Five challenges to continuous PCI compliance are misunderstanding what PCI compliance means, treating it as an audit process rather than a standard, scoping compliance too broadly, treating it as point-in-time rather than ongoing, and failing to automate tools to generate evidence of compliance. Organizations should view PCI as a security best practice rather than a compliance program and work to continuously reduce their sensitive data scope.

1. Five Challenges to Continuous
PCI DSS Compliance
WHITE PAPER

2. Executive Summary
As the Payment Card Industry Data Security Standard (PCI Lastly, the white paper discusses how the Tripwire VIA™
DSS, or PCI) becomes more widely adopted in both the suite of IT security and compliance automation solutions
United States and Europe, organizations face five major help organizations get and maintain continuous PCI compli-
challenges when navigating the PCI compliance landscape: ance so you can take control of security and compliance
• Misunderstanding what the term “PCI compliance” means of your IT infrastructure. Tripwire VIA solutions include
in a given context; Tripwire® Enterprise for configuration control and Tripwire®
Log Center for log and security event management. And
• Treating PCI compliance as an audit process rather than a
Tripwire Customer Services can help you quickly maximize
private industry standard;
the value of your Tripwire technology implementation.
• Scoping PCI compliance too broadly;
With Tripwire, get visibility across the entire IT infrastruc-
• Treating PCI compliance as a single-point-in-time, rather ture, intelligence to enable better and faster decisions, and
than ongoing activity; and automation that reduces manual, repetitive tasks.
• Failing to use automated tools to generate evidence of
continuous compliance.
This white paper discusses these challenges in-depth, along
with their implications. It also provides a plan of action
that organizations subject to PCI can take to address com-
pliance needs.
2 | WHITE PAPER | Five Challenges to Continuous PCI DSS Compliance

3. Introduction
For a standard that has only formally existed for about five typical use of the term when discussing PCI with retail
years, the Payment Card Industry Data Security Standard executives, although it is probably the least accurate.
(PCI DSS, or PCI) is making astonishingly rapid progress. In 3. Satisfying the registration requirements of each of the
the United States, depending on whose statistics you read, major card brands—chiefly VISA, MasterCard and AMEX—
anywhere from 50–80 percent of large retail companies are by submitting various forms or other necessary informa-
validated as compliant; even second tier organizations are tion according to each association’s rules. This use of the
roughly estimated around the 50 percent mark in terms term is the most common, even though the related pro-
of adoption. PCI is making headway in Europe as well, cess has little to do with the actual PCI.
although adoption is not uniform across the continent, with
Unfortunately, inconsistent use of “PCI compliance” often
the United Kingdom exhibiting the highest levels of PCI
leads to significant confusion and frustration. For example,
compliance and awareness.
an organization may satisfy all PCI controls yet not be
In fact, PCI has attained such wide adoption that many
registered with a card association. As a result, that card
consider it a de-facto standard of due care in the retail
association does not consider the organization to be in com-
industry. Although a private industry rather than legal
pliance—even when another association has accepted and
standard, many organizations treat PCI as a regulatory
validated the registration. When discussing PCI compliance
requirement—an approach that frequently creates an
with IT, an internal auditor, an assessor, an acquiring bank,
unnecessary burden on IT. Based on well-established securi-
or an association, you must keep in mind the context for
ty best practices, such as ISO17799, PCI is not a compliance
the discussion.
program, but rather a technical best practices standard for
The following example demonstrates why context is
the protection of sensitive data, not just credit card data.
important. Often third-party service providers serve retail-
This white paper will examine five major challenges
ers, but have no direct relationship with any of the card
organizations face when navigating the PCI compliance
brands. The service provider does not handle payments by
landscape—issues pertaining to the entire PCI compliance
credit card, yet they do transmit or store their retail cli-
lifecycle, including pre- and post-compliance challenges,
ents’ credit card data. In this familiar circumstance, the
with a focus on clarifying certain common but crucial mis-
service provider organization, which may well satisfy all
understandings of the PCI compliance process.
the PCI DSS controls, cannot directly register with the
associations. Such an organization is certainly PCI compli-
CHALLENGE #1: LACK OF ORGANIZATIONAL
UNDERSTANDING AND COMMITMENT ant, but it is not Cardholder Information Security Program
(CISP), Site Data Protection Program (SDP) or Data Security
The lack of clarity regarding the term “PCI compliance”
Operating Policy (DSOP) compliant. Unfortunately, most
is one fundamental challenge. In fact, the term can mean
potential retail clients cannot make this distinction, and
one of several things, depending on the context in which
therefore consider the service provider organization non-PCI
it is used:
compliant—an unfortunate assumption that may lead to
1. Satisfying the requirements listed in the PCI DSS techni- significant loss of potential revenue for the service provider.
cal standard itself. This is the most accurate—but ironi- Worse yet, the service provider in the above scenario
cally the least utilized—definition. cannot resolve the issue without working with one of their
2. Undergoing a successful external examination or assess- merchant client’s acquiring bank to sponsor the service
ment by a third party, called a Qualified Security Assessor provider’s registration. However, the service provider and
(QSA), that has been certified by the PCI Standards the acquiring bank or card association have no business
Council. The PCI Standards Council is a body created relationship, so the bank will not want to accept the related
specifically to maintain the technical standard. This is a liability. Ironically, the retail client in question will also be
considered out of compliance due to PCI requirement 12.8.
3 | WHITE PAPER | Five Challenges to Continuous PCI DSS Compliance

4. This requirement states that if the merchant shares card- policy only stated that old hard copy with cardholder
holder data with a service provider, it must implement and data would be “shredded” rather than “cross-shredded.”
maintain policies and procedures to manage that service Hopefully such cases no longer occur, but the example
provider, which includes ensuring the service provider is PCI does demonstrate the impact of having equal weight and
compliant. Until this process is complete, the merchant is binary compliance.
subject to potential fines and censures—a curious chicken- • Third, assessors do not have a rigid auditing standard
and-egg scenario that could be challenging, especially for they must follow and by which they are judged; each can
smaller third party service providers that are attempting to approach the evaluation process differently, as long as
gain market share. they satisfy the specific technical test criteria defined
MasterCard has in some cases tacitly worked around within the standard. This lack of uniform evaluation
this issue in the past couple of years by accepting direct likely contributes significantly to the common belief that
registrations through submissions from certain QSAs. In any two PCI QSAs will likely reach different conclusions
contrast, VISA has insisted on the formal process, resulting when assessing the same organization. In an attempt
in cases where MasterCard’s list of compliant service provid- to remedy this issue, a detailed “scoring chart” that a
ers includes organizations not on VISA’s list. Fortunately, QSA must follow when assessing compliance was recently
both associations recently have begun pushing large acquir- released. Unfortunately, the chart does little to solve the
ing banks to handle these registrations when they learn of underlying issue, as it merely provides for the necessary
these service providers. Hopefully this added pressure will minimum evidence to be checked rather than requiring
alleviate this issue. a comprehensive audit or a centralized system of record.
Often, merchants “put their best foot forward,” provid-
CHALLENGE #2: PCI AS AN AUDIT PROCESS
ing a QSA with the systems and evidence they would like
A separate issue facing organizations subject to PCI com- examined rather than the QSA assessing a true random
pliance results from the tendency toward treating PCI sample. And with no legal foundation and significant
compliance as an audit process. Although a PCI assessment pressure to drive down costs between competing QSA’s, a
resembles a regulatory audit to some degree, organizations lack of significant competition around cost, this approach
should not treat it as such for several reasons: frequently works—especially because the QSA’s work is
• First, because PCI is not a law, but rather a private indus- made easier and it eliminates any liability the QSA might
try standard, the level of risk associated with PCI compli- otherwise carry.
ance differs from meeting, for example, a financial report- • Last, because QSAs usually work as consultants rather
ing rule in a regulation. than independent auditors, they often want to assess
• Second, PCI assessments function more as a “spot-check” organizations while also helping them become compliant.
than an actual full-blown record examination, with no This situation creates a powerful, inherent conflict of
account for a system of record or distinction between key interest and likely impacts assessment results. Worse, from
and other controls. In fact, PCI is entirely binary in two the client’s perspective, assessors end up with too much
senses: all controls have equal weight, and they must all power; they can end up running the show and decreeing
be satisfied in order to be compliant. While compensating sets of their preferred solutions that would “guarantee
controls can be listed and approved, there is no “percent- compliance,” hinting that the merchant had better do
age compliance” threshold that can be crossed; you’re what they say—or fail.
either compliant, or you are not. These issues distract from the simple fact that the PCI is
In one early case, an internal auditor at one association an extremely well-developed standard for protecting sensi-
rejected a large organization’s entire submission when the tive data, although it’s important to note that the standard
auditor noticed that the organization’s data destruction assumes that a data classification effort has taken place and
4 | WHITE PAPER | Five Challenges to Continuous PCI DSS Compliance

5. that “cardholder data” has been defined as “sensitive.” As natural result of such improper delegation; as discussed
such, PCI provides organizations a foundation for developing earlier, PCI audits are anything but a formal, uniform audit
an enterprise data security strategy, and one that is much process. Also, many compliance officers are former auditors,
easier to initially adopt than a major framework such as based on the thinking that to best address compliance one
COBIT, a standard such as ISO17799, or a regulation such as should put an auditor in charge.
the Data Protection Act (DPA). Instead, one should approach PCI compliance with two
Many organizations now possess electronic data assets intertwined goals in mind: reduction of risk and scope.
well beyond private consumer information. With this tre- When discussing reduction of scope, it’s natural to consider
mendous volume of data assets, treating PCI as a blueprint the word “scope” as referring to compliance. For PCI, scope
for protecting those assets makes perfect sense, as it allows refers instead to “sensitive data.” In relationship to risk,
the organization to capitalize on PCI-related investments the less sensitive data an organization maintains, the lower
elsewhere. For example, an organization could extend most the organization’s risk associated with that data.
PCI controls to its systems out of scope for PCI. By doing This principle applies, of course, to all kinds of sensitive
so, the organization standardizes its security efforts and data. Corporations generally focus on the sensitivity of cor-
reduces the overall cost of protecting additional systems. In porate records such as financial results or legal agreements,
other words, if you have to do something anyway, and it’s and understand that protecting those records effectively
beneficial, why not extend those benefits everywhere? In begins with limiting their distribution. Corporate managers
one instance, a large fashion retailer reduced the number instinctively understand the concept of data classification
of key controls to implement for SOX by over 70 percent by when it comes to these kinds of records; some data is really
extending PCI controls to their financial system. sensitive and we want to keep it safe. They understand that
In some cases PCI compliance can even drive bottom- keeping data safe involves ensuring it isn’t left carelessly on
line benefits. Returning to the third-party service provider someone’s desk, emailed to large distribution lists, or cop-
example above, merchants might be more willing to sign on ied over to file systems that everyone in the company can
the dotted line with a service provider that had voluntarily access. For these individuals, this important understanding
complied with PCI and had undergone a formal assessment of sensitive data already exists; to drive home the concept
from a well-recognized QSA, even when the merchant is not of reduction of scope they only need to apply that same
forced to do so by the card brands. For the service provider, mindset to PCI “cardholder data.”
this ability to execute faster and reduce the sales cycle is In most retail organizations that attempt to comply with
a tremendous benefit. It is easy to conceive of many such PCI, cardholder data initially seems to be everywhere. It’s
scenarios; for example, a hosting provider with a segregated on the point-of-sale and merchandizing systems, financial
PCI compliant environment within their data center. For one reporting systems, accounting excel spreadsheets, loss pre-
outsourced e-commerce service provider, the ability to offer vention systems and investigation records, files with paper
a “PCI certified” environment translated to a significant records, receipts, emails, laptops… the list is endless. Sadly,
reduction in the sales cycle. the question these organizations usually ask first is “How
do we comply with PCI for all this?” Instead, they should be
CHALLENGE #3: SCOPING COMPLIANCE TOO BROADLY asking “Where can we eliminate the use of such data?”
Not surprisingly, an organization can get overzealous about By eliminating credit card account numbers from every
PCI. Put an internal auditor on the task of becoming com- storage mechanism where these numbers should not reside,
pliant and you will quickly be inundated with forms, tests, the organization gains several major benefits. The first is
checks, requests for evidence, and spreadsheets with tiny a dramatic reduction in compliance scope and associated
print listing missing controls—a far greater scope for PCI liability and risk. Ideally, actual card numbers should reside
than even the writers of the standard intended. This is a only in one central system, such as the merchandizing
5 | WHITE PAPER | Five Challenges to Continuous PCI DSS Compliance

6. system (consider it the “PCI system of record”). All other been sampled and passed while other areas are in the pro-
functions, including sales audit, loss prevention, and so on, cess of being assessed. This situation results in the curious
that may require the occasional card number can be driven conundrum of the organization becoming non-compliant at
largely by the use of alternative mechanisms, such as utiliz- the time of being validated by the assessor.
ing cryptographic hashes instead of actual account numbers Many organizations thus end up subscribing to the view
for transaction searches. Furthermore, the benefits of going that the assessment is something that they need to pass
through the scope reduction exercise can be even greater if annually. Over time, these organizations become highly
the principle is then carried over to other forms of sensitive trained in producing the correct set of evidence to get
data. Ultimately this exercise in reducing scope can make validated for compliance, regardless of their actual PCI com-
the entire company much better at handling its electronic pliance posture.
data assets of all kinds. In one case, proper scoping resulted
in a revised budget of $400K instead of over $2M, and a CHALLENGE #5: FAILURE TO AUTOMATE
reduction of three-fourths in the time needed to attain All of these issues are non-material until a breach occurs.
compliance. That, however, is when the entire game changes. Following
a breach, the card association will send its own assessor,
CHALLENGE #4: THE FALLACY OF POINT IN TIME usually paid for by the merchant, but this time with the
COMPLIANCE
unspoken goal of disproving compliance at the time of
Another self-defeating but prevalent approach is that of breach. And for the first time the assessor will assume the
“least-effort compliance.” An organization that views PCI role of auditor, not only checking for compliance based on a
compliance as simply something the organization must do, current sample of evidence, but examining it over the entire
without understanding how it otherwise contributes to the duration of time leading up to and following the breach.
business, will naturally do the minimum necessary to attain It is easy to imagine that they will find numerous controls
compliance. that may not have been in compliance at one point or
This approach poses a number of significant risks. another, or simply not find any supporting evidence at all.
Because a PCI assessment is very limited in nature, it is Since PCI compliance is binary, the conclusion would be
easy to present an assessor with targeted evidence to that the organization had not been compliant at the time
ensure compliance. Often, and especially in cases where the of the breach, regardless of whether their compliance had
assessor also serves as the consultant on how to pass the been validated by an external assessor beforehand. This
assessment, it is extremely hard to avoid a form of collu- conclusion opens the door to a number of liabilities, includ-
sion between the client and the assessor that results in a ing fines and other sanctions, depending on how far the
tendency to ignore, make exceptions for, or explain away association feels they can go with the particular entity in
non-compliant elements. question.
The nature of PCI compliance as relying on an annual, An excellent way to avoid much of this problem is the use
point-in-time assessment also contributes to the “illusion of automated evidence collection tools. Not only do such
of compliance” problem. PCI compliance, except in certain tools normally have significant operational benefits—includ-
narrow areas such as quarterly scanning, looks at the here- ing early detection of breaches, a major factor in limiting
and-now. Unlike a full audit, there is no actual requirement risk—but they can prove that the organization had continu-
to prove that all controls have been in place for an entire ous compliance, rather than point-in-time compliance, as
year, but rather that they are in place when sampled during assessments do. The organization’s bargaining position when
the assessment. Even failed quarterly scans can generally be dealing with the association is therefore greatly improved,
explained away if the most recent scan before an assessment and avoiding a half million-dollar fine is enough to easily
shows a passing result. Another issue is that an organiza-
tion often falls out of compliance in areas that had already
6 | WHITE PAPER | Five Challenges to Continuous PCI DSS Compliance

7. justify the cost of several such tools, though breaches often
lead to more than a single fine.
How Tripwire Helps
Since PCI is very detailed in terms of required technical Tripwire IT security and compliance automation solu-
and operational controls, it is virtually impossible to remain tions go beyond directly addressing requirements like PCI
compliant without such tools. But most of these tools also Requirements 10.5 and 11.5. In fact, assessors recognize
bring side benefits, such as catching unauthorized changes, that when the Tripwire VIA™ suite is in use, they can
detecting reliability and performance issues, or simply indi- assume that the organization being audited has already sat-
cating suboptimal configurations in operational systems. isfied specific PCI assessment criteria. In addition, Tripwire
Note that compliance in and of itself can’t stop a breach solutions automate mission-critical operational and analysis
from happening, although having security controls in place tasks around system changes, while providing strong proof
will certainly reduce the breach to detection gap from of compliance for auditors and legal discovery.
week and months to minutes and hours. That is powerful. To date, Tripwire has helped over 7000 organizations
Unfortunately, the old security adage that “the only safe worldwide meet compliance requirements and secure their IT
system in a network is one that is not connected” still holds infrastructure with industry leading IT security and compli-
true. However, PCI compliance, because it is essentially a set ance automation solutions. These solutions include Tripwire
of security best practices, can contribute significantly to the Enterprise for configuration control and Tripwire Log Center
organization’s overall security posture. for log and event management. Tripwire Enterprise delivers
proven file integrity monitoring, compliance policy man-
agement, real-time intelligent assessment of change with
What you should do Change IQ capabilities, and one-touch access to remediation
From the discussion to this point, you can draw several useful guidance to meet the PCI DSS configuration and change
conclusions and begin to form a compliance plan of action: process controls. Tripwire Log Center, an all-in-one log and
1. PCI as a best practice. Where they make sense, plan to event management solution meets the log management
expand relevant PCI controls to other areas of the organi- requirements of the PCI DSS and through it’s built-in inte-
zation; this will help with other compliance programs. gration with Tripwire Enterprise further enhances security
with security event data on changes flagged for review by
2. Scoping before compliance. Identify all cardholder data
Tripwire Enterprise.
flows and storage systems before looking at the PCI DSS,
Together, Tripwire Enterprise and Tripwire Log Center pro-
and then eliminate as many of them as possible.
vide a broad solution for ensuring PCI DSS compliance and
3. Controlling the compliance process. Avoid hiring your
reducing an organization’s security risk.
auditor to assess and consult on how to pass their audit.
Instead, rely on proven PCI expertise to help you work
through the compliance process. Similarly, try to avoid
putting an auditor in charge of PCI compliance, unless
they have significant and specific PCI expertise.
4. PCI is ongoing. Do not fall into the “annual check-
point” mindset, but treat PCI compliance as a continuous
process.
5. Automation and centralization. Plan to invest in both
automation and centralization, with an eye towards col-
lection and review of evidence. This investment will pro-
vide the best coverage following a breach, but will also
provide significant operational benefits.
7 | WHITE PAPER | Five Challenges to Continuous PCI DSS Compliance

8. ABOUT TRIPWIRE
Tripwire is a leading global provider of IT security and compliance automation solutions that help businesses and
government agencies take control of their entire IT infrastructure. Thousands of customers rely on Tripwire’s integrated
solutions to help protect sensitive data, prove compliance and prevent outages. Tripwire® VIA™, the comprehensive
suite of industry-leading file integrity, policy compliance and log and security event management solutions, is the way
organizations can proactively achieve continuous compliance, mitigate risk and improve operational control through
Visibility, Intelligence and Automation. Learn more at www.tripwire.com and TripwireInc on Twitter.
©2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPFPC1b