Solution Brief
PCI Compliance: Are You Onboard?
Member financial institutions are responsible not only for their own compliance, but also for ensuring the compliance of their Merchants and Service Providers for all payment channels, including in-store, mail/telephone-order, and e-commerce.
In 2005, high-profile credit card and credit data loss and compromise became so commonplace that the Washington Post dubbed it “the year of the data breach.” Long before that rash of events, however, Visa had developed the first major commercial standard for protection of cardholder data. Created in 2001, Visa’s Cardholder Information Security Program (CISP, also known as AIS (Account Information Security) internationally) defined a standard for securing Visa cardholder data for U.S. customers, wherever that data was located. In 2004, Visa and MasterCard collaborated to develop common security requirements. Based on CISP, the result was the Payment Card Industry Data Security Standard (PCI DSS). All Merchants and Service Providers (including international Visa members) that handle, transmit, store or process information concerning either of these cards, or related card data, were required to be compliant as of June 30, 2005. In September 2006, the PCI Security Standards Council released PCI Data Security Standard v1.1.
PCI establishes stringent standards on how merchants process, store or transmit cardholder data. These standards are a set of comprehensive security requirements that combine technology, policies, education, and awareness as well as industry best practices into an integrated framework. Adding to the compliance burden is the presence of "double jeopardy." Members are not only responsible for their own PCI DSS compliance, but also for the compliance status of their Merchants and Service Providers across all payment channels, including in-store, mail/telephone-order, and e-commerce. PCI is a technical standard (not a regulation) that offers strong recommendations conforming to long-established security best practices. Complying with PCI makes good business sense in that it can result in a more reliable, streamlined IT infrastructure, improve service delivery, increase availability, and reduce risk—leading to improved customer confidence and loyalty, simplified auditing, and more effective cost controls.
How Tripwire Helps Companies Achieve PCI Compliance
The PCI requirements help Members, Merchants, and Service Providers protect their information assets and meet their obligations to the credit card companies’ payment structure. The requirements include making certain that firewalls, routers, database servers and other critical system assets adhere to the PCI DSS. Tripwire software can help organizations comply with these requirements (specifically in the areas of file integrity monitoring, firewall/router security compliance monitoring, and change control) by monitoring critical files and alerting appropriate personnel to any unauthorized changes. Section 10.5.5 requires “file integrity monitoring/change detection software on logs to ensure that existing log data cannot be changed without generating alerts.” Tripwire can also maintain a record of all integrity checks and detected violations for audits, investigations, and historical reference, and can play a crucial role in effective disaster recovery, another PCI component. Tripwire enables change control across the enterprise. With Tripwire software, changes are continually logged, and if security has been compromised, it enables rapid recovery to a known good state. Tripwire has already helped a large number of credit card merchants and service providers with security and data integrity solutions that have enabled them to successfully and efficiently pass a PCI audit.
Change Visibility
Even if the IT infrastructure is perfectly in compliance with PCI, one small change to a server or network device can have negative impacts if it is not properly detected and reported. Change can be accidental, benign, malicious or intentional in nature, and can originate from inside or outside an organization. But without a way to know when change occurs, and whether it is desired or undesired, IT teams have few options for minimizing damage. By exposing unauthorized or unintended changes, Tripwire can provide the information necessary to validate internal processes and enable rollback to compliant status.
Continuous Validation
Server and network device configurations may be subject to positive, authorized changes—code upgrades, new capacities, new hardware versions—which can be just as disruptive as unauthorized changes if not properly implemented. Using Tripwire software, an IT team can look in a directory that contains their code and all configuration files to verify that changes were made correctly. For critical servers and devices, configuration tests may occur as often as every day, which can be a time-consuming and resource-intensive task. The automatic change detection and configuration validation of Tripwire software can save IT teams hours of valuable time every day. Without Tripwire configuration audit and control, a configuration mismatch or missed server could result in hours of troubleshooting, ending with manual intervention to determine the specific problem. With Tripwire software, the IT staff can immediately identify any configuration problems and frequently resolve them in a matter of minutes.
Good for PCI, Good for Business
Easier Audits
Tripwire reporting capabilities give PCI auditors the information needed to complete the quarterly and annually required testing and reporting audits. Tripwire reports provide the proof required to verify compliance with internal change management policies and external regulations. Not only is this insurance against the financial impact of fines, but the time and resources needed to prepare for audits are also reduced.
PCI DSS Requirements and Tripwire Solutions
Tripwire configuration audit and control solutions help enable compliance with multiple sections in eight of the twelve PCI DSS requirements:
PCI REQUIREMENT
1.1 Establish firewall configuration standards, including a formal process for approving/testing changes
1.2 Build a firewall configuration that denies all traffic from un-trusted networks/hosts
1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing sensitive data, including wireless networks
1.3.1 Restrict inbound Internet traffic to IP addresses within the DMZ
1.3.2 Do not allow internal addresses to pass from the Internet into the DMZ
1.3.5 Restrict outbound traffic to that which is necessary for the payment card environment
1.3.7 Deny all other inbound and outbound traffic not specifically allowed
1.4 Prohibit direct public access between external networks and any system component that stores sensitive information
1.4.1 Implement a DMZ to filter and screen all traffic, to prohibit direct routes for inbound and outbound Internet traffic
1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ
1.5 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet
HOW TRIPWIRE ADDRESSES
Tripwire can detect and respond to any unauthorized changes to firewall rules. Tripwire monitors the state of firewalls and reports any changes to configuration files, rule sets and, where appropriate, the underlying OS on the firewall. Tripwire also provides automatable rollback capabilities to restore device configurations to a previously authorized state. In the event of an automated rollback, Tripwire retains a copy of the suspect configuration for analysis and/or later redeployment (roll forward) of the configurations.

PCI REQUIREMENT
2.2 Develop configuration standards for all system components
2.2.1 Implement only one primary function per server
2.2.2 Disable all unnecessary and insecure services and protocols
2.2.3 Configure system security parameters to prevent misuse
2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems
HOW TRIPWIRE ADDRESSES
Tripwire can detect any systems or network devices that are out of compliance with established standards.

PCI REQUIREMENT
3.1 Keep cardholder information storage to a minimum. Develop a data retention and disposal policy
3.6.7 Prevention of unauthorized substitution of keys
3.6.8 Replacement of known or suspected compromised keys
HOW TRIPWIRE ADDRESSES
Tripwire can validate the removal of some types of data, and this can be automated (3.1). Tripwire can alert if keys that are held in a file are modified or substituted (3.6.7). Tripwire can detect the substitution and track it until the change is remediated (3.6.8).

PCI REQUIREMENT
4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using Wi-Fi Protected Access
HOW TRIPWIRE ADDRESSES
Tripwire can search configuration files for required security settings and alert to deviations from defined policy. Once configuration files are in compliance, Tripwire will monitor and alert to any changes, allowing review and validation of the change. All checks are recorded, and reports that provide evidence of ongoing monitoring and review can be created, which reduces the audit effort from Project style to Activity style.

PCI REQUIREMENT
5.1 Deploy antivirus mechanisms on all systems commonly affected by viruses
HOW TRIPWIRE ADDRESSES
Tripwire can detect systems with out-of-compliance signatures and can alert when the service is shut down. Tripwire is complementary to antivirus software, in that it does not rely on pattern-matching or definitions. In the event of a “day zero” attack, Tripwire will track and report on all changes that occur to systems. This includes systems without current virus definitions, as well as those systems damaged before a virus definition was available. This greatly shortens the quarantine and repair process for these systems.

PCI REQUIREMENT
6.1 Ensure that all system components and software have the latest vendor-supplied security patches
6.3.1 Testing of all security patches and system and software configuration changes before deployment
6.3.5 Removal of test data and accounts before production systems become active
6.3.6 Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers
HOW TRIPWIRE ADDRESSES
Tripwire validates that patches rolled out are actually deployed properly, and it can identify any systems that are not correctly or fully patched. Tripwire is commonly used as part of the patch deployment process to validate that all target systems have been patched appropriately, consistently, and as expected. This ensures that there is an audit trail verifying that all expected patches have been implemented, as well as mitigating the risk of failed patches. This also provides an independent audit mechanism to ensure conformance to security standards.

PCI REQUIREMENT
6.4 Follow change control procedures for system and software configuration changes
6.4.1 Documentation of impact
6.4.2 Management sign-off by appropriate parties
6.5.8 Insecure storage
6.5.10 Insecure configuration management
7.1 Limit access to computing resources and cardholder information to only those individuals whose job requires such access
HOW TRIPWIRE ADDRESSES
Tripwire can provide evidence that this section is being enforced.

PCI REQUIREMENT
8.5 Ensure proper user authentication and password management for non-consumer users and administrators for all system components
8.5.1 Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects
8.5.4 Immediately revoke access of terminated users
8.5.6 Enable accounts used by vendors for remote maintenance only during the time needed
8.5.8 Do not permit group, shared, or generic accounts/passwords
8.5.16 Authenticate all access to any database containing cardholder information
HOW TRIPWIRE ADDRESSES
Tripwire can detect new user IDs, as well as the modification or deletion of existing user IDs.

PCI REQUIREMENT
10.1 Establish a process for linking access to system components to an individual user
HOW TRIPWIRE ADDRESSES
Tripwire can associate system changes with individual user accounts; this information is written to a Tripwire report file that cannot be tampered with.

PCI REQUIREMENT
10.2.7 Creation and deletion of system-level objects
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource
10.5 Secure audit trails so they cannot be altered in any way
10.5.1 Limit viewing of audit trails to those with a job-related need
10.5.2 Protect audit trail files from unauthorized modifications
10.5.5 Use file integrity monitoring/change detection software (such as Tripwire) on logs to ensure that existing log data cannot be changed without generating alerts
10.6 Review logs for all system components at least daily. Log review should include those servers that perform security functions, like IDS and AAA servers
11.3 Perform penetration testing on network infrastructure and applications at least once a year, and after any significant infrastructure or application upgrade or modification
11.4 Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date
11.5 Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files, and perform critical file comparisons at least daily (or more frequently if the process can be automated)
HOW TRIPWIRE ADDRESSES
Tripwire solutions monitor file integrity across the entire enterprise as frequently as desired and provide robust, flexible reporting. Tripwire, particularly when integrated with an EMS as part of the change management process, can detect when unauthorized (out-of-process) changes are made to production systems. This aids in the enforcement and audit of security systems and processes, ensuring that you are aware of situations in which your systems and processes are circumvented.

PCI REQUIREMENT
12.1.3 Includes a review at least once a year and updates when the environment changes
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel
12.9.2 Test the incident response plan at least annually
12.9.5 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems
HOW TRIPWIRE ADDRESSES
Tripwire helps monitor changes that may indicate violations of policy, e.g., internal users making unauthorized changes. To aid incident response and recovery, Tripwire can automatically trigger third-party tools to immediately restore systems to their last “known and trusted” state.
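The file-integrity checks behind requirements 10.5.5 and 11.5 above, as an added example that is not Tripwire's code: logs grow legitimately, so a whole-file hash would alert on every normal append. The check below records the size and hash of each file at baseline and later hashes only the bytes that existed then, so an append to a log passes, while any rewrite, truncation or deletion of existing log data alerts, and any growth of a non-log file (a constructed firewall.conf here) is flagged as drift. File names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Added example, not Tripwire's code: logs are append-only (PCI DSS 10.5.5),
# every other monitored file is immutable (PCI DSS 11.5).

def sha256_prefix(path, length):
    """Hash only the first `length` bytes: the content that existed at baseline."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()

def take_baseline(paths):
    """Record (size, hash) of each monitored file; store this off-box in practice."""
    return {p: (os.path.getsize(p), sha256_prefix(p, os.path.getsize(p))) for p in paths}

def check(baseline, append_only):
    """Return {path: verdict}: unchanged, appended, modified, truncated or missing."""
    verdicts = {}
    for path, (old_size, old_hash) in baseline.items():
        if not os.path.exists(path):
            verdicts[path] = "missing"
        elif os.path.getsize(path) < old_size:
            verdicts[path] = "truncated"
        elif sha256_prefix(path, old_size) != old_hash:
            verdicts[path] = "modified"  # bytes present at baseline were changed
        elif os.path.getsize(path) == old_size:
            verdicts[path] = "unchanged"
        else:  # the file only grew: normal for a log, drift for anything else
            verdicts[path] = "appended" if path in append_only else "modified"
    return verdicts

def alerts(verdicts):
    """Everything except 'unchanged' and a permitted append must raise an alert."""
    return sorted(p for p, v in verdicts.items() if v not in ("unchanged", "appended"))

def _write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed scenario in a temp dir; returns verdicts keyed by file name."""
    d = tempfile.mkdtemp()
    auth, app, fw = (os.path.join(d, n) for n in ("auth.log", "app.log", "firewall.conf"))
    for p, text in ((auth, "login ok\n"), (app, "started\n"), (fw, "deny all\n")):
        _write(p, text)
    base = take_baseline([auth, app, fw])
    _write(auth, "login failed\n", "a")   # normal log growth: allowed
    _write(app, "startex\n")              # an existing log line rewritten: tampering
    _write(fw, "permit any\n", "a")       # a non-log file grew: configuration drift
    return {os.path.basename(p): v for p, v in check(base, {auth, app}).items()}
```

In a daily run (11.5) the baseline would be refreshed only after an approved change, so the verdict history itself becomes the audit trail the brief describes.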
Services to Help Organizations Develop Compliance Processes
Ensuring that your compliance processes will help you pass audits requires more than software. It calls for expertise and deep knowledge of data, devices, and how change occurs. Tripwire Professional Services contributes this expertise to help organizations quickly maximize the benefits of their Tripwire change audit solutions. From initial network discovery to policy file writing and customization, Tripwire’s experienced consultants work to ensure that your change management and documentation processes are up and running as quickly and effectively as possible.
www.tripwire.com
US TOLL FREE: 1.800.TRIPWIRE MAIN: 503.276.7500 FAX: 503.223.0182
326 SW Broadway, 3rd Floor Portland, OR 97205 USA
©2007 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other trademarks and company names are property of their respective owners. All rights reserved.
SBPCI5