News from the Wire

Qualys solution streamlines PCI DSS certification, validation process

Monday, April 20, 2009 — 12:12:47 (EDT)

San Francisco, Apr. 20, 2009 -- Qualys, Inc., the leading provider of on demand IT security risk and compliance management solutions, today announced QualysGuard(R) PCI Connect which is the industry's first Software-as-as-Service (SaaS) ecosystem for PCI compliance connecting merchants to multiple partners and security solutions in order to document and meet all 12 requirements for PCI DSS. Qualys is unveiling this new product at the RSA Conference this week at booth # 1717.

QualysGuard PCI Connect is an on demand ecosystem bringing together multiple security solutions into one unified end-to-end business application for PCI DSS compliance and validation. As a new addition to the widely adopted QualysGuard PCI service, PCI Connect streamlines business operations related to PCI compliance and validation for merchants and acquirers all from a combined collaborative application with automated report sharing and distribution. PCI compliance status and tracking is performed on an ongoing basis. Merchants who use QualysGuard PCI Connect can easily identify areas where they may not be meeting compliance requirements. Acquirers who use QualysGuard PCI Connect can easily evaluate whether merchants have met PCI requirements and whether sufficient evidence has been submitted for validation.

"At Merchant e-Solutions we are striving to have all our merchants compliant in 2009 and we are constantly searching for solutions that will complement our internal PCI DSS administration infrastructure," said Jim Aviles, manager of products and technology for Merchant e-Solutions, a provider of traditional and internet-based payment services for banks and merchants. "QualysGuard PCI Connect will give our e-commerce merchants an easy to use tool to conduct vulnerability scans and document PCI compliance at a lower cost, it will also enable us to integrate the tracking and validation of their compliance status."

QualysGuard PCI Connect is an open platform with XML APIs that will allows partners and solution providers to provide automated data feeds into QualysGuard PCI Connect to demonstrate compliance. In addition, merchants will be able to identify gaps in the PCI compliance program and easily connect to security solutions that can meet their needs. "Compliance with the PCI data security standard is a continuous process, and not a one-time event," said Avivah Litan, VP and distinguished analyst, Gartner Inc. "Security monitoring should be a continuous process and automated as much as possible so that human analysis and intervention is focused on high risk activities."

QualysGuard PCI Connect offers merchants and acquires the following benefits:

• Automates the collection of data for validations PCI DSS compliance
• Merchants see detailed results including related evidence for all requirements of PCI throughout the entire organization when answering SAQ
• Provides workflow for merchants to track comprehensive compliance status on an ongoing basis
• Open API to work with any security solution or vendor
• Acquiring bank has additional security controls of merchants when validating merchants for compliance

At the RSA Conference, six security vendors that provide PCI DSS solutions have partnered with Qualys to provide automated data feeds into QualysGuard PCI Connect. These partners include:

• AirTight Networks is integrating its SpectraGuard(R) Online service, the only WIPS offered as SaaS today, into QualysGuard PCI Connect. SpectraGuard Online automates compliance with PCI Requirement 11.1 that mandates a minimum quarterly wireless scan of all locations or the deployment of a wireless IDS/IPS.
• Core Security Technologies' flagship IMPACT Pro is the leading commercial-grade penetration testing software solution on the market today. Merchants looking to comply with requirement 11.3 of the PCI mandate, which calls for regular penetration testing, use Core IMPACT Pro for robust, repeatable and measurable assessment of their networks and web applications.
• Imperva SecureSphere Data Security Suite addresses PCI DSS section 6.6 via Web application firewall and sections 10 and 3.4 via database activity monitoring and database firewall solutions.
• RedSeal Systems automatically analyzes how firewalls and routers work together to grant or prohibit access to every point within an organization's network. Using this information, it validates if a network configuration complies with the network security requirements of PCI DSS requirement 1.
• Splunk provides an overall view of your PCI compliance posture across all requirements. Specifically: PCI log management, file integrity monitoring and control reporting. PCI DSS Requirements, 7.1, 10.2, 10.5, 10.6, 10.7, 11.5
• Third Brigade provides comprehensive server and application protection, including integrity monitoring, IDS/IPS, Web application protection, application control, stateful firewall and log inspection, in a modular, centrally-managed software solution that addresses PCI DSS requirements 1, 2, 6, 10, 11, and 12.

"Listening to our customers who are dealing with PCI DSS, it became clear to us that a centralized solution to collect the data for various PCI requirements was needed to streamline the process and give merchants more technology options for PCI validation," said Philippe Courtot, CEO and chairman of Qualys. "We are thrilled to work with all the leading PCI DSS solution providers to deliver such a collaborative solution for merchants and acquirers to facilitate, manage and track PCI compliance at all levels."

QualysGuard PCI Connect is an extension for the QualysGuard PCI on demand platform that provides businesses, online merchants and acquirers with the easiest, most cost-effective and highly automated way to validate PCI DSS compliance. Qualys is an Approved Scanning Vendor (ASV) and is fully certified to assess PCI DSS compliance. Currently, 68 percent of all PCI DSS ASVs and 49 percent of QSAs utilize QualysGuard to deliver PCI certification and automated Web application scanning to their global clients.

Availability

QualysGuard PCI Connect will be available in July 2009.

Partner Quotes

"AirTight is delighted to be part of the QualysGuard PCI Connect ecosystem, which recognizes that wireless is an integral element of a comprehensive security and compliance solution," said David King, chairman and CEO of AirTight. "Navigating through the multiple provisions of PCI DSS can be daunting. By bringing together partners such as AirTight who provide best-in-class security solutions, Qualys is offering an integrated framework that will allow customers to meet the compliance requirements of PCI DSS, including the new standards that specifically apply to wireless, very easily."

"Merchants and acquirers use Core Impact Pro to comply with the penetration testing elements of the PCI DSS standard and actively test the effectiveness of many security mechanisms required by the mandate," said Jeff Clark, VP business development of Core Security Technologies. "As a member of PCI Connect, we are now better positioned to help merchants address additional elements of the PCI compliance process as well as to enhance these organizations' abilities to measure their real-world cyber-risk."

"Customers look to Imperva SecureSphere as the industry standard for Web application firewall, database activity monitoring and database firewall solutions for PCI compliance," said Rohit Gupta, VP business development at Imperva. "Imperva is pleased to partner with Qualys to help customers streamline their PCI validation process via a centralized solution for data collection and tracking."

"RedSeal is pleased to be partnering with Qualys on PCI Connect," said Steve Dauber, vice-president of marketing for RedSeal Systems. "In conjunction with other ecosystem members, RedSeal's automated assessment of DSS requirement 1 will help assure acquiring banks that valuable cardholder data is stored and transmitted safely."

"Meeting today's PCI compliance mandates extends far beyond simple log collection, retention and analysis. PCI solutions need the flexibility to be able to respond to ad-hoc requests from auditors and easily adapt when requirements change," said Michael Baum, chief corporate and business development officer and co-founder of Splunk. "We are excited to be a part of the Qualys PCI Connect Program to offer customers our flexible IT Search technology, Splunk for PCI, which easily adapts to new control objectives and policy monitoring and provides powerful ad-hoc reporting capabilities to meet audit requests in minutes, instead of hours or days."

"Our customers, from Fortune 100 companies to universities and HMOs, want to achieve and maintain PCI compliance more easily, more quickly and more cost-effectively, but no single vendor carries all pieces of the puzzle," said Dhanya Thakkar, vice president business development, Third Brigade. "QualysGuard PCI Connect is a groundbreaking ecosystem and the resulting integration will simplify the management and ultimately reduce the cost of compliance."

About Qualys

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions - delivered as a service. Qualys' Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures.

The QualysGuard(R) service is used today by more than 3,500 organizations in 85 countries, including 40 of the Fortune Global 100 and performs more than 200 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company.

Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, SecureWorks, Symantec, Tata Communications, TELUS and VeriSign. For more information, please visit www.qualys.com .

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information: bankcardlife.com?orid=33533&opid=1 .

Source: Company press release.