PCI DSS 3.2 Compliance with Tripwire: A UL White Paper
Learn from the experts the best practices for employing Tripwire products to achieve and maintain PCI compliance.
Any entity that processes, transmits or stores account data1, or can impact the security of cardholder data environment (CDE)2, is required to be compliant to the Payment Card Industry Data Security Standard (PCI DSS). In PCI DSS all system components3, processes and people that are included in or connected to the CDE, or can impact the security of the CDE, are considered in-scope. PCI DSS comprises of 12 high level requirements. Each high level requirement includes a number of low-level requirements and each low-level requirement consists of one or more testing procedures. PCI DSS version 3.2 includes 270+ low-level requirements and 460+ testing procedures. The low-level requirements will be referred to as the “requirements” from this point onward.
During a PCI DSS assessment, testing procedures are followed by qualified security assessors (QSAs) to validate if in- scope system components, processes and people meet the intents of the requirements. This whitepaper examines the functionalities provided by Tripwire Enterprise, Tripwire Log Center and Tripwire IP360 that can be used to assist entities meeting a number of PCI DSS requirements.
|Tripwire Enterprise||Tripwire Log Center||Tripwire IP360|
This report has been organized as follows: A brief description of the PCI DSS assessment process has been provided in the next section. The following sections cover the overviews of Tripwire Enterprise, Tripwire Log Center and Tripwire IP360, and how these products can be used to meet PCI DSS requirements.
While Tripwire products can assist entities to comply with certain PCI DSS requirements, these products might be considered to have security impacts on the CDE and therefore would be required to comply with applicable PCI DSS requirements. The last section includes technical information about these products which would be useful to understand how they meet some key PCI DSS requirements, e.g. default user names and password.
This whitepaper was prepared by UL's Transaction Security Division in conjunction with Tripwire. It is intended for security personnel who want to learn how to use Tripwire to meet specific PCI DSS 3.2 requirements. It is also useful for Qualified Security Assessors (QSAs) to highlight the key areas that Tripwire can be used to verify PCI controls.
Download the complete PDF to gain critical insights on how Tripwire products can be used to meet PCI DSS requirements.
- Cardholder data (CHD) consisting of primary account number (PAN), cardholder name, expiration date and service code
- Sensitive authentication data (SAD) which includes consisting of full magnetic stripe data or equivalent on a chip, CAV2/CVC2/CVV2/CID or PINs/PIN blocks
2 Cardholder data environment or CDE refers to the system components (e.g. servers, applications, firewalls etc.), people and processes that store, process or transmit cardholder data or sensitive authentication data. A system component that has not been segmented from the system components within the CDE is considered part of the CDE.
3 System components refer to servers, applications and network devices that are included in or connected to the CDE, or can impact the security of the CDE.