Mastering PCI compliance

Compliance with the Payment Card Industry Data Security Standard requires intimate knowledge of the regulation and your organization’s environment.

BY INFORMATION SECURITY AND SEARCHSECURITY.COM

Requirement 6.6
Choosing an assessor
Compensating controls
Outsourcing
Requirement 6.6

Now a requirement, 6.6 puts several important choices in front of organizations.

Say one thing for the PCI Security Standards Council: They’ve got great timing. Requirement 6.6 of the Payment Card Industry Data Security Standard, which became mandatory on June 30 and governs the security of Web-based applications, arrived on the heels of one of the worst blind SQL injection attacks on record. Those coinciding events made evident the glaring security shortcomings in Web applications, and the lengths attackers will go to in order to target enterprise data.

PCI 6.6 requires organizations that process credit card transactions to address the security of Web applications, either via manual or automated source code reviews or vulnerability scans, or via the installation of a Web application firewall (WAF) between a Web app and the client endpoint.

For the 18 months prior to June 30, 6.6 was a best practice. Now, many organizations are acting like high-schoolers cramming the night before a final exam, having devoted only marginal attention to compliance to date; experts unanimously say compliance is low despite a solid level of awareness. The PCI Security Standards Council is partially to blame; the requirement was ambiguous as to whether organizations were required to conduct a source code review and install a WAF. A clarification was ultimately issued in late April that said either one would satisfy the intent of the requirement.

In the meantime, attacks on Web applications intensified and matured. April’s shotgun-style SQL injection attack that compromised thousands of websites established a new frontier of trouble for Web applications.

Applications have been the attack vector of choice for some time, but recently, hackers have moved away from traditional SQL attacks that compromise individual websites. Instead, working from lists of vulnerable PHP and ASP web pages compiled from search engine queries, hackers based mostly in China have figured out how to scale their attacks and improve their odds for success.

Frightening not only for its scale, but for its effectiveness in injecting malicious code into database tables, the attack has left organizations, in many cases, hopelessly behind the eight-ball. Cleanup is close to impossible because a DBA would either have to scour a database row by row and table by table to find the code and remove it, or restore a database from a recent backup—if they have one. Essentially, infected databases have been backdoored via a Web application, and even if the initial payload is benign, it can be swapped out at any time.

CHECKMARK CHALLENGE

Compliance with PCI 6.6, in the end, likely won’t help against this particular attack, but it is a wake-up call for organizations to address the code they build or customize. In the meantime, auditors may show some mercy with early assessments, but that leniency won’t last for long. This is especially bad news for smaller merchants, Level 3 and 4, who don’t have the resources or expertise to either adequately review source code, or purchase and properly configure a Web application firewall.

Manual source code reviews are extremely expensive and time consuming. Automated vulnerability scans are less so, but still tax the bottom line. Web app firewalls, meanwhile, are likely the quickest way to a compliance checkmark, and some experts say this is a fitting starting point until an organization matures sufficiently to tackle its proprietary code.

“Many organizations start with a Web application firewall to get a checkmark. That is not necessarily raising the bar in terms of security, but they would be meeting the compliance factor,” says Danny Allan, director of security research with IBM Rational.

Allan points out that organizations should want to do both, but the most likely scenario is one where an organization grapples with how to compare the two options afforded by 6.6 and decides which is the best immediate fit.

“There’s no right answer,” Allan says. “Some recommend beginning with a Web application firewall, but a WAF needs to be configured properly to work. If you’re in a fluid environment [one where applications change and grow in complexity], that can require a fair amount of time to configure. And ultimately, you’re putting a Band-Aid on the issue. The application still has the problem.”

WAFS THE QUICKER ROUTE

Web application firewalls, also known as deep-packet inspection firewalls, look at application layer messages for violations of an established security policy. Some offer signature-based protection, while others are fed a baseline of appropriate application behaviors and monitor for deviations. They’re offered either as software or in an appliance.

WAFs struggle detecting certain types of attacks because they don’t always understand the context under which input is entered into an application, and legitimate traffic could be dropped if a WAF believes the traffic violates policy. Also, some tools fail to detect some serious Web app threats such as cross-site scripting attacks.

“In my mind, you want to do both [6.6 options], but this is an apples to oranges comparison,” Allan says. “Which gives you more of a bang in the short term? That is the question that needs to be answered.”

Therefore, WAF sales are bound to see a bump in the coming 12 months.

“Smaller merchants are going to gravitate toward a WAF if it will get them a checkmark,” says David Taylor, founder of the PCI Knowledge Base and research director of the PCI Security Vendor Alliance. “That is where things are going. It’s not wrong; it’s the most cost-effective way to go. I would never tell a Level 3 or 4 merchant to spend more money than they have to.”

SECURE CODING

Source code reviews, meanwhile, are the ideal solution, experts say. For some time, experts have urged organizations to include security in the software development lifecycle. Automated scanners can test applications for vulnerabilities, in particular the Open Web Application Security Project (OWASP) top 10 list of flaws. In fact, PCI DSS 6.5 says Web applications should be developed based on guidelines such as OWASP and applications should be secured against the vulnerabilities listed in the top 10, which is updated annually.

But developers generally shun security because it hampers productivity and functionality. Manual reviews are difficult, though sometimes they’re essential in order to catch problems in the context of an application’s semantics. Expense aside, manual reviews require inspection, often of hundreds of thousands of lines of code, and it’s virtually impossible to follow all the logic paths an application can take, says Barmak Meftah, senior VP of products and services at Fortify, a vendor of static and dynamic source code analysis tools.

“The main type of vulnerability a hacker is getting hold of is an input field—putting in malformed input and getting the app to do unintended things,” he explains. “That packet is now using different paths than intended, and connecting those dots optically is impossible.”

The big picture is that organizations don’t look at 6.6, and at source code reviews, the use of automated scanning tools and the deployment of a Web application firewall, in the context of an overall vulnerability management program, says IBM Rational’s Allan.

“Security threats are changing daily. PCI 6.6 is a strategic approach: How do I address this fluid, changing paradigm of security attacks that is going to be different tomorrow than today?” Allan says. “This is about building good, quality code. If we keep focusing on the security aspect and not building quality apps, we’re forever going to be chasing security vulnerabilities.”

Allan and other experts, however, concede that’s an idealistic view. For the meantime, organizations bound by PCI are going to do what it takes to get a checkmark, and think compliance first, security second.

“Web application firewalls are not going to stop all attacks. The same thing is true for source code reviews; someone needs detailed knowledge of the business logic to do an appropriate review,” says Sumedh Thakar, PCI solutions manager at Qualys. “Neither one seems to be a perfect solution. It definitely comes down to the resources people have. The ideal way is to do everything. Do source code reviews as part of your software development lifecycle. Do
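The WAF section above contrasts signature-based protection with a learned baseline of application behavior, and notes that WAFs can drop legitimate traffic, miss cross-site scripting and leave the underlying flaw in place; the secure coding section describes that flaw as malformed input reaching an input field. The following script is an added illustration of both points, not code from the ebook or from any vendor it names: the three signature patterns, the per-field baselines, the users table and the four sample submissions are all constructed for the demonstration.

```python
import re
import sqlite3

# Negative security model: block input that matches a known attack signature.
# A constructed toy rule set, not any vendor's.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.IGNORECASE),  # ' OR '1'='1
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    re.compile(r"--\s*$"),
]

# Positive security model: a baseline of what each form field normally
# contains; anything outside the baseline is treated as a deviation.
BASELINE = {
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "comment": re.compile(r"[\w .,!?]{0,200}"),
}


def signature_blocks(value: str) -> bool:
    """True when the value matches a known-bad pattern (signature-based WAF)."""
    return any(sig.search(value) for sig in SQLI_SIGNATURES)


def baseline_blocks(field: str, value: str) -> bool:
    """True when the value deviates from the field's baseline (behavioral WAF).

    A field with no learned baseline is treated as a deviation as well.
    """
    pattern = BASELINE.get(field)
    return pattern is None or pattern.fullmatch(value) is None


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows; one name has an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("O'Brien", "obrien@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw a code review is meant to catch: input concatenated into SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The fix at the source: a parameterized query, so input is never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def evaluate(field: str, value: str) -> dict:
    """Run one submitted value through both WAF models and, for the username
    field, through the vulnerable and the parameterized query."""
    result = {
        "signature_blocks": signature_blocks(value),
        "baseline_blocks": baseline_blocks(field, value),
    }
    if field == "username":
        conn = make_db()
        try:
            result["vulnerable_rows"] = lookup_vulnerable(conn, value)
        except sqlite3.Error as exc:
            # A legitimate apostrophe breaks the concatenated query outright.
            result["vulnerable_rows"] = f"error: {type(exc).__name__}"
        result["safe_rows"] = lookup_safe(conn, value)
    return result


# Constructed sample submissions: two attacks, two legitimate values.
SAMPLES = [
    ("username", "' OR '1'='1"),               # classic SQL injection
    ("username", "O'Brien"),                   # legitimate name with an apostrophe
    ("comment", "<script>alert(1)</script>"),  # cross-site scripting payload
    ("comment", "Great article, thanks!"),     # legitimate comment
]

if __name__ == "__main__":
    for field, value in SAMPLES:
        print(f"{field}={value!r}: {evaluate(field, value)}")
```

The signature model passes the script tag (no SQL signature matches) and the baseline model drops the legitimate O'Brien (its apostrophe is outside the learned pattern), while only the parameterized query returns the right rows for both the injection string and the real name.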
Choosing an assessor

PCI assessors stand between you and compliance. Ensure your assessor is a match to your organization’s needs.

Organizations looking for a PCI assessor should do some homework ahead of time to ensure they choose the one who best suits their needs. Don’t rush to hire an assessor without first digging into their background, experience and compliance philosophy, experts advise.

“Blindly going at it is probably the wrong approach,” says Randall Gamby, analyst at research and consulting firm Burton Group.

Organizations bound to PCI, such as large merchants and service providers, work with Qualified Security Assessors. The PCI Security Standards Council governs training and approval of QSAs, who issue the Report on Compliance to acquiring banks and card brands.

Just as a company checks out the background of employee candidates, it should delve into the background of potential assessors. Find out their level of technical expertise and whether they’ve been internal auditors, system administrators or network architects, says Dave Shackleford, director of Configuresoft’s Center For Policy & Compliance. And get references.

“A lot of people don’t dig that deeply,” he says.

MATCH EXPERIENCE AND INDUSTRY

When reviewing an assessor’s background, it’s important to look at what industries he or she has worked in. If a manufacturer taps a PCI assessor that has specialized in financial services, there may not be a “one-to-one match in the kind of methodology” the firm uses, Gamby says.

“Make sure the person in question knows your industry,” says David Taylor, founder of the PCI Knowledge Base and research director at the PCI Security Vendor Alliance. He adds that he’s seen complete mismatches, such as a retailer audited by a specialist from the aerospace industry who decided to try his hand at security.

Another consideration is the assessor’s location, says Troy Leach, technical director at the PCI Security Standards Council. A global organization might find it more expensive to hire an assessment firm that operates only in North America; a company that operates in multiple countries needs a firm that can handle audits and understand the language in those countries.

It’s also important to check the experience of the individual assessors working at an assessment firm to avoid any surprises.

“Who is actually going to do the review? Is it Joe fresh out of college, or Mary who has been doing this for 10 years?” Taylor says.

While Taylor acknowledges that QSA firms can’t control employee turnover, he recommended that companies get some assurance about the level of staff expertise, even if the firm can’t guarantee a particular assessor.

QSAs must be certified by the PCI Security Standards Council; organizations can also ask if a QSA holds certifications such as the CISSP, CISA and Certified Internal Auditor.

In April, the PCI Security Standards Council launched a database of individual QSAs. Companies can go to the council’s website https://www.pcisecuritystandards.org/ and look up assessors by their name, certificate number and their company to verify that they are currently certified. Leach says merchants need to know the name of the assessor to search the database, but the council planned to add new features that will allow a search by company.

The council’s website is a good place to start looking for an assessor. Gamby suggested that organizations could also check with their internal audit and compliance departments for referrals. “Most large organizations have a compliance or audit group. See if they have someone to start with. It might make sense from an overall security posture to have the same auditor.”

TWO QSAs BETTER THAN ONE

But before starting a search for a QSA, a company should conduct an analysis of its environment, Leach says. Knowing what systems contain cardholder information will

technology perspective while others are more process oriented, and that organizations need to understand which approach a prospective assessor uses.

A technology-focused assessor may look for a Web application firewall when it comes to PCI DSS Requirement 6.6 while a process-oriented one will look more closely at the software development lifecycle, he says.

“Some just use what I consider common sense. Others are looking to check off boxes,” he says. “So you really have to understand what kind you’re working with.”

Configuresoft’s Shackleford warned that some large assessment firms rely on checklists as they churn out PCI reviews, and have built reputations for validating organizations as compliant.

Companies shouldn’t consider volume of work as a top consideration when choosing an assessor, he says.

“At the end of the day, you’re left wondering, ‘Did I really pass muster, or did they just want to get out of here and give us the check box to sign and move on?’” Shackleford says. “Volume isn’t necessarily the most applicable factor. It’s the quality of the work, similarity across verticals and backgrounds of the teams.”

Shopping around for a cheap deal isn’t the best strategy in looking for a PCI assessor, says Ken Smith, principal security consultant for IT solution provider Akibia. He says it’s unnerving to see some assessment firms working so quickly and cheaply.

Shackleford says PCI assessments range in cost, anywhere from $10,000 to $500,000. Usually they involve a two- to four-week preparation phase, in which documentation is exchanged, and an onsite phase of two to three weeks. Some organizations with a lot of sites that require travel may take up to six weeks for the onsite portion.

“You get what you pay for,” he says. “If someone comes in and says they’re going to do the whole thing in two weeks, it should raise red flags.”

Marcia Savage is features editor of Information Security.
Loophole or life-saver: Compensating controls

BY DENNIS FISHER AND ROBERT WESTERVELT

As compliance with the Payment Card Industry Data Security Standard (PCI DSS) has become more complex, an increasing number of businesses rely on compensating controls to satisfy requirements they’d otherwise have no way of meeting.

Designed to enable companies to comply with the spirit and intent of the requirements, compensating controls have also become something of a hot-button issue as some

when the council declared compensating controls could not be used unless an organization had already failed one assessment.

In practice, there are only two reasons for a company to use a compensating control: a business or technical constraint, or a physical impossibility to implement a primary control. For example, a retailer with 5,000 locations would have a physical problem deploying encryption on all its legacy point of sale systems, resulting in the use of a compensating control, says James DeLuccia, a PCI expert and author of IT Compliance and Controls.

But some companies need to do a better job understanding the intent of the primary control before deploying something else and calling it a compensating control. Often, they fail to provide the good documentation described in the compensating controls worksheet that identifies and supports how the cardholder data will be protected using a different method, DeLuccia says.

COMPLIANCE CHECKLIST

Companies should begin by identifying the issues that may preclude compliance with the requirement, DeLuccia says. Then define the objective being met by the compensating control and conduct a risk analysis to determine any additional risks. Test, document and explain how the compensating control meets the objective. The explanation should address how the compensating control meets the original objective and the identified expanded risks, DeLuccia says.

“PCI requires seven-character passwords. Some people have mainframes that don’t allow passwords longer than six characters, so you automatically can’t satisfy that without replacing the mainframe,” says Michael Gavin, a security strategist at Security Innovation and a Qualified Security Assessor (QSA). “A compensating control is if you can force all connections to go through an authentication phase before the password. That meets the requirement.”

The current process for an assessor to approve PCI compensating controls introduces potential problems. Organizations may change auditors year after year, so a level of uncertainty exists in the acceptance of these controls, DeLuccia says. Also, it is in the auditor’s interest to accept the compensating control, because he serves the client and has an incentive to accept it.

Finally, DeLuccia says compensating controls require more mature control environments. This could mean additional processes and technologies to fully address the risk.

“A common mistake is thinking that compensating controls are temporary—not necessarily. They may remain in place so long as they satisfy the risk appropriately,” DeLuccia says.

DON’T FORGET DOCUMENTATION

In recent months, the PCI Standards Council has addressed the methodology of determining and documenting compensating controls, and that is creating better transparency. This is better for everyone involved because it protects the QSA from accepting a set of compensating controls with less risk, while ensuring payment operators are not singled out and penalized unnecessarily, DeLuccia says.

Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting, agrees that PCI compensating controls should be chosen very carefully and always be well-documented. The company should understand the strength of the primary control and what it’s intended to do. Once implemented, an assessor has to evaluate whether the compensating control meets the objective of the primary control and whether other entry points are opened to the sensitive data, Nebel says.

Still, whether a compensating control passes muster will be up to each individual assessor and ultimately the strength of the organization’s documentation.

“They certainly need to be reviewed every year. As long as you are meeting the intent of the requirement as stated, it’s normally OK,” says Gavin. “The real purpose is to allow people to be compliant without forcing them to buy new products. If you have to be compliant, meeting the letter could cost you a fortune, and the controls are an acknowledgement that people were doing security before and maybe what they were doing was good enough and can be augmented.”

The PCI Security Standards Council is trying to address the inconsistencies among QSAs. It’s developing a training program and an assessor evaluation program. An assessment team appointed by the council will evaluate feedback from merchants on assessors. Negative feedback could result in a probation and revocation process for assessors.

The PCI Security Standards Council is likely to address ineffective compensating controls in the next release of the standard, due in October. Experts say that as the standard evolves, the use of compensating controls will become less clouded.

Although it’s not an official compensating control, Nebel points out that network segmentation is one form of a compensating control. Segmenting shouldn’t be taken lightly, he says. Sometimes company executives believe they have segmented off the cardholder data, but the QSA discovers entry points to the main network.

“You’re narrowing down the scope of the systems you’re going to look at,” Nebel says. “You’re isolating the cardholder data from normal network activity either through a
Outsourcing is a slippery compliance slope

BY MARCIA SAVAGE

Providers are required to be compliant with PCI, but that doesn’t liberate merchants from liability in the event of a breach.

Your organization may be PCI compliant, but is the company it outsources to?

Outsourcing has become a hot topic in the world of PCI compliance as more organizations, including smaller merchants, grapple with the payment card industry’s standard for keeping cardholder data secure. With those smaller merchants likely to outsource some credit card processing functions, the topic has taken center stage, says Dave Shackleford, director of Configuresoft’s Center For Policy & Compliance.

“The bottom line is any third party that’s handling the data has to be just as compliant as you do. Period,” he says.

Companies that share cardholder data with service providers are obligated to contractually require that the service provider adhere to PCI Data Security Standard requirements.

“If you have a service provider that will be dealing with cardholder data, you have an obligation in your contract to say they must be PCI compliant and an obligation to actually validate where they are in compliance,” says Phil Cox, principal consultant at security consulting firm SystemExperts.

Companies typically obtain a SAS 70, which usually satisfies PCI auditors, Shackleford said. In some cases, though, they may require a specific PCI audit of the third party.

Before engaging in outsourcing activities, companies should consult with their acquiring banks, Shackleford advises. The acquiring bank is ultimately the liable party in the event of a breach, and the banks differ in their requirements, he says.

“See how they would like to proceed on getting a third-party, objective audit of the outsourced environment,” he says.

ALL OR NONE

At the same time, however, companies can reduce the scope of their PCI requirements by outsourcing all payment card processing functions—a trend Cox expects many in the industry will follow because it’s cheaper and quicker. “They’re moving it off and saying they’re not in the business of processing credit cards.”

By having a third party handle all transmission, storage and processing of cardholder data, a merchant will greatly reduce the scope of its PCI self-assessment, says David Taylor, founder of the PCI Knowledge Base and research director at the PCI Security Vendor Alliance. “You still have to file a self-assessment questionnaire, but you can file the simple one,” he says.

Earlier this year, the PCI Security Standards Council released four new PCI self-assessment questionnaires (SAQ) that experts say are streamlining compliance for many businesses, especially those that outsource payment card functions. In a Feb. 12 report, Avivah Litan, vice president and distinguished analyst at Gartner, says the new SAQs replaced “an unrealistic one-size-fits-all questionnaire that did not reflect the reality of card-accepting businesses’ operations and was not aligned with the PCI DSS itself.”

Litan noted that the new SAQs distinguish between e-commerce merchants that outsource all payment processing and card data storage to a PCI-compliant payment service provider and e-commerce or brick-and-mortar merchants that have payment systems that connect to the Internet but don’t store any data. She expected the new SAQ process to drive more card data outsourcing.

For example, the SAQ for organizations that outsource all cardholder data functions is very short and includes questions about the type of business and whether the third party handling cardholder data is PCI DSS compliant. The SAQ for organizations with point-of-sale systems connected to the Internet but no electronic cardholder data storage asks for confirmation that the payment application does not store sensitive authentication data after authorization, and whether a merchant is compliant with the 12 PCI DSS requirements. If not compliant for any of the 12, a merchant must provide a remediation plan and timeline.

DON’T BUY THE SALES PITCH

Merchants should be wary, however, of vendors who claim that outsourcing will eliminate their PCI problems, warns Ken Smith, principal security consultant for IT solution provider Akibia.

“A couple vendors have said, ‘We hold the data, so you don’t have to worry about PCI anymore’,” he says. “The merchant with the online presence is ultimately responsible for taking care of their customers.”

Visa maintains a list of service providers that are PCI compliant, but places the responsibility on members to follow up with service providers with any questions about their compliance status. PCI DSS Requirement 2.4 requires hosting providers with access to cardholder data to protect each merchant’s hosted environment and data; Appendix A specifies that hosting providers must ensure logging and assessment trails are enabled and unique to each entity’s cardholder data environment, and must have processes to provide timely forensics investigation in the event of a breach to any hosted merchant or service provider. Appendix A notes that a hosting provider meeting the standard’s requirements doesn’t necessarily guarantee compliance for a merchant; each entity must comply with PCI DSS.

“When you outsource, you need to make sure the company you’re doing business with is PCI compliant,” Taylor says. “You need some form, signed letter, or compliance certificate.”

Organizations should ask for the service provider’s Report on Compliance issued by its QSA, Shackleford says.

Some companies are requiring more validation and are conducting detailed evaluations and even physical visits to the third party. Some financial-services firms and large retailers send audit teams to physically inspect whether their third parties are compliant.

“If you’ve outsourced parts or all of what you’re doing from a card processing standpoint, you can’t just rely on that letter,” Taylor says. “If there’s a problem with that [outsourcing] company, your brand gets dragged through the mud.”