PCI: A Valuable Security Framework, Not a Punishment

IT Security and Compliance Automation
Configuration Assessment & Change Auditing Solutions
VISIBILITY | INTELLIGENCE | AUTOMATION
Today's Speakers

John Kindervag, Senior Analyst, Forrester Research
Cindy Valladares, PCI Solutions Manager, Tripwire

IT SECURITY and COMPLIANCE AUTOMATION | Don't Take Chances. TAKE CONTROL.
PCI Unleashed:
Embracing PCI As A
Next-Generation
Security Architecture
John Kindervag
Senior Analyst
Forrester Research
Key Components of PCI

1. PCI is here to stay.
2. PCI incentivizes security.
3. Successful companies will derive value from PCI.

Entire contents © 2009 Forrester Research, Inc. All rights reserved.
PCI unleashed




"PCI feels like something that is being done to me and not something being done with me."
                                                                           — CISO, global company
Executive summary
     • PCI is imposed on all businesses using credit cards
       in any way.
     • It is the result of a long-term and systemic failure in
       corporate governance.
                – Willingness to accept poor internal data security
                  practices
                – Profitability was more important than security.
     • Corporations assumed that card brands took all the
       risk.
     • PCI DSS was created to transfer some risk to
       merchants.
PCI misperceptions

     • How can you be hacked if you are compliant?
     • PCI is a never-ending process with complex requirements.
                – It requires day-to-day and hour-to-hour diligence to remain compliant.
                – The difficulty a company is having becoming PCI-compliant is a direct
                  reflection of its overall approach to information security.
     • The validation of compliance ≠ security.
The PCI troika

     Security | Validation | Compliance
Compliance

      • Compliance is the act of meeting the terms of the
        PCI DSS.
      • Compliance assumes self-enforcement.
      • It is not enforced by the card brands.
      • Noncompliance is penalized by fines.
      • Noncompliance is not an option.


Validation

      • Merchants are assumed to be 100% PCI-compliant at all times.
      • Different levels of merchants may require third-party validation (QSA assessment).
      • Validation is like your dad checking up on you.
      • Many companies that appear to be "PCI-compliant" have misrepresented their compliance.
      • You will hear the term "compliance validation."
Security

      • Security encompasses all elements of protecting your network and data from misuse.
      • Security should be a given in any organization.
      • Buzzword time!
      • Your greatest "corporate social responsibility" is to protect your customers' data.
Compliance does not equal security

      • Compliance incentivizes security.
      • Compliance is a stick and not a carrot.
      • PCI has succeeded masterfully.
                 – PCI has gotten the attention of the enterprise:
                           • Fines and fees
                           • Brand damage
                           • Lawsuits
How can companies derive value from
     their PCI-compliance initiatives?
      • There are several important ways that PCI provides
        value to in-scope companies:
                 – PCI creates awareness for data-centric security.
                 – PCI unlocks budgets for security.
                 – PCI defines a set of tactical best practices for network
                   and data security.
                 – PCI is easily molded into an understandable and
                   actionable security, risk, and compliance framework.
      • Make PCI your security framework.


The open source of compliance

      • Used by millions of companies, it:
                 – Has been vetted.
                 – Has established support communities.
                 – Has a highly trained workforce.
                 – Is easy to hire expertise around.
      • Non-PCI companies are looking at PCI as a best-practices framework.
Compliance costs less than compromise

      • Cost is a variable based on your beginning state of security.
      • PCI reduces costs.
                 – Prescriptive
                 – Helps avoid costly breaches
                 – Helps achieve SOX and other mandates cost-effectively
      • PCI is not a zero-sum game.
The cost of a breach

     (Chart.) Source: April 10, 2007, "Calculating The Cost Of A Security Breach" Forrester report
TJX accrued expenses (10,000) — 2008




The pièce de résistance

      • "Since discovering the computer intrusion, we have taken steps designed to
        strengthen the security of our computer systems and protocols and have
        instituted an ongoing program with respect to data security."
Compliance by cheerleading

                                                                            "High-level frameworks have little value."
                                                                                    — CISO, global company
A PCI framework has value

      • Your company will need to become compliant with PCI anyway.
      • Use your efforts to define your future security objectives.
      • Leverage existing controls.
      • Expand new PCI-related controls to other areas.
      • PCI has never claimed to be perfect, bulletproof security.
      • You can't repeal PCI.
PCI unleashed framework




Key Takeaways

1. PCI is actionable.
2. PCI unlocks budgets.
3. PCI incentivizes good security and makes an excellent baseline framework.
Good security = free compliance
Increased Security through Constant Compliance

COMPLIANCE | SECURITY | CONTROL

Tripwire VIA™ (VISIBILITY, INTELLIGENCE, AUTOMATION)
Cindy Valladares | Solutions Marketing
Agenda




Problem: Taking Too Long to Find Breaches/Risks

(Timeline figure: Breach → Discovery)

     • "Breaches go undiscovered and uncontained for weeks or months in 75% of cases." (2009)
     • "Average time between a breach and the detection of it: 156 days [5.2 months]" (Feb. 2010)
     • "…breaches targeting stored data averaged 686 days [of exposure]" (2010)
     • "More than 75,000 computers … hacked" -- the attack began in late 2008 and was discovered last month (Feb. 2010)
Result: The Time Delay Of Discovery Is Costly!

(Timeline figure: Breach → Discovery)

     • "Heartland Payment Systems announced today that it will pay Visa-branded credit and
       debit card issuers up to $60 million…" — Bank Info Security, Jan. 8, 2010
     • "The average cost per breach in 2009 was $6.7 million…" — Ponemon Institute, Jan. 25, 2010
Need: Close The Time Gap

(Timeline figure: Breach, followed by Discovery at successively earlier points.)
Need: Close The Time Gap
Many Compromising Problems Are Difficult To Discover

     • 10 failed logins
     • Login successful
     • New user added
     • Logging turned off
     • FTP enabled
     • DLL modified by new user
     • FTP event to foreign IP
Just Detecting Change Is Not Enough…
Policy-Based Intelligence Is Required

     Change events:
     • Logging turned off
     • New user added
     • FTP enabled
     • DLL modified by new user

     Typical FIM cannot raise these types of alerts. Change intelligence is required.
Just Detecting Log Events Is Not Enough…
Policy-Based Intelligence Is Required

     Log events:
     • 10 failed logins
     • Login successful
     • FTP event to foreign IP

     Log management alone cannot alert on these events; SIEM is required.
Relating Change Events to Log Events…
Best Chance To Discover Compromising Problems Quickly

     Events of interest, in order:
     • 10 failed logins (log)
     • Login successful (log)
     • New user added (change)
     • Logging turned off (change)
     • FTP enabled (change)
     • DLL modified by new user (change)
     • FTP event to foreign IP (log)
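The three slides above argue that the chain is only visible when change (FIM) events and log events are correlated against a policy: FIM alone sees the new account and the tampering but not the credential attack or the outbound transfer, and log management alone sees the logins and the FTP session but not the tampering. The script below is an added example, not Tripwire VIA or any vendor's code, that implements that correlation over a constructed timeline of the same events. The event schema, the stage names in the policy chain, the assumed internal address ranges (10.0.0.0/8, 192.168.0.0/16) and the sample data are all illustrative assumptions.

```python
"""Correlate change (FIM) events with log events to surface one attack chain.

Added example, not Tripwire VIA or any vendor's code. The event schema, the
policy chain, the internal ranges and the sample timeline are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str            # "log" (log management/SIEM) or "change" (FIM)
    kind: str              # normalised event type, e.g. "user_added"
    actor: str = ""        # account responsible, if known
    detail: dict = field(default_factory=dict)


# Assumed internal address space; any other FTP destination counts as foreign.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_foreign(ip: str) -> bool:
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def flag_brute_force(events: list[Event], threshold: int = 10,
                     window: timedelta = timedelta(minutes=15)) -> list[Event]:
    """Log-only stage: relabel a login_success that follows at least
    `threshold` failures for the same account inside `window`."""
    out, failures = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "login_failed":
            failures.setdefault(e.actor, []).append(e.ts)
        elif e.kind == "login_success":
            recent = [t for t in failures.get(e.actor, []) if e.ts - t <= window]
            if len(recent) >= threshold:
                e = Event(e.ts, e.source, "login_after_bruteforce", e.actor,
                          {**e.detail, "failures": len(recent)})
        out.append(e)
    return out


# A policy is an ordered chain of predicates that must all match, in order,
# within one window. The stages alternate between log and change events on
# purpose: neither stream on its own contains the whole chain.
Predicate = Callable[[Event], bool]
CHAIN: list[tuple[str, Predicate]] = [
    ("credential attack (log)", lambda e: e.kind == "login_after_bruteforce"),
    ("new account created (change)", lambda e: e.kind == "user_added"),
    ("system tampering (change)", lambda e: e.kind in
        ("logging_disabled", "ftp_enabled", "dll_modified")),
    ("exfiltration (log)", lambda e: e.kind == "ftp_transfer"
        and "dst" in e.detail and is_foreign(e.detail["dst"])),
]


def correlate(events: list[Event],
              window: timedelta = timedelta(hours=2)) -> list[dict]:
    """Walk the merged, time-ordered stream and emit one alert each time every
    stage of CHAIN has matched in order within `window` of the first match."""
    alerts, stage, matched = [], 0, []
    for e in flag_brute_force(events):
        if matched and e.ts - matched[0].ts > window:
            stage, matched = 0, []           # chain went stale; start over
        if CHAIN[stage][1](e):
            matched.append(e)
            stage += 1
            if stage == len(CHAIN):
                alerts.append({
                    "stages": [name for name, _ in CHAIN],
                    "sources": sorted({m.source for m in matched}),
                    "actors": sorted({m.actor for m in matched if m.actor}),
                    "span_seconds": (matched[-1].ts - matched[0].ts).total_seconds(),
                })
                stage, matched = 0, []
    return alerts


def sample_events() -> list[Event]:
    """Constructed timeline (not real data) mirroring the events on the slide."""
    t0 = datetime(2010, 2, 1, 2, 0)

    def m(n):
        return t0 + timedelta(minutes=n)

    ev = [Event(t0 + timedelta(seconds=10 * i), "log", "login_failed", "admin",
                {"src": "10.1.2.3"}) for i in range(10)]
    ev += [
        Event(m(2), "log", "login_success", "admin", {"src": "10.1.2.3"}),
        Event(m(5), "change", "user_added", "admin", {"new_user": "svc_bkp"}),
        Event(m(9), "change", "ftp_enabled", "svc_bkp"),
        Event(m(11), "change", "logging_disabled", "svc_bkp"),
        Event(m(14), "change", "dll_modified", "svc_bkp",
              {"path": "C:\\Windows\\System32\\example.dll"}),
        Event(m(20), "log", "ftp_transfer", "svc_bkp",
              {"dst": "203.0.113.7", "bytes": 48_000_000}),
    ]
    return ev


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

Feeding only the log events or only the change events into `correlate()` produces no alert, which is the point of the slides: the brute-force stage lives in the logs, the account and tampering stages in the change stream, and the outbound transfer back in the logs, so the chain only closes when both streams are merged and evaluated against one policy.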
Solution:




Questions

John Kindervag | Forrester Research        Cindy Valladares | Tripwire
jkindervag@forrester.com                   cvalladares@tripwire.com
www.forrester.com                          www.tripwire.com
                                           Twitter: @cindyv @TripwireInc

Editor's Notes

  • #29 Many organizations have file integrity monitoring, log management and even event management solutions in place. But the average time it takes these same organizations to discover that a breach has occurred is months. During that time their critical data and infrastructure are at risk of compromise, if they have not already been compromised. There is an industry-wide problem: the time it takes to discover breaches is far too long and it needs to be shortened.
  • #30 The cost of this time delay is enormous. These organizations not only suffer monetarily; their "mojo" is also badly damaged. They lose shareholder trust and value. Their name remains in the press, and in presentations like this, for a very long time.
  • #31 Automated help is needed to enable these organizations to know more quickly that their data is at risk due to breach activity. They need to close the breach-to-discovery time gap.
  • #36 Tripwire VIA delivers intelligent threat control by providing: Visibility across your infrastructure, to know what is happening at all times. Intelligence, to know which changes or events are suspect and may put your infrastructure and data at risk of compromise. Automation, to help you categorize high-risk changes and events, remediate certain conditions, and automate compliance requirements such as reporting.