RealTime IT News

Updating PCI Compliance Tools

Security assessment firm Qualys today released QualysGuard PCI 2.0, the latest version of its Payment Card Industry (PCI) compliance testing tool, which lets merchants assess the systems that store, process or transmit cardholder data and ensure safe transactions.

PCI compliance testing, which measures how well a firm protects credit card transactions and cardholder data, has taken on increasing urgency in light of the TJX breach, where there were numerous points of failure along the way that would have been caught had the company been more careful.

Even with the TJX example, as of four months ago, only about 30 percent of merchants were PCI-compliant, according to Amer Deeba, vice president of product marketing for Qualys.

"Everyone is trying to figure out what to do and what the scope is and how to do it," he told InternetNews.com. "Some of these vendors are dealing with legacy systems. I think going into 2008 you will see many more merchants get compliant because they have to."

QualysGuard PCI 2.0 features a new interface and a more modular approach to testing, so companies can break down their compliance testing by department. Because payment processing tends to be woven throughout a company, it is not easy to isolate just the payment systems for testing.

"The PCI credit card activities touch a number of parts of the company. We're kind of like a larger company in that we have these intermingled systems and it's hard to carve off the PCI business from our other systems," said Dennis Kavanaugh, director of information security and risk management at Palm. While a vendor of hardware and software, Palm is also a merchant that handles its share of credit card transactions, and it needs to be PCI compliant as much as Best Buy does.

So QualysGuard PCI 2.0 allows divisions and departments to be tested individually through what the company calls segmented scanning. When compliance is reached on all systems, a single report is generated and sent to the merchant's acquiring banks.

Version 2.0 also sports a real-time dashboard for monitoring tests as they take place and flagging problems as they are found. Merchants can now also run reports with specific, advanced search criteria, including host name, IP address and vulnerability severity. It also has an interactive self-assessment questionnaire with tips for improving compliance, and it now supports submitting compliance reports and questionnaire results to multiple banks at once.

Kavanaugh said Palm was not PCI compliant when he joined the company last year, but it is now thanks to the use of QualysGuard for testing. "It makes the process of demonstrating compliance easier. When I joined Palm, we were using another product and it was more difficult for us to interact with this service provider, get the data, and get it to the people who needed it," he said.

QualysGuard PCI 2.0 is available immediately at a starting price of $495 for an annual subscription.