|
What's all the fuss about PCI?
The PCI (Payment Card Industry) Security Standards Council was formed in September 2006 by brands such as American Express, JCB, Mastercard and Visa to address the ever-increasing levels of fraud that targets the personal and financial data that customers entrust to banks, retailers, credit card companies and suchlike.
The PCI DSS (Data Security Standard) was intended to establish common processes and precautions for handling credit card data. As such, the standard applies to any organisation that "stores, processes or transmits" such data, be they the original retailer, the Internet Service Provider that either hosts the data or provides the means of transporting the data, or the bank that handles funding the transactions. Thus, there are usually several organisations involved in one credit card transaction - each of which are therefore required to become compliant with the PCI DSS standard as a result.
Below are the core requirements (reproduced from the PCI Security Standards Council's version 1.1 requirements document):
| Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and mantain secure systems and applications |
| Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
| Maintain an Information Security Policy 12. Maintain a policy that addresses information security |
The requirements are also that each organisation has to prove that they are PCI DSS compliant and there are different requirements for this depending on the size of your organisation, as per the table below:
First Base Technologies' PCI Compliance Solution
After extensive research and trialing various offerings, we selected QualysGuard PCI™ as our recommended solution. We have since formed a partnership with Qualys, believing that QualysGuard PCI™ can provide our clients with the easiest, most cost-effective and highly automated way to achieve PCI DSS compliance.
So what is QualysGuard PCI™ and why do we like it?
QualysGuard PCI™ is an on-demand web application: the most accurate, user-friendly tool we found for PCI compliance testing, reporting and submission. The table shown earlier (provided by Qualys shows the type of validation actions you require depending on the size of your organisation and how QualysGuard PCI™ can address each requirement. Here's why we think QualysGuard PCI™ is the best solution:
- Achieve PCI compliance status in 3 easy steps and secure your network
- QualysGuard PCI™ is delivered as an on-demand web application so you'll have no software to deploy or maintain
- Authorised users can access QualysGuard PCI™ from anywhere that has web access
- Conveniently complete the PCI Security Council's "Self-Assessment Questionnaire" online
- Unlimited, highly accurate, on demand or scheduled network security scans
- Use of the Six Sigma quality program drives the most accurate security scans in the industry
- Submit false-positive results to Qualys Technical Support for quick resolution via the user interface
- Technical and Executive Reports generated automatically from any web browser
- Technical Report provides detailed step-by-step remediation instructions for eliminating identified security threats
- Executive Report and self-assessment questionnaire can be automatically submitted to your bank and relevant parties
- Draft versions can be saved at any time for later completion
- Multi-user support with user-rights assignments to enable effective collaboration on PCI compliance
- Easily add banks and assigned merchant identification numbers for various credit card types
- Maximum data protection provided by SAS/70 audited security architecture
- Tamperproof architecture to ensure scan results can not be manipulated
- Fantastic online help is available throughout the application
- E-mail and telephone support is available 24/7
- Click the logo below to read more...
So where does First Base Technologies fit in?
We have now undertaken PCI consultancy work for many clients, either because they are uncertain about the requirements, aren't sure which PCI scanning vendor to use, or simply can't decode the varied reports that are produced by vendors that don't use the easy-to-understand Qualysguard PCI® product.
In many cases, we have been asked to verify the results produced by PCI Scanning Vendors where those results indicate a client as being non PCI compliant. In most cases we have found that in fact the results that led to a verdict of non-compliance were false-positives. Upon our reporting as such to the client, they then either decide to switch to using QualysGuard PCI™ - which has the lowest rate of false-positives we have seen so far - or they go back to their scanning vendor and argue the case for false-positives, which usually results in the scanning vendor properly verifying the results, finding that they agree with us, and then giving PCI compliance status to the client! So, here's some examples of how we can help you achieve and sustain PCI DSS compliance:
- We can provide advice on how to achieve PCI compliance
- Our partnership with Qualys will enable you to access QualysGuard PCI™ at a discounted rate
- We can interpret reports and assist with remediation instructions, even if you don't use QualysGuard PCI™
- We can assist with any issues surrounding possible false-positives in your reports
| Want more information? |
|
