Tripwire Announces Comprehensive Support for PCI DSS 3.1

Industry-leading solutions provide continuous analysis of compliance, complete visibility into weak encryption for retail and hospitality sector

PORTLAND, Ore. July 8, 2015 Tripwire, Inc., a leading provider of advanced threat, security and compliance solutions, today announced comprehensive platform and policy support for Payment Card Industry Data Security Standard (PCI DSS) version 3.1 requirements in both Tripwire® Enterprise and Tripwire IP360. Tripwire is a certified PCI-Approved Scanning Vendor (ASV).

Tripwire solutions close the retail and hospitality threat gap by providing the broadest PCI platform and policy support in the industry and are used to protect the largest, most sensitive retail networks in the world. By combining the power of continuous attack surface analysis, continuous configuration assessment, threat detection and file integrity monitoring (FIM), Tripwire solutions deliver continuous compliance and automated audit evidence collection, including identification of all levels of encryption.

Tripwire PCI DSS support includes:

  • Complete visibility into all levels of encryption, including identification of all instances of SSL and early versions of TLS.
  • Comprehensive end-to-end monitoring and protection of the entire PCI infrastructure from point-of-sale devices (POS) to servers that store, transmit or process cardholder data.
  • Detailed inventories of hardware and software, including version numbers, patch status and identification of non-PCI compliant configuration settings.
  • Dynamic, real-time change intelligence that prioritizes changes and events that contribute to PCI compliance “drift” and quickly identifies suspicious activity, including unauthorized system access.

“The fact that the PCI Council decided an out-of-band update to the standard was necessary speaks to the urgency and intensity of threats targeting retail organizations,” said Ken Westin, senior security analyst f or Tripwire. “Forensic investigations of retail breaches indicate that vulnerabilities inherent in these protocols, which predate the cybersecurity threats currently targeting retail organizations, are a key component of many recent breaches.”

The recent plague of high-profile retail data breaches has resulted in increased scrutiny of the security measures used to protect cardholder data. The updated standard addresses inherent vulnerabilities identified by the National Institute of Standards and Technology (NIST) within the Secure Sockets Layer (SSL) encryption protocol and early versions of Transport Layer Security (TLS) that can put payment data at risk.

“Although PCI DSS 3.1 has a ‘sundown’ period that’s one year away, the council has made this revision effective immediately, and organizations that are still using these protocols are required to have risk mitigation and migration plans in place,” said Westin. “This means that retailers need complete visibility into where these protocols are in their environments as well as what versions and encryption strengths are being used, and they should begin the migration process as soon as possible.”

Tripwire Enterprise, an industry-leading security and compliance management solution, dramatically simplifies visibility, automation, assessment and remediation of thousands of configuration variables. With a library of over 600 policy platform combinations, it includes the most comprehensive platform and policy support in the industry. Tripwire IP360, a true enterprise-class vulnerability management solution, discovers a broad range of operating systems, more than 15,000 applications and over 100,000 conditions, including vulnerabilities and configurations. Furthermore, the integration of Tripwire Enterprise and Tripwire IP360 allows organizations to view and evaluate their entire security posture and quickly focus their remediation efforts on the highest risks to the most critical assets.

“The fact that the PCI Council is specifically calling out technologies as insecure is significant, because in the past, the council has relied on the QSA’s personal awareness and knowledge of which encryption methods are sufficient", said Adrian Sanabria, senior security analyst for 451 Research. “In my former life as a QSA, I often found gaps between the encryption settings or protocols people thought were in use and those that were actually in use. Any product that provides visibility and clarity into whether vulnerable protocols are in use provides an obvious benefit to the assessed organization and the assessor.”

For more information about Tripwire PCI DSS support, please visit: https://www.tripwire.com/regulatory-compliance/pci-dss-compliance/.

About Tripwire

Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at tripwire.com, get security news, trends and insights at https://www.tripwire.com/blog/ or follow us on Twitter @TripwireInc.



Press Contacts

Ray Lapena
PR Manager
714.624.8862
pr@tripwire.com