Policing Credit-Card Data — On Demand

Software on demand isn’t just about CRM software.
Vulnerability management providers are getting in on the action, too.

Take Qualys, which makes on demand vulnerability management and policy
compliance solutions.

The Redwood City, Calif-based company has just launched its spring
release of QualysGuard 4.0, and with it, a policy-compliance software
development kit (SDK) and application library and real-time executive
dashboard to help managers keep their data straight.

In addition, the company announced that it has successfully completed the
MasterCard Site Data Protection (SDP) compliance testing process and
extended its QualysGuard on demand vulnerability management platform to
include automated, self-service SDP compliance testing and reports.

What that means, company officials explained, is that Qualys is certified
to help online merchants and their consultants evaluate the security of Web
sites that store MasterCard account data, and achieve compliance with the
Payment Card Industry (PCI) Data Security Standard. The deadline for online
merchants to show major credit-card providers such as Visa and MasterCard
that they have secured customer data is June 30.

As of that date, for example, MasterCard will require online merchants
processing over $125,000 in monthly MasterCard gross volume to perform an
annual self-assessment and quarterly network scan.

For many online merchants, that means either hiring more IT staff to
perform the work, buying new software to boot, or perhaps going the software-
by-subscription route.

As it positions for providing the vulnerability assessments on demand,
Qualys CEO and Chairman, Philippe Courtot, said the company has achieved
compliance status by proving its ability to detect, identify and report
vulnerabilities common to flawed Web site architectures and configurations.

“These vulnerabilities, if not patched in actual merchant Web sites,
could potentially lead to an unauthorized intrusion,” he said. “By
proactively identifying and providing the opportunity to remedy such
vulnerabilities, SDP-compliant products offer a means for reducing risk of
intrusion and data compromise.”

For example, the QualysGuard vulnerability management platform includes a
pre-defined scan profile that enables merchants and their consultants to
scan payment systems as per MasterCard’s requirements. Courtot said
merchants and consultants are then given a blueprint for correcting found
vulnerabilities. If they don’t fix all medium-to-severe security risks
discovered by the Qualys scan, they don’t get a passing grade to report to
the credit-card company.

For some clients, the first few scans can be dispiriting when they see
the problems that need fixing. “It’s kind of like going to the gym” after
being away for a while, Courtot added. “After a while, though, it gets
easier.”

Once merchants have fixed the vulnerabilities, QualysGuard auto-generates
an SDP compliance report that can be submitted directly to the acquiring
bank.

Company officials said the Vendor Compliance Program process includes a
rigorous evaluation cycle that spans across a wide range of Web servers,
firewalls, and operating systems – an environment controlled and managed by
MasterCard. Courtot said the SDP Compliance Testing program is an expansion
of MasterCard’s SDP Program, which it devised as part of the
data-security deadline it created.

Avivah Litan, who covers online payments as vice president and research
director at Gartner, said the payment card industry’s security requirements
(PCI, SDP, Visa CISP) apply to all merchants with an Internet facing IP, not
just those doing e-commerce, making the magnitude of retailers this program’s
effects significant.

“The payment card industry’s security standards are converging, which
will simplify the compliance process, but achieving compliance with these
standards can still be very costly for both merchants and acquiring banks,” Litan said. “The more the process can be streamlined and automated, the easier it will be for everyone.”

The Qualys release comes at a time when data security breaches have
become all too
common
in the news recently, and as Congress mulls
new legislation about protecting customer data. It all adds up to an
industry sector keen to adopt new security measures as quickly as possible.

Enter on demand software. Courtot said on demand, or software as a
service, is just starting to take hold in the online payments industry, as
the software itself has improved from the rough days of the ASP model a few
years back.

“The ASP model didn’t work with existing software and hosting
infrastructure, because for the most part, you couldn’t make money at it,” he
said. The more customers a provider had, the more it cost the ASP to do
business.

“Today, it’s a completely different architecture,” he added. Now, the
model works for customers because for starters, there is no software for the
customer to install. Secondly, he added, the software is of higher quality.
Since you have to deploy it in an environment you don’t control, the
provider has to invest heavily in quality-assurance practices.

In addition to the online retailer vulnerability services, Qualys has
also developed a library of pre-built applications that allow customers to
determine the security status of specific corporate assets and compare them
to internal policies and external standards.

Officials said the library,
which leverages new and existing APIs to extend the reach of the QualysGuard
platform, currently includes more than 15 applications with new applications
being developed and delivered weekly to customers.

It includes regulatory reporting tools geared for compliance for
Sarbanes-Oxley, HIPAA and other federal mandates that involve data
retention.

News Around the Web