Qualys today rolled out a release of its vulnerability-scanning platform that automates the compliance process for customers in the payment card industry.
Aimed at retailers and companies that process credit-card data, the PCI standard is a set of technology requirements for securing networks and applications, protecting cardholder data, maintaining a vulnerability-management program, and regularly validating compliance via a third-party assessment. It consolidates different security guidelines from credit card companies. American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International oversee PCI development.
The QualysGuard PCI On Demand platform scans the network of merchants and other organizations storing customer credit cards to ascertain their desktop and server security. The QualysGuard On Demand service then fills out an online form and submits it to banks and Visa, MasterCard, and other card-payment institutions supporting the PCI standard. According to Amer Deeba, Qualys chief of marketing, the previous process Qualys used was far more manual, requiring security managers to fill out forms and submit them.
“We’ve now automated it, including the automated submission of the form,” said Deeba. The QualysGuard PCI scanning process, which starts at $495 for three IP addresses, will satisfy most PCI scanning requirements except those for high-volume card processing, which under PCI guidelines requires an on-site inspection, said Deeba.
Qualys customer Tribune Broadcasting, a division of the Tribune Co., scans for PCI compliance quarterly, CIO Josh Seeger says.
“We are a very distributed company, and we have many businesses that engage in many credit-card transactions,” Seeger says. “The primary requirements have to do with making sure our infrastructure is secure.”
Typically, a PCI-related scan will uncover new vulnerabilities that need to be corrected; that responsibility is delegated to the local IT level. When remedies are in place and the PCI scan comes back clean, the PCI compliance report is submitted to Tribune Broadcasting’s banks.
“It’s required by the payment card industry that we have a certified company performing the scans,” says Seeger. Failure to satisfy PCI compliance could lead to potential fines or other liability, he says.