The new Payment Card Industry Data Security Standard version 3.0 is the global compliance standard for organizations processing credit card payments and it’s more security-centric than ever. Regardless of your PCI DSS compliance audit readiness, how will PCI 3.0 help protect against common cyber threats? How are cyber criminals able to routinely steal credit card and personal information, and what can you do now to protect your customer and transaction data? Brian Honan (CISM,CGEIT, CRISC) is an information systems and cybersecurity specialist and a member of the Advisory Group on Internet Security to Europol’s Cyber Crime Centre (EC3) on breach investigations. Honan joins Joel Barnes (CISSP), Senior Systems Engineer for Tripwire, to share recent and likely breach scenarios that PCI compliant organizations face now. You will learn: •The top three things PCI compliant organizations overlook most frequently •The most likely attacks scenarios targeting PCI compliant organizations and how to protect against them •How to prepare for the inevitable breach: building an effective breach response plan

2. 3
2
1

4. “Total Global Impact of CyberCrime US $3 Trillion, making it more profitable
than the global trade in marijuana, cocaine and heroin combined.”
-Europol Serious & Organised Threat Assessment 2013

5. IT security is no longer a trivial issue and is now becoming
part of a company’s boardroom discussion

21. PCI DSS 3.0

22. How Secure Is Your Cardholder Data?

23. How To Protect

25. Identify & Value Key Assets

27. Recommendation: Have meetings with Application Developers, Networking and Security
teams to understand and document current state and communicate expectations. Use
some type of discovery tool to aid your inventory work.

29. Recommendation: Vulnerability scanning, and security configuration assessments can validate
mitigations. Tripwire’s solutions produce audit-ready reporting, including a special PCI 3.0
Reporting Pak we have available to our Log Center customers.

30. Recommendation: Centrally manage (discover, monitor, report,
log) on your wireless infrastructure to get visibility early
for PCI (ASV)

31. Monitor & Respond

32. Recommendation: Work across development and IT operations to clearly define
access rights based on consistent roles and business purpose. Divide the work
into business units for clearer ownership as well as executive support.
Ponemenon Risk-Based
Security - Only 34% of the
retail sector measure the
reduction in access and
authentication violations to
assess risk management efforts
Verizon’s 2014 PCI
Compliance Report shows that
64.4% of accounts with access
to cardholder data failed to
restrict access to just one user
— limiting traceability and
increasing security risk.

33. Security Awareness Training

34.  95% of Breaches Were Due to “Human Error”
- IBM
 90% of Malware Requires Human Interaction
- Symantec
 100% of Successful Attacks Compromised The Human
- Mandiant
 64% of Orgs See Security Awareness As a Challenge
- E&Y 2010
 3 times as many breaches are caused by accidental insider
activity than malicious intent
- Open Security Foundation
The Human Element

35. How Secure Is Your Provider?

36. Business Context – connect your
security efforts to what matters
to your business
Security Automation – apply
intelligence and drive automation
for more effective operations
Enterprise Integration – across
our portfolio and also with other
security ecosystem partner solutions

37. http://www.tripwire.com/securescan/

38. 3
2
1

39. tripwire.com | @TripwireInc
@BrianHonan