First Base Technologies

PCI Consultancy


  • Require PCI testing?
  • Concerned about confusing PCI-ASV reports?
  • Need help interpreting results and planning vulnerability fixes?
  • Not sure what all the fuss is about re PCI DSS?

Use our PCI Consultancy Services to take the headache out of your PCI-DSS compliance...


The Issues: What's all the fuss about PCI?

The PCI (Payment Card Industry) Security Standards Council was formed in September 2006 by card brands such as American Express, JCB, Mastercard and Visa to address the ever-increasing levels of fraud targeting the personal and financial data that customers entrust to banks, retailers, credit card companies and the like.

The PCI DSS (Data Security Standard) was intended to establish common processes and precautions for handling credit card data. As such, the standard applies to any organisation that "stores, processes or transmits" such data, whether that is the original retailer, the Internet Service Provider that hosts the data or provides the means of transporting it, or the bank that handles funding of the transactions. There are therefore usually several organisations involved in a single credit card transaction, each of which is required to become compliant with the PCI DSS standard as a result.

Below are the core requirements (reproduced from the PCI Security Standards Council's version 1.1 requirements document):


Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Each organisation must also prove that it is PCI DSS compliant, and the validation requirements for doing so differ depending on the size of your organisation, as per the table below:

PCI Table

The Solution: First Base Technologies' PCI Consultancy Services

After extensive research and trialling various offerings, we selected QualysGuard PCI™ as our PCI quarterly testing solution. We have since formed a partnership with Qualys, believing that QualysGuard PCI™ can provide our clients with the easiest, most cost-effective and highly automated way to achieve the quarterly scanning element of the PCI DSS requirement. Our expert penetration testing team can offer:

  •   Advice on how to achieve PCI compliance
  •   Our partnership with Qualys will enable you to access QualysGuard PCI™
  •   Interpretation of scanning reports and assistance with remediation instructions, even if you don't use QualysGuard PCI™
  •   Assistance with any issues surrounding possible false positives in your scanning reports

We have now undertaken PCI consultancy work for many clients, either because they are uncertain about the requirements, are not sure which PCI scanning vendor to use, or simply cannot decode the varied reports that PCI scanning vendors produce.

We have often been asked to verify results produced by PCI scanning vendors that indicate a client is not PCI compliant. In many cases we have found that the results that led to a verdict of non-compliance were in fact false positives. The client then either decides to switch to QualysGuard PCI™ - which has the lowest rate of false positives we have seen so far - or goes back to their scanning vendor and argues the case for false positives. This often results in the scanning vendor properly verifying the results, finding that they agree with us, and changing the PCI scan results to compliant. These are just some examples of how we can help you achieve and sustain PCI DSS compliance, in particular with regard to the quarterly scanning requirement.

So what is QualysGuard PCI™ and why do we like it?

QualysGuard PCI™ is an on-demand web application: the most accurate, user-friendly tool we found for PCI compliance testing, reporting and submission. The table shown earlier (provided by Qualys) shows the type of validation actions you require depending on the size of your organisation and how QualysGuard PCI™ can address each requirement. Here's why we think QualysGuard PCI™ is the best solution:

  •   Achieve PCI compliance status in 3 easy steps and secure your network
  •   QualysGuard PCI™ is delivered as an on-demand web application so you'll have no software to deploy or maintain
  •   Authorised users can access QualysGuard PCI™ from anywhere that has web access
  •   Conveniently complete the PCI Security Council's "Self-Assessment Questionnaire" online
  •   Unlimited, highly accurate, on demand or scheduled network security scans
  •   Use of the Six Sigma quality program drives the most accurate security scans in the industry
  •   Submit false-positive results to Qualys Technical Support for quick resolution via the user interface
  •   Technical and Executive Reports generated automatically from any web browser
  •   Technical Report provides detailed step-by-step remediation instructions for eliminating identified security threats
  •   Executive Report and self-assessment questionnaire can be automatically submitted to your bank and relevant parties
  •   Draft versions can be saved at any time for later completion
  •   Multi-user support with user-rights assignments to enable effective collaboration on PCI compliance
  •   Easily add banks and assigned merchant identification numbers for various credit card types
  •   Maximum data protection provided by a SAS 70 audited security architecture
  •   Tamperproof architecture to ensure scan results cannot be manipulated
  •   Fantastic online help is available throughout the application
  •   E-mail and telephone support is available 24/7


Want more information?
  •   Phone Andy on +44 (0)1273 45 45 25


E&OE
© 2001-2008 First Base Technologies - All Rights Reserved.