For merchants and financial institutions, figuring out how to comply with Payment Card Industry Data Security Standard requirements can be a real guessing game.
Network change and configuration management provider Voyence hopes to take the guesswork out of PCI compliance for network operators with VoyenceControl PCI Advisor, the new product it introduced Sept. 17.
Because the PCI standard gives general guidelines on how to protect customer account data at various points during the payment process, rather than explicit instructions on compliance, it's up to network operators to interpret how to apply the standard to their network.
"There are 12 different areas of the PCI mandate. Ten are related to the network," said Darren Orzechowski, vice president of worldwide marketing for the Richardson, Texas, company.
PCI Advisor, the first product in the planned Compliance Advisory Series, takes advantage of VoyenceControl's central repository of network equipment configuration data, which tracks changes as they are made and includes a built-in compliance engine.
Embedded in the tool are the actual PCI DSS mandates, which are mapped to relevant network security data. The tool also links associated policies, their definitions and results.
The PCI Advisor, which is built on top of VoyenceControl, provides, for example, a sample of how to write and apply an access control list for a network device that is compliant with the standard. "[Users] can take our templates, fill in their own variables for their network and add it. Now they have compliance," said Matt Clark, director of reporting at Voyence.
To help network engineers maintain compliance with the PCI standard on a day-to-day basis, Voyence built in PCI-specific dashboards and reports that show what changes have been made and whether, and where, those changes introduced compliance problems.
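The two capabilities described above, a fill-in-the-variables ACL template and a check that flags compliance problems a change introduced, are illustrated by the following added example. It is not Voyence's code and does not reflect how VoyenceControl works internally; it assumes a Cisco-style extended ACL syntax, three policy rules chosen here for illustration (permits into the cardholder data environment must name a source and a port, and the list must end in an explicit deny), and a constructed set of site addresses.

```python
import ipaddress
import re
from string import Template

# Constructed template for a Cisco-style extended ACL guarding the cardholder
# data environment (CDE). Site-specific values are filled in by render_acl().
ACL_TEMPLATE = Template(
    "ip access-list extended ${acl_name}\n"
    " permit tcp host ${admin_host} ${cde_net} ${cde_wildcard} eq 22\n"
    " permit tcp ${dmz_net} ${dmz_wildcard} ${cde_net} ${cde_wildcard} eq 443\n"
    " deny ip any any log\n"
)


def render_acl(variables):
    """Fill the template with a site's own addresses (KeyError if a variable is missing)."""
    return ACL_TEMPLATE.substitute(variables)


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD).

    Returns (network, remaining tokens); 'any' is returned as None.
    """
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a wildcard (hostmask) in the prefix position
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_entries(acl_text):
    """Return (line_no, action, proto, src, dst, port) for each ACE; other lines are skipped."""
    entries = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append((n, action, proto, src, dst, port))
    return entries


def check_acl(acl_text, cde_net):
    """Evaluate an ACL against three illustrative policy rules and return findings.

    1. a permit whose destination overlaps the CDE must not come from 'any';
    2. such a permit must name a single port (no 'ip' or port-less permits);
    3. the last entry must be an explicit 'deny ip any any'.
    """
    cde = ipaddress.ip_network(cde_net)
    entries = parse_entries(acl_text)
    findings = []
    for n, action, proto, src, dst, port in entries:
        into_cde = dst is None or dst.overlaps(cde)
        if action != "permit" or not into_cde:
            continue
        if src is None:
            findings.append(f"line {n}: permit from any into the CDE")
        if proto == "ip" or port is None:
            findings.append(f"line {n}: permit into the CDE without a specific port")
    if not entries or entries[-1][1:5] != ("deny", "ip", None, None):
        findings.append("ACL does not end with an explicit 'deny ip any any'")
    return findings


def findings_introduced(before, after, cde_net):
    """Findings present after a change job that were absent before it."""
    old = set(check_acl(before, cde_net))
    return [f for f in check_acl(after, cde_net) if f not in old]


# Constructed values for an imaginary site; the CDE is 10.20.0.0/24.
SITE = {
    "acl_name": "CDE-INBOUND",
    "admin_host": "10.0.0.5",
    "cde_net": "10.20.0.0", "cde_wildcard": "0.0.0.255",
    "dmz_net": "10.10.0.0", "dmz_wildcard": "0.0.0.255",
}
COMPLIANT = render_acl(SITE)
# A later change job slips a broad permit in ahead of the final deny.
CHANGED = COMPLIANT.replace(
    " deny ip any any log",
    " permit ip any 10.20.0.0 0.0.0.255\n deny ip any any log",
)

if __name__ == "__main__":
    print("before:", check_acl(COMPLIANT, "10.20.0.0/24"))
    for f in findings_introduced(COMPLIANT, CHANGED, "10.20.0.0/24"):
        print("introduced by change:", f)
```

Running the block reports no findings for the rendered template and two findings on line 4 of the changed ACL, which is the kind of line-level, change-attributed result a dashboard like the one described would surface.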
"One thing that PCI is big on is that process has to be written down; the auditor needs to see that and evidence that you're following that process. They want to see as you're doing changes on a daily basis that you're following PCI-compliant processes, and they want documented evidence of that," said Clark.
Toward that end, VoyenceControl PCI Advisor provides an audit trail of the change control process. "As they go through the quarterly review they can see who submitted a change job, who approved it, when it was approved and so on," added Clark. The tool includes check boxes and time stamps for those quarterly reviews.
But perhaps the biggest time and cost savings element of the PCI Advisor is the Auditor's Report, which supplies documentation to the auditor on compliance policies, processes and results.
"It cuts down the time dramatically that it takes an organization to go out and collect the information to prove they are meeting the requirements. With the Voyence tool it's all right there in front of me," said auditor Barry Johnson, director of risk mitigation at IGX Global, an information security firm in Rocky Hill, Conn.
Without the Voyence tool, Johnson said he has "had to go to as many as 15 different tools or areas to pull that information together. If all the information is there, then potentially they aren't paying for me to be there as long."
The PCI Auditor's Reports walk the auditor "through the processes, what compliance policies are in place down to the actual line [and] what the actual configurations are on the network devices, and they include reports showing on specific dates what the compliance status of the network was," said Clark.
"It spells out which requirements you're meeting and it shows a history so you can [be sure] that you're continuing your compliance efforts during the year. As an auditor, that's something I like to see," echoed Johnson.
Voyence also plans to add products to the Compliance Advisory Series that focus on such regulations as the Sarbanes-Oxley Act and HIPAA (Health Insurance Portability and Accountability Act).
The VoyenceControl PCI Advisor is due in November and will start at $30,000.