What Is the Payment Card Industry Security Standards Council?
The Payment Card Industry (PCI) Security Standards Council is an independent body dedicated to the creation and implementation of electronic payment security standards. Founding members include representatives from American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
What Is the Payment Card Industry Data Security Standard?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements established by the PCI Security Standards Council. The standard is designed to protect sensitive account data such as credit card numbers, customer names, and contact information from being exposed to unauthorized users.
The PCI DSS requires that network security be in place, properly configured, and periodically audited. In addition, there are security provisions specifically targeted at the web applications themselves.
Why Is It Important?
Organizations that wish to accept online payments with credit and debit cards need to comply with these requirements. Fines for non-compliance can be steep, with penalties reaching hundreds of thousands of dollars per card vendor.
Furthermore, implementing the regular, third-party security assessments (Section 6.6) can be very expensive, and fixing the vulnerabilities they find can significantly impact deadlines and increase the cost of development.
The current version of the PCI DSS (version 1.1, released in September 2006) now allows organizations to choose between the regular security assessments and the deployment of a web application firewall. This revision provides organizations with the opportunity to easily implement a single, one-time solution to secure their applications. On June 30, 2008, deployment of a web application firewall will be required.
How Breach Security's WebDefend Enterprise Helps Organizations Meet the PCI DSS
WebDefend Enterprise is an advanced web application firewall that offers customized, behavior-based security for each protected application. Only WebDefend uses a patented profiling system and multiple, collaborative detection engines to ensure the flow of business-critical traffic while supplying complete protection for applications to keep payment card information safe from targeted attacks. Deployable out-of-line, WebDefend uniquely provides non-intrusive, effective security for multi-application environments.
WebDefend not only helps organizations comply with Section 6.6 of the PCI DSS, but also helps them meet several other requirements of the standard:
| Requirement | WebDefend Provides the Solution |
| --- | --- |
| Do not use vendor-supplied defaults for system passwords and other security parameters (Requirement 2) | |
| Protect stored cardholder data (Requirement 3) | |
| Encrypt transmission of cardholder data across open, public networks (Requirement 4) | |
| Develop and maintain secure systems and applications (Requirement 6) | |
| Track and monitor all access to network resources and cardholder data (Requirement 10) | PCI Compliance Report: Details WebDefend findings by requirement to provide an immediate picture of the system's level of compliance. Credit Card Usage Audit Report: Lists every use of a credit card number by a user. As required by the standard, the actual card details are masked in the report. Sensitive Information Report: Details every page in a web application where sensitive information is presented to the user. This report helps ensure that the application does not violate the PCI DSS by displaying more credit card information to the user than it should. |
| Regularly test security systems and processes (Requirement 11) | |
| Maintain a policy that addresses information security (Requirement 12) | |
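The Requirement 10 row above describes an audit report that records every use of a card number while masking the actual card details. The following is an added example, not WebDefend's code, of that defensive pattern: it scans constructed log lines for Luhn-valid primary account numbers and records only the first six and last four digits (the most PCI DSS permits to be displayed); the log format and sample numbers are assumptions made up for the illustration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits; everything in between is starred."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return digit-only strings in text that look like PANs and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def audit_lines(lines):
    """Produce (line_number, masked_pan) entries for every validated PAN so the
    audit report records card usage without itself storing full PANs."""
    entries = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            entries.append((n, mask_pan(pan)))
    return entries


# Constructed sample log lines (assumed format): two well-known test card
# numbers that pass Luhn, and an order id that looks like a PAN but fails Luhn.
SAMPLE_LINES = [
    "user=alice path=/checkout pan=4111111111111111 amount=19.99",
    'user=bob path=/profile body="card 5500 0000 0000 0004 on file"',
    "user=carol path=/orders id=1234567890123456",
]

if __name__ == "__main__":
    for line_no, masked in audit_lines(SAMPLE_LINES):
        print(line_no, masked)
```

The Luhn check filters out most numeric identifiers that merely look like card numbers, which keeps the report from flagging order ids or timestamps as card usage.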