RealTime IT News

Policing Credit-Card Data -- On Demand

Software on demand isn't just about CRM software. Vulnerability management providers are getting in on the action, too.

Take Qualys, which makes on demand vulnerability management and policy compliance solutions.

The Redwood City, Calif.-based company has just launched its spring release of QualysGuard 4.0, and with it a policy-compliance software development kit (SDK), an application library, and a real-time executive dashboard to help managers keep their data straight.

In addition, the company announced that it has successfully completed the MasterCard Site Data Protection (SDP) compliance testing process and extended its QualysGuard on demand vulnerability management platform to include automated, self-service SDP compliance testing and reports.

What that means, company officials explained, is that Qualys is certified to help online merchants and their consultants evaluate the security of Web sites that store MasterCard account data, and achieve compliance with the Payment Card Industry (PCI) Data Security Standard. The deadline for online merchants to show major credit-card providers such as Visa and MasterCard that they have secured customer data is June 30.

As of that date, for example, MasterCard will require online merchants processing over $125,000 in monthly MasterCard gross volume to perform an annual self-assessment and quarterly network scan.

For many online merchants, that means either hiring more IT staff to perform the work, buying new software to boot, or perhaps going the software-by-subscription route.

As it positions itself to provide the vulnerability assessments on demand, Qualys CEO and Chairman Philippe Courtot said the company achieved compliance status by proving its ability to detect, identify and report vulnerabilities common to flawed Web site architectures and configurations.

"These vulnerabilities, if not patched in actual merchant Web sites, could potentially lead to an unauthorized intrusion," he said. "By proactively identifying and providing the opportunity to remedy such vulnerabilities, SDP-compliant products offer a means for reducing risk of intrusion and data compromise."

For example, the QualysGuard vulnerability management platform includes a pre-defined scan profile that enables merchants and their consultants to scan payment systems as per MasterCard's requirements. Courtot said merchants and consultants are then given a blueprint for correcting found vulnerabilities. If they don't fix all medium-to-severe security risks discovered by the Qualys scan, they don't get a passing grade to report to the credit-card company.

For some clients, the first few scans can be dispiriting when they see the problems that need fixing. "It's kind of like going to the gym" after being away for a while, Courtot added. "After a while, though, it gets easier."

Once merchants have fixed the vulnerabilities, QualysGuard auto-generates an SDP compliance report that can be submitted directly to the acquiring bank.
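The scan, fix and report cycle described above, as an added example that is not Qualys' or MasterCard's code: a merchant passes only when no open finding at or above the "medium" threshold remains, and the remediation plan lists the worst problems first. The severity scale, the finding fields and the sample findings are constructed assumptions for this example, not the actual SDP scan format.

```python
"""Pass/fail gate for a PCI-style vulnerability scan.

Rule modelled on the article: any open medium-or-worse finding blocks a
passing grade. Severity names, data fields and sample findings below are
constructed assumptions, not the real SDP/QualysGuard report format.
"""
from __future__ import annotations

from dataclasses import dataclass, replace

# Assumed ordinal severity scale; the article only says "medium-to-severe".
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
FAIL_THRESHOLD = "medium"  # lowest severity that blocks a passing grade


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str
    fixed: bool = False  # set True once the merchant has remediated it


@dataclass(frozen=True)
class ScanReport:
    passed: bool
    blocking: tuple[Finding, ...]          # open findings at/above threshold
    remediation_plan: tuple[Finding, ...]  # the "blueprint": worst first


def evaluate_scan(findings: list[Finding], threshold: str = FAIL_THRESHOLD) -> ScanReport:
    """Return pass/fail status plus an ordered remediation list."""
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold {threshold!r}")
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f.severity!r} on {f.host}")
    bar = SEVERITY_RANK[threshold]
    blocking = tuple(f for f in findings
                     if not f.fixed and SEVERITY_RANK[f.severity] >= bar)
    # Worst first, so the most dangerous issue is fixed before the next scan.
    plan = tuple(sorted(blocking, key=lambda f: -SEVERITY_RANK[f.severity]))
    return ScanReport(passed=not blocking, blocking=blocking, remediation_plan=plan)


def mark_fixed(findings: list[Finding], fixed_titles: set[str]) -> list[Finding]:
    """Model the merchant remediating findings before a re-scan."""
    return [replace(f, fixed=True) if f.title in fixed_titles else f
            for f in findings]


def format_report(report: ScanReport) -> str:
    """Human-readable summary suitable for handing to an acquiring bank."""
    lines = ["STATUS: " + ("PASS" if report.passed else "FAIL")]
    for n, f in enumerate(report.remediation_plan, 1):
        lines.append(f"{n}. [{f.severity.upper()}] {f.host}: {f.title}")
    return "\n".join(lines)


# Constructed sample findings for one fictional merchant.
SAMPLE_FINDINGS = [
    Finding("shop.example.test", "Outdated TLS configuration", "medium"),
    Finding("shop.example.test", "SQL injection in search form", "critical"),
    Finding("shop.example.test", "Server banner discloses version", "low"),
    Finding("db.example.test", "Database port reachable from the Internet", "high"),
]

if __name__ == "__main__":
    first = evaluate_scan(SAMPLE_FINDINGS)
    print("First scan:\n" + format_report(first))
    after_fixes = mark_fixed(SAMPLE_FINDINGS, {f.title for f in first.blocking})
    print("\nRe-scan:\n" + format_report(evaluate_scan(after_fixes)))
```

The low-severity banner finding never blocks the grade, which matches the article's "medium-to-severe" wording; raising or lowering `threshold` changes the gate without touching the findings themselves.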

Company officials said the Vendor Compliance Program process includes a rigorous evaluation cycle that spans a wide range of Web servers, firewalls, and operating systems - an environment controlled and managed by MasterCard. Courtot said the SDP Compliance Testing program is an expansion of MasterCard's SDP Program, which the company devised alongside the data-security deadline it set for merchants.

Avivah Litan, who covers online payments as vice president and research director at Gartner, said the payment card industry's security requirements (PCI, SDP, Visa CISP) apply to all merchants with an Internet-facing IP address, not just those doing e-commerce, which makes the number of retailers affected by this program significant.

"The payment card industry's security standards are converging, which will simplify the compliance process, but achieving compliance with these standards can still be very costly for both merchants and acquiring banks," Litan said. "The more the process can be streamlined and automated, the easier it will be for everyone."

The Qualys release comes at a time when data security breaches have become all too common in the news, and as Congress mulls new legislation on protecting customer data. It all adds up to an industry sector keen to adopt new security measures as quickly as possible.

Enter on demand software. Courtot said on demand, or software as a service, is just starting to take hold in the online payments industry, as the software itself has improved from the rough days of the ASP model a few years back.

"The ASP model didn't work with existing software and hosting infrastructure, because for the most part, you couldn't make money at it," he said. The more customers a provider had, the more it cost the ASP to do business.

"Today, it's a completely different architecture," he added. Now, the model works for customers because for starters, there is no software for the customer to install. Secondly, he added, the software is of higher quality. Since you have to deploy it in an environment you don't control, the provider has to invest heavily in quality-assurance practices.

In addition to the online retailer vulnerability services, Qualys has also developed a library of pre-built applications that allow customers to determine the security status of specific corporate assets and compare them to internal policies and external standards.

Officials said the library, which leverages new and existing APIs to extend the reach of the QualysGuard platform, currently includes more than 15 applications with new applications being developed and delivered weekly to customers.

It includes regulatory reporting tools geared for compliance for Sarbanes-Oxley, HIPAA and other federal mandates that involve data retention.