Achieving PCI-DSS Compliance and Proving it: a Pivot Point Security Webcast  

FFIEC News

(July 24, 2008) -- John Verry (CISA) of Pivot Point Security discussed "Easing the Burden of PCI-DSS Compliance" by leveraging Security Information and Event Management (SIEM).

The 30-minute presentation, conducted in cooperation with Novell, focused on the basics of PCI-DSS compliance, the ramifications of non-compliance, major goals, and how to use automation to lower the overall cost and impact to large, complex enterprises. He emphasized the importance of provability. "Not only do you have to achieve PCI compliance, you have to prove you're compliant in the event of a security breach," Verry stated. He continued by explaining that if you fail to prove compliance with the standard in the event of a breach, the penalties can be severe: "In addition to the obvious damage to reputation, bad publicity, lawsuits and fines, your ability to process credit card transactions can be revoked."

The presentation noted the major challenges in complying with the PCI-DSS, such as the large physical scope, the high prevalence of unstructured data (that is, data outside of a formal database and found in files such as spreadsheets and word processing documents), and the burdensome costs of monitoring and proving compliance.

Verry went on to explain that a Security Information and Event Management (SIEM) solution, such as Novell Sentinel, can considerably reduce the burden on IT staff of monitoring logs and proving compliance with PCI. "In the simplest terms, SIEM solutions automate the compliance process relating to logs. They normalize and store event data, correlate it, help produce reports, issue alerts, and assist in forensic analysis," Verry said.

He also elaborated on Novell's unique ability to integrate its Identity Management (IDM) solution with Sentinel to further simplify compliance and provide the ability to detect and react to anomalous data access in real time.

Verry concluded the program by noting that leveraging technology to automate PCI-DSS compliance will also directly address other regulations, including Sarbanes-Oxley and HIPAA. He then fielded numerous questions from the attendees at the conclusion of the webcast.

To view a recorded version of the webcast, please visit:
http://www.novell.com/huddle/event/index.php?event_id=11896a3bf730516dd6



Copyright © 2007-2010 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.