Starting Jan. 1, any business that stores, processes or transmits payment card data must comply with the new Payment Card Industry Data Security Standard version 3.0 (PCI DSS 3.0). The PCI Security Standards Council initially created the requirements, which are updated every three years, to help businesses protect their customers' payment card information.
Trustwave, with its industry-leading managed security and compliance services, is helping businesses of all sizes enhance their security first, so that they inherently become compliant and maintain compliance with PCI 3.0.
"We are flipping the traditional compliance process on its head by offering tools merchants need to secure their environment first," said Michael Aminzade, VP of global compliance at Trustwave. "Compliance does not necessarily equal security. Many merchants assume that because they are PCI compliant, security is automatic. This can be a very costly mistake."
With this path in mind, Trustwave helps organizations:
Get secure first: Trustwave technologies, services and experts help businesses rethink the compliance process so that security plays a bigger role. Instead of focusing on simply "checking the box" to meet the guidelines, businesses should focus on how to secure their environment first, so that they inherently become compliant. Through its Managed Security Services program, available through the cloud-based Trustwave TrustKeeper portal, Trustwave encourages businesses to follow that model.
For example, Trustwave helps businesses install, update and monitor web application firewalls, anti-malware software, unified threat management, SIEM, intrusion detection systems and network access control. Trustwave experts also help them perform automated vulnerability scanning, card data scanning, file integrity monitoring and penetration testing. Most of these controls map directly to PCI DSS requirements (anti-malware, logging and monitoring, file integrity monitoring, quarterly vulnerability scanning and annual penetration testing among them), so businesses must operate them continuously, not just at assessment time, to maintain compliance with PCI 3.0.
Finding enough staff and skillsets in-house to effectively manage security technologies is oftentimes challenging for businesses. Trustwave Managed Security Services helps fill that gap, allowing the in-house IT team to focus on other revenue-generating priorities, while Trustwave experts focus on security and compliance.
Meet the new requirements: Under PCI 3.0, if merchants use network segmentation to reduce the scope of their cardholder data environment, they must penetration test the segmentation controls to verify that the boundaries are operational and effective (that is, that out-of-scope systems really cannot reach in-scope ones). Pen testing helps businesses find and remediate security weaknesses in their infrastructure before criminals can exploit them.
Trustwave Managed Security Testing, which consists of automated vulnerability scanning and pen testing across all assets, helps businesses meet the PCI 3.0 requirements and track their findings in the TrustKeeper portal. The program is flexible: If businesses make changes within their infrastructure (e.g., introducing a new internet connection or deploying a new point-of-sale system) that would widen their scope for PCI 3.0 compliance, they can retest the added systems to make sure the segmentation boundary still meets the requirements.
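The segmentation check described above, as an added example that is not part of the original article and not Trustwave's own tooling: a small reachability probe that is run from an out-of-scope host against the addresses and ports of in-scope cardholder data environment (CDE) services. Any service that answers is a segmentation finding. The target list, the labels and the local listener used to demonstrate a "reachable" result are constructed for this example; a real test would substitute the documented CDE inventory and run from each network segment claimed to be out of scope.

```python
"""Segmentation reachability probe (added example, not from the original page).

Run from a host that is supposed to be OUT of PCI scope. Every CDE service
that accepts a TCP connection from here contradicts the segmentation claim.
"""
import socket
import socketserver
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    """One in-scope service to probe. Labels are hypothetical for this example."""
    host: str
    port: int
    label: str


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes (service reachable).

    Refused, filtered (timed out) and unresolvable targets all count as unreachable,
    which is the expected result from an out-of-scope vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(targets, timeout: float = 1.0):
    """Probe every target; return the subset that is reachable (the findings)."""
    return [t for t in targets if probe(t.host, t.port, timeout)]


def summarize(findings) -> str:
    """Human-readable verdict: empty findings means the boundary held for this run."""
    if not findings:
        return "segmentation boundary held: no in-scope service reachable"
    lines = ["SEGMENTATION FINDINGS (reachable from out-of-scope host):"]
    lines += [f"  {t.label} {t.host}:{t.port}" for t in findings]
    return "\n".join(lines)


# --- demo helpers: a local listener standing in for a mis-segmented CDE host ---
class _SilentHandler(socketserver.BaseRequestHandler):
    def handle(self):
        pass  # accept and close; we only care that the connection completes


def start_listener(host: str = "127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral port; return (server, port)."""
    server = socketserver.TCPServer((host, 0), _SilentHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def find_closed_port(host: str = "127.0.0.1") -> int:
    """Bind-then-release an ephemeral port so we have one that is almost surely closed."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo: one "CDE" service that is wrongly reachable, one that is not.
    server, open_port = start_listener()
    targets = [
        Target("127.0.0.1", open_port, "pos-db (constructed)"),
        Target("127.0.0.1", find_closed_port(), "card-vault (constructed)"),
    ]
    try:
        print(summarize(check_segmentation(targets)))
    finally:
        server.shutdown()
        server.server_close()
```

In practice the probe is one input to the segmentation test, not the whole test: a passing run only shows that the specific ports probed were not reachable from the specific host the tester used, so the target list must cover every in-scope service and the run must be repeated from every segment claimed to be out of scope, and again after any change that could widen scope.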
Get compliant as an SMB: Trustwave has released a new version of its PCI Manager to help small- and medium-sized businesses (SMBs) bolster their security first, so they inherently become compliant. PCI Manager 5.0 is designed to help SMBs go beyond compliance by integrating security tools into the process as merchants certify compliance in the Trustwave TrustKeeper portal.
Before filling out their self-assessment questionnaires (SAQs), merchants can deploy a suite of tools that help secure their environment and also fulfill some of their compliance obligations. The tools include anti-malware protection, file integrity monitoring, rogue device detection and others.
Based on information provided by the merchants' payment processors and acquiring banks, as well as these deployed security tools, PCI Manager 5.0 automatically pre-fills some of the questions in the SAQs so the process is easier for the retailer.
Get compliant as an enterprise: Trustwave has updated its Trustwave Compliance Manager to help enterprises fulfill the requirements of PCI 3.0. A Qualified Security Assessor (QSA) works with enterprises as they move through the compliance process by conducting a risk assessment, creating a compliance report, identifying non-compliance action items and guiding remediation of those items so the enterprise complies with the standard.
Trustwave has integrated the new PCI requirements into Trustwave Compliance Manager so enterprises receive a 3.0-specific assessment.
The service also includes:
- PCI Readiness: Trustwave helps businesses prepare for third-party validation and ongoing PCI compliance. A QSA meets with businesses to confirm they have everything they need and are taking steps to meet the new requirements.
- PCI Gap Assessment: Trustwave assists in identifying incomplete requirements and prioritizing areas that need remediation.
- PCI SMB/Remediation: Trustwave PCI experts provide consulting services to help businesses meet the administrative, technical and/or security requirements of the standard.
- PCI Compliance Validation Service: Trustwave experts validate whether a business's existing PCI security operations and controls meet the 3.0 requirements.
In addition to the PCI DSS, Trustwave Compliance Manager helps enterprises comply with other mandates, including HIPAA and the Sarbanes-Oxley Act.
Get compliant and maintain compliance: To assist businesses in complying with PCI 3.0 and maintaining compliance, Trustwave also offers the following:
- Incident response readiness and two-factor authentication: PCI 3.0 requires greater transparency, responsibility and accountability from third-party providers. External providers must document which PCI requirements they manage on the merchant's behalf and how they are protecting cardholder data. The Trustwave Incident Response & Readiness program helps, among other things, businesses identify poor security practices by their third-party providers. Under the program, organizations conduct breach response drills to discover weaknesses, including poor practices by external vendors such as remote-access accounts protected by weak, shared or default passwords. Where that is the finding, businesses can deploy Trustwave Two-Factor Authentication so that a compromised password alone is not enough to gain access.
- Security awareness education training: PCI 3.0 includes a new requirement mandating that point-of-sale devices must be inspected periodically to ensure they have not been physically tampered with or swapped out. Trustwave Security Awareness Education training teaches employees the signs to look for, both physical and online, that may indicate tampering or a breach.
Abby Ross is media relations manager at Trustwave.