
QSA Shares PCI 3.0 Advice & Checklist


DESCRIPTION

It’s big. It’s bigger than you think. On January 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 becomes the global PCI audit standard. In this webinar, PCI QSA Jeff Hall shares the biggest gotchas that he’s encountered while working with clients. Key insights will include:

• How will auditors’ requirements increase notably?
• What are the foreseeable problem hot spots?
• Why won't steps for passing PCI 2.0 cut it for 3.0?

You’ll also get a helpful checklist for 3.0 late starters!


Page 7: QSA Shares PCI 3.0 Advice & Checklist

http://itrevolution.com/pci-scoping-toolkit/

Recommendation: Have meetings with Application Developers, Networking and Security teams to understand and document current state and communicate expectations. Use some type of discovery tool to aid your inventory work.

Page 8: QSA Shares PCI 3.0 Advice & Checklist

Recommendation: Vulnerability scanning and security configuration assessments can validate mitigations. Tripwire’s solutions produce audit-ready reporting, including a special PCI 3.0 Reporting Pak we have available to our Log Center customers.

Page 9: QSA Shares PCI 3.0 Advice & Checklist

Recommendation: Work across development and IT operations to clearly define access rights based on consistent roles and business purpose. Divide the work into business units for clearer ownership as well as executive support.

Ponemon Risk-Based Security: only 34% of the retail sector measure the reduction in access and authentication violations to assess risk management efforts.

Verizon’s 2014 PCI Compliance Report shows that 64.4% of accounts with access to cardholder data failed to restrict access to just one user, limiting traceability and increasing security risk.
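The traceability problem behind that Verizon figure is that a shared account cannot be tied to one person. One practical check, added here as an example and not part of the webinar or any Tripwire product, is to mine successful SSH logins for accounts that look shared: the same account authenticating with several different SSH keys or from several hosts, or a service account being used interactively. The log lines, the `SERVICE_ACCOUNTS` list and the account names are constructed for the example; the line format is standard OpenSSH `sshd` syslog output.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for this example (not data from the
# webinar): two people share "cdeadmin", "svc_batch" logs in with a
# password, and "jsmith" is an ordinary single-user account.
SAMPLE_AUTH_LOG = """\
Jan  5 08:12:01 pos-db01 sshd[2101]: Accepted publickey for cdeadmin from 10.20.1.15 port 51022 ssh2: RSA SHA256:aaaa1111
Jan  5 08:40:17 pos-db01 sshd[2190]: Accepted publickey for cdeadmin from 10.20.1.77 port 50214 ssh2: RSA SHA256:bbbb2222
Jan  5 09:02:44 pos-db01 sshd[2233]: Accepted publickey for jsmith from 10.20.1.15 port 51100 ssh2: RSA SHA256:aaaa1111
Jan  5 09:15:09 pos-db01 sshd[2301]: Accepted password for svc_batch from 10.20.1.77 port 50390 ssh2
Jan  5 09:30:00 pos-db01 sshd[2355]: Failed password for root from 203.0.113.9 port 40022 ssh2
Jan  6 07:58:33 pos-db01 sshd[3102]: Accepted publickey for cdeadmin from 10.20.1.15 port 51500 ssh2: RSA SHA256:aaaa1111
"""

# Hypothetical inventory of accounts that must never log in interactively.
SERVICE_ACCOUNTS = frozenset({"svc_batch", "svc_backup"})

# Matches OpenSSH "Accepted <method> for <user> from <src> port <n> ssh2";
# the key fingerprint suffix is only present for public-key logins.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2(?:: \w+ (?P<fp>SHA256:\S+))?"
)


def parse_accepted_logins(log_text):
    """Return one dict (method, user, src, fp) per successful login.

    Failed attempts are deliberately ignored: the question is who is
    actually using each account, not who is knocking on the door.
    """
    events = []
    for line in log_text.splitlines():
        match = LOGIN_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def find_shared_accounts(events, service_accounts=frozenset()):
    """Map account -> list of reasons it looks shared or misused."""
    sources = defaultdict(set)   # account -> source hosts seen
    keys = defaultdict(set)      # account -> SSH key fingerprints seen
    for event in events:
        sources[event["user"]].add(event["src"])
        if event["fp"]:
            keys[event["user"]].add(event["fp"])

    findings = defaultdict(list)
    for user in sources:
        # Several different keys on one account means several people
        # hold it; that is the "one user per account" failure.
        if len(keys[user]) > 1:
            findings[user].append(f"{len(keys[user])} distinct SSH keys")
        # Logins from several hosts are weaker evidence but worth a look.
        if len(sources[user]) > 1:
            findings[user].append(f"logins from {len(sources[user])} source hosts")
        # A service account appearing in interactive logins at all is a finding.
        if user in service_accounts:
            findings[user].append("service account used interactively")
    return dict(findings)


def key_to_users(events):
    """Map SSH key fingerprint -> accounts it authenticated.

    A key that also unlocks a personal account ties the shared account
    back to the individual who used it, which restores some traceability
    while the account is being split up.
    """
    users_by_key = defaultdict(set)
    for event in events:
        if event["fp"]:
            users_by_key[event["fp"]].add(event["user"])
    return dict(users_by_key)


if __name__ == "__main__":
    logins = parse_accepted_logins(SAMPLE_AUTH_LOG)
    for account, reasons in sorted(find_shared_accounts(logins, SERVICE_ACCOUNTS).items()):
        print(f"{account}: {'; '.join(reasons)}")
    for fingerprint, accounts in sorted(key_to_users(logins).items()):
        if len(accounts) > 1:
            print(f"{fingerprint} used by {', '.join(sorted(accounts))}")
```

Run against a real `/var/log/auth.log` (or the journal export of `sshd`) the same functions work unchanged; the key-fingerprint heuristic only helps where key-based authentication is enforced, which is itself a reasonable target for accounts that touch cardholder data.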

Page 10: QSA Shares PCI 3.0 Advice & Checklist

Recommendation: Centrally manage (discover, monitor, report, log) your wireless infrastructure to get visibility early.


Page 11: QSA Shares PCI 3.0 Advice & Checklist

Recommendation: Accept that this is really difficult to do and begin to hone and develop ways to create and manage these inventories.

Page 12: QSA Shares PCI 3.0 Advice & Checklist

Recommendation: Accept that this is really difficult to do and begin to hone and develop ways to create and manage these inventories and security steps.

Page 13: QSA Shares PCI 3.0 Advice & Checklist

Recommendation: PCI DSS 3.0 designates these requirements as “best practices” until June 30, 2015; implement them now, knowing that from July 1, 2015 they become mandatory and will be assessed. Whenever penetration test findings need remediation, you can use vulnerability scanning and configuration assessments to validate that the corrections are in place.

Page 14: QSA Shares PCI 3.0 Advice & Checklist

There are more than a billion active credit and debit cards in the U.S., and nearly 48% of those are breached annually at the point of sale!

Page 15: QSA Shares PCI 3.0 Advice & Checklist


Recommendation: Focus on security awareness training at the endpoint to teach non-technical staff what to look for, and be clear about what your expectations are.

Page 16: QSA Shares PCI 3.0 Advice & Checklist

Only 41 percent of the retail sector uses penetration testing to identify security risks.

Recommendation: Immediately begin to document and track all threats and vulnerabilities to your environment for the last 12 months.


Page 17: QSA Shares PCI 3.0 Advice & Checklist

Recommendation: Have conversations with your MSSP, vendors and service providers to ask them to document scoping, and enter into a formal, written agreement about it.


tripwire.com | @TripwireInc