Qualys Extension to Its PCI Compliance Set to Help SMBs
With Qualys' new PCI Connect extension to its PCI Compliance solution, smaller retailers may have a newfound ability to build complete documents proving their compliance with the most recent PCI specification--provided they enlist the right products and services to cull the data.This month at the RSA show in San Francisco, intrusion prevention vendor Qualys announced an extension to its PCI Compliance solution called PCI Connect. The announcement of the extension--which should be available in the July timeframe--essentially boiled down to an inter-vendor effort to integrate communications among vulnerability assessment and remediation products. However, smaller retailers may soon reap the benefits of the initiative with the newfound ability to build complete documents proving their compliance with the most recent PCI specification--provided the retailers enlist the right products and services to cull the data. There are numerous products available today that provide data to help retailers track their PCI compliance, but, typically, these products look at only part of the PCI puzzle. The latest draft of the PCI specification (version 1.2), released in October 2008, mandates that merchants verify their security across multiple platforms and networks. This means merchants must demonstrate their security wherever privileged card data may traverse--be it across routers, wireless LANs, servers or desktops. For those merchants trying to prove compliance without the aid of an auditor or consultant, it is up to IT staff or business personnel to compile the requisite data from each utilized security tool to document the security measures taken as well as the resultant findings.
For instance, when I reviewed AirTight's SpectraGuard Online wireless intrusion prevention service, I found that the service could generate reports tailored for the particulars of various regulations, including PCI. These reports identified findings in possible conflict with the letter of the regulation (such as unauthorized client connections or weak encryption implementations), and administrators could schedule the reports to be generated periodically and delivered in HTML or XML.