It’s big. It’s bigger than you think. On January 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 becomes the global PCI audit standard. In this webinar, PCI QSA Jeff Hall shares the biggest gotchas that he’s encountered while working with clients. Key insights will include: • How will auditors’ requirements increase notably? • What are the foreseeable problem hot spots? • Why won't steps for passing PCI 2.0 cut it for 3.0? You’ll also get a helpful checklist for 3.0 late starters!

3. 1
2
3

7. http://itrevolution.com/pci-scoping-
toolkit/
Recommendation: Have meetings with Application Developers, Networking and Security
teams to understand and document current state and communicate expectations. Use
some type of discovery tool to aid your inventory work.

8. Recommendation: Vulnerability scanning, and security configuration assessments
can validate mitigations. Tripwire’s solutions produce audit-ready reporting, including
a special PCI 3.0 Reporting Pak we have available to our Log Center customers.

9. Ponemenon Risk-Based
Security - Only 34% of the retail
sector measure the reduction in
access and authentication
violations to assess risk
management efforts
Verizon’s 2014 PCI
Compliance Report shows that
64.4% of accounts with access
to cardholder data failed to
restrict access to just one user
— limiting traceability and
increasing security risk.
Recommendation: Work across development and IT operations to clearly define
access rights based on consistent roles and business purpose. Divide the work
into business units for clearer ownership as well as executive support.

10. for PCI (ASV)
Recommendation: Centrally manage (discover, monitor, report, log) on your
wireless infrastructure to get visibility early

11. Recommendation: Accept that this is really difficult to do and begin to hone
and develop ways to create and manage these inventories

12. Recommendation: Accept that this is really difficult to do and begin to hone
and develop ways to create and manage these inventories and security steps

13. Recommendation: The PCI DSS 3.0 requirements advise you implement these now as
“Best Practices” knowing in July they require audit compliance. Whenever penetration
test findings need remediation – you can use vulnerability scanning and configuration
assessments to validate the corrections are in place.

14. There are more
than a billion
active credit
and debit cards
in the U.S., and
nearly 48% of
those are
breached
annually at the
point of sale!

15. There are more
than a billion
active credit
and debit cards
in the U.S., and
nearly 48% of
those are
breached
annually at the
point of sale!
Recommendation: Focus on security awareness training at the endpoint to train non-technical
resources of what to look for and be clear as to what your expectations are

16. Only 41 percent of the
retail sector uses
penetration testing
to identify security risks
for PCI (ASV)
Recommendation: Immediately begin to document and track all threats and
vulnerabilities to your environment for the last 12 months

17. Recommendation: Have conversations with your MSSP, vendors and service providers
to ask them to document scoping and enter into a formal, written agreement about it

24. tripwire.com | @TripwireInc