The last several years have seen an unprecedented assault on personal and financial data that customers have knowingly or unwittingly entrusted to retailers, banks, service providers and credit card companies. Several large, well-known institutions and brands have been boldly exposed in the media and pummeled in the financial markets after major data security breaches within their organization were revealed.
In response, the payment card industry countered the criminal onslaught with a homegrown security initiative that is at once broader in scope and more granular in its requirements than any measures additional government regulation might have imposed. The Payment Card Industry Data Security Standard is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
In September 2006, a group of five leading payment brands, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, jointly announced the formation of the PCI Security Standards Council, an independent council established to manage the ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard.
Compliance Requirements
The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data, and affect all payment channels, including retail (brick-and-mortar), mail/telephone order and e-commerce. The core requirements are organized in six categories as outlined in the figure below.
Validation Requirements
While the newly-established PCI Security Standards Council will manage the underlying data security standard, compliance requirements are set independently by individual payment card brands. While requirements vary between card networks, MasterCard's Site Data Protection Plan and Visa's Cardholder Information Security Program are representative. They stipulate separate compliance validation requirements for merchants and service providers, which vary depending on the size of the company. Compliance levels are defined based on annual transaction volume and corresponding risk exposure as outlined in the figure below.
Validation Enforcement
While non-compliance penalties also vary among major credit card networks, they can be substantial. Participating companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance.
Since compliance validation requirements and enforcement measures are subject to change, merchants and service providers should closely monitor the requirements of all card networks in which they participate.
Solution: QualysGuard PCI
At first exposure, PCI compliance and validation requirements can appear daunting, particularly the external scan requirement. Merchants and service providers can simplify the selection process by establishing a few key selection criteria:
- Use an Approved PCI Scanning Vendor: For network scans to be valid, they must be performed by an approved PCI scanning vendor.
- Non-Intrusive Scans: Some scanning tools are more invasive than others, and customers need to be sure that these are low-touch processes that won't cause disruption on their networks.
- Accuracy: It's extremely important that a testing service be able to accurately identify real vulnerabilities and not generate a large inventory of false positives, each of which must be manually evaluated for remediation. False positives (and false negatives) can significantly and unnecessarily inflate the workloads and labor costs of maintaining PCI compliance.
- Efficient Vulnerability Remediation Process: The service provider must offer tested and documented remediation processes for all identified vulnerabilities, and provide expert technical support assistance.
- Automated Report Preparation and On-line Filing: Automatic report preparation and electronic filing greatly simplify compliance administration and reduce the attendant workload.
- Reusability of the Scan Data: The scan data being collected is valuable and is applicable beyond PCI. Being able to re-purpose the scan data in other security management processes and with other SIM tools is another thing to look for.
QualysGuard PCI — On Demand PCI
As an approved PCI scanning vendor, Qualys is fully certified to help merchants and service providers assess and achieve continuous compliance with the PCI DSS. Delivered as an on-demand Web application with no hardware or software to be installed and maintained, QualysGuard PCI is the most accurate, easiest-to-use tool for turnkey PCI compliance testing, reporting and submission. QualysGuard PCI draws upon the same highly accurate scanning infrastructure and technology as Qualys' flagship solution, QualysGuard, which is used by thousands of organizations around the world to protect their networks from the security vulnerabilities that make attacks against networks possible. It allows merchants and service providers to complete all validation requirements. Using QualysGuard PCI, users can easily complete and submit the PCI self-assessment questionnaire online, and perform pre-defined PCI scans on all external systems to identify and resolve network and system vulnerabilities as required by the PCI standard.
Key features of QualysGuard PCI:
- An online self-assessment questionnaire that lets the user revisit the questionnaire as often as necessary, and enables collaboration with other members within the organization.
- Unlimited PCI scanning for all systems within the user account. An organization can scan all external systems on a quarterly basis or on an as-needed basis in order to reach compliance.
- PCI reporting that delivers executive-level and technical reports as defined by the PCI standard.
- Online filing that automatically notifies the acquiring bank when a merchant achieves PCI compliance.
- A friendly and fast process to address and eliminate false positives detected during scans.
The most important feature of QualysGuard PCI is the Six Sigma level of accuracy made possible by the industry's most complete vulnerability knowledge base, an encyclopedic inventory of thousands of known vulnerabilities that covers all major operating systems, services and applications. The result is a current error rate of less than 3.4 defects per million production scans.
