post dubbed it "the year of the data breach." Since then, the situation has actually deteriorated. According to a 2006 Network World article, data broker ChoicePoint "reported $11.4 million in related charges" after exposing 145,000 customer accounts. Factoring in the cost of subsequent system and process modifications, research firm Gartner estimated the cost to ChoicePoint at around $90 per exposed account, or over $13 million.
Wired.com reported in 2007 that losses at retail giant TJX (TJ Maxx, etc.) may have topped this many times over. Data security vendor Protegrity estimates losses approaching $1.7 billion for the breach of some 45.7 million credit card numbers. In the report "Calculating the Cost of a Security Breach" (April 2007), Forrester Research Inc. calculates that a security breach can cost retailers between $90 and $305 per record, arising from discovery, response and notification; lost productivity; lost opportunity; restitution costs; replacements; and potentially serious fines. What can be done to improve compliance and decrease enterprise-wide vulnerabilities? Deploy the leading configuration audit and control solution: Tripwire Enterprise. It enables companies to detect, analyze and remediate unauthorized changes and many other weaknesses that may otherwise go unnoticed, thereby improving data protection and satisfying the file integrity monitoring and change control requirements outlined in the PCI DSS.
Many requirements in the PCI DSS focus on the ability to monitor and report on changes made across the IT environment. The standard requires not only that you achieve a secure state for your cardholder data, but that you are able to prove that this secure state does not change over time.
Configuration Audit and Control Solutions from Tripwire help validate these PCI requirements by:
Confirming that access to computing resources and cardholder data is limited to the proper individuals
Validating that patches are deployed properly
Alerting you to unauthorized changes to firewall rules
Ensuring wireless network security policies are not circumvented
Detecting new, modified, or deleted user IDs
Maintaining file integrity across the entire enterprise
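The list above describes what file integrity monitoring and change detection deliver, but not how the underlying mechanism works. The following is an added illustration, not Tripwire's code or a description of Tripwire Enterprise internals: it records a baseline of SHA-256 hashes, sizes and permission bits for every regular file under a directory, takes a second snapshot later, and classifies each path as added, modified or deleted. The directory tree, file names and contents in `demo()` are constructed for the example; the change that alters only permissions (same bytes) is included because a FIM baseline that compares content alone would miss it.

```python
"""
Added example (not Tripwire's code): a minimal file integrity monitor in the
spirit of the PCI DSS file integrity monitoring requirement. Baseline a tree,
rescan it later, and report new, modified and deleted files. All paths and
file contents in demo() are constructed for the illustration.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileRecord:
    """Per-file record. Permission bits are tracked alongside content because a
    config file that silently becomes world-readable is a change worth alerting on
    even when its bytes are unchanged."""
    sha256: str
    size: int
    mode: str  # e.g. "0644"


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(root: str) -> Dict[str, FileRecord]:
    """Walk a tree and record every regular file, keyed by path relative to root."""
    snapshot: Dict[str, FileRecord] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow a symlink out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, device nodes are not hashed here
            rel = os.path.relpath(full, root)
            snapshot[rel] = FileRecord(
                sha256=hash_file(full),
                size=st.st_size,
                mode=f"{stat.S_IMODE(st.st_mode):04o}",
            )
    return snapshot


def compare(baseline: Dict[str, FileRecord],
            current: Dict[str, FileRecord]) -> Dict[str, List[str]]:
    """Classify every path as added, modified or deleted relative to the baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "deleted": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str, mode: int = 0o644) -> None:
    """Create a file with an explicit mode so the baseline does not depend on umask."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)
    os.chmod(full, mode)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small 'etc' tree, then make the kinds of
    changes a FIM tool is meant to catch, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/httpd.conf", "Listen 443\n")
        _write(root, "etc/old.conf", "# retired setting\n")
        baseline = take_snapshot(root)  # in practice: store signed, off the monitored host

        # Changes made after the baseline was taken (all constructed for the demo):
        _write(root, "etc/passwd",  # a new account appended: content change
               "root:x:0:0:root:/root:/bin/bash\n"
               "newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        os.chmod(os.path.join(root, "etc/httpd.conf"), 0o600)  # permissions only, same bytes
        os.remove(os.path.join(root, "etc/old.conf"))          # file deleted
        _write(root, "etc/unexpected.bin", "dropped in after baseline\n")  # new file

        return compare(baseline, take_snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

Two points a practitioner would want to verify in any real deployment follow directly from this sketch: the baseline itself has to be protected (stored and signed somewhere the monitored host cannot rewrite it, otherwise an attacker who can change a file can also change its expected hash), and every reported change still has to be reconciled against an approved change record, since the scan only says that something changed, not whether the change was authorized.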