Starting Jan. 1, any business that stores, processes or transmits payment card data must comply with the new Payment Card Industry Data Security Standard version 3.0 (PCI DSS 3.0). The PCI Security Standards Council created the requirements, which are revised on a three-year cycle, to help businesses protect their customers' payment card information.
Trustwave, with its industry-leading managed security and compliance services, is helping businesses of all sizes enhance their security first, so that they inherently become compliant and maintain compliance with PCI 3.0.
"We are flipping the traditional compliance process on its head by offering tools merchants need to secure their environment first," said Michael Aminzade, VP of global compliance at Trustwave. "Compliance does not necessarily equal security. Many merchants assume that because they are PCI compliant, security is automatic. This can be a very costly mistake."
With this path in mind, Trustwave helps organizations:
Get secure first: Trustwave technologies, services and experts help businesses rethink the compliance process so that security plays a bigger role. Instead of focusing on simply "checking the box" to meet the guidelines, businesses should focus on how to secure their environment first, so that they inherently become compliant. Through its Managed Security Services program, available through the cloud-based Trustwave TrustKeeper portal, Trustwave encourages businesses to follow that model.
For example, Trustwave helps businesses install, update and monitor web application firewalls, anti-malware software, unified threat management, SIEM, intrusion detection systems and network access control. Trustwave experts also help them perform automated vulnerability scanning, card data scanning, file integrity monitoring and penetration testing. Many of these controls map directly to PCI DSS requirements (anti-malware, file integrity monitoring, intrusion detection, logging, vulnerability scanning and penetration testing among them), and all of them must be kept running and monitored, not just installed, for compliance to hold between assessments.
Finding enough staff and skill sets in-house to effectively manage security technologies is often challenging for businesses. Trustwave Managed Security Services helps fill that gap, allowing the in-house IT team to focus on other revenue-generating priorities while Trustwave experts focus on security and compliance.
Meet the new requirements: Under PCI 3.0, if merchants use network segmentation to reduce the scope of their cardholder data environment, they must penetration test the segmentation boundaries to confirm that the controls isolating the cardholder data environment actually work (Requirement 11.3.4). Pen testing helps businesses find and remediate security weaknesses in their infrastructure before criminals can exploit them.
Trustwave Managed Security Testing, which consists of automated vulnerability scanning and pen testing across all assets, helps businesses meet the PCI 3.0 requirements and track their findings in the TrustKeeper portal. The program is flexible: if businesses make changes within their infrastructure (e.g. introduce a new internet connection or deploy a new point-of-sale system) that would widen their scope for PCI 3.0 compliance, they can retest the added systems to make sure the segmentation boundary still meets the requirements.
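To make the segmentation requirement concrete, here is an added example of the most basic segmentation check a tester performs: from a host in a network segment that is supposed to be out of scope, attempt to reach the cardholder data environment (CDE) and treat every successful connection as a finding against the boundary. This is illustrative code written for this article, not Trustwave's tooling or the TrustKeeper portal; the CDE addresses, the port list and the `Target` helper are assumptions constructed for the example.

```python
"""Segmentation reachability check.

Run from a host inside an out-of-scope segment. Every CDE host:port that
accepts a TCP connection is evidence that the segmentation boundary is not
isolating the cardholder data environment. (Example code; hosts and ports
below are constructed for illustration.)
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    label: str = ""  # e.g. "POS database", "payment switch"


# Ports commonly probed in a segmentation test; extend for your environment.
COMMON_PORTS = (22, 80, 443, 445, 1433, 3306, 3389, 5900)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered, unreachable or timed out: all count as blocked.
        return False


def expand_hosts(hosts: Iterable[str], ports=COMMON_PORTS, label: str = "") -> List[Target]:
    """Build the list of host:port pairs to probe for a set of CDE hosts."""
    return [Target(h, p, label) for h in hosts for p in ports]


def check_segmentation(targets: Iterable[Target],
                       probe: Callable[[str, int], bool] = tcp_probe) -> List[Target]:
    """Return every target reachable from the probing host.

    The probe is injectable so the logic can be exercised without a network;
    an effective boundary yields an empty list.
    """
    return [t for t in targets if probe(t.host, t.port)]


def format_findings(reachable: List[Target]) -> str:
    """Render the result the way a tester would record it in a report."""
    if not reachable:
        return "PASS: no CDE targets reachable from this segment"
    lines = ["FAIL: segmentation boundary permits traffic into the CDE:"]
    lines += [f"  {t.host}:{t.port} {t.label}".rstrip() for t in reachable]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed CDE addresses (hypothetical RFC 1918 space).
    cde_targets = expand_hosts(["10.20.0.5", "10.20.0.6"], label="CDE")
    print(format_findings(check_segmentation(cde_targets)))
```

When scope changes, as the paragraph above describes, the same check is rerun with the new systems added to the target list (and, for a new internet connection, rerun from the new segment as the probing side). A real segmentation test goes further than this TCP sweep: it also covers UDP and ICMP, checks whether the out-of-scope segment can reach the CDE through intermediary systems such as jump hosts or shared management networks, and is performed from every segment that is claimed to be out of scope.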
Get compliant as an SMB: Trustwave has released a new version of its PCI Manager to help small- and medium-sized businesses (SMBs) bolster their security first, so they inherently become compliant. PCI Manager 5.0 is designed to help SMBs go beyond compliance by integrating security tools into the process as merchants certify compliance in the Trustwave TrustKeeper portal.
Before filling out their self-assessment questionnaires (SAQs), merchants can deploy a suite of tools that help secure their environment and also fulfill some of their compliance obligations. The tools include anti-malware protection, file integrity monitoring, rogue device detection and others.
Based on information provided by the merchants' payment processors and acquiring banks, as well as these deployed security tools, PCI Manager 5.0 automatically pre-fills some of the questions in the SAQs so the process is easier for the retailer.
Get compliant as an enterprise: Trustwave has updated its Trustwave Compliance Manager to help enterprises fulfill the requirements of PCI 3.0. A Qualified Security Assessor (QSA) works with enterprises as they move through the compliance process by conducting a risk assessment, creating a compliance report, identifying non-compliance action items and guiding remediation of those items so the enterprise meets the standard.
Trustwave has integrated the new PCI requirements into Trustwave Compliance Manager so enterprises receive a 3.0-specific assessment.
The service also includes:
In addition to the PCI DSS, Trustwave Compliance Manager helps enterprises comply with other mandates, including HIPAA and the Sarbanes-Oxley Act.
Get compliant and maintain compliance: To assist businesses in complying with PCI 3.0 and maintaining compliance, Trustwave also offers the following:
Abby Ross is media relations manager at Trustwave.