Qualys Extension to Its PCI Compliance Set to Help SMBs | eWeek

Qualys Extension to Its PCI Compliance Set to Help SMBs

Écrit par
Andrew Garcia
Andrew Garcia
Apr 27, 2009
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

This month at the RSA show in San Francisco, intrusion prevention vendor Qualys announced an extension to its PCI Compliance solution called PCI Connect. The announcement of the extension–which should be available in the July timeframe–essentially boiled down to an inter-vendor effort to integrate communications among vulnerability assessment and remediation products. However, smaller retailers may soon reap the benefits of the initiative with the newfound ability to build complete documents proving their compliance with the most recent PCI specification–provided the retailers enlist the right products and services to cull the data.

There are numerous products available today that provide data to help retailers track their PCI compliance, but, typically, these products look at only part of the PCI puzzle. The latest draft of the PCI specification (version 1.2), released in October 2008, mandates that merchants verify their security across multiple platforms and networks. This means merchants must demonstrate their security wherever privileged card data may traverse–be it across routers, wireless LANs, servers or desktops. For those merchants trying to prove compliance without the aid of an auditor or consultant, it is up to IT staff or business personnel to compile the requisite data from each utilized security tool to document the security measures taken as well as the resultant findings.

For instance, when I reviewed AirTight’s SpectraGuard Online wireless intrusion prevention service, I found that the service could generate reports tailored for the particulars of various regulations, including PCI. These reports identified findings in possible conflict with the letter of the regulation (such as unauthorized client connections or weak encryption implementations), and administrators could schedule the reports to be generated periodically and delivered in HTML or XML.

Qualys’ QualysGuard PCI Compliance solutions, which were launched a couple years ago, aimed to let merchants perform external scans of their own networks, supplementing that data with access to online self-assessment questionnaires that the specification requires merchants to complete every 12 months. Qualys determined that many Tier 2 through Tier 4 merchants used these assessments to answer questions about parts of the network QualysGuard could not scan. According to Qualys officials, this scenario doesn’t apply to larger, Tier 1 merchants, which would likely enlist outside auditors to conduct their compliance assessments.

As a result of these findings, Qualys created PCI Connect–an API and open XML-based report format to which other vendors like AirTight can output data. So, for instance, a merchant could utilize AirTight’s SpectraGuard Online to perform the requisite quarterly wireless scans and the data would be consolidated with Qualys’s own data directly into the yearly self-assessment questionnaire.

In addition to AirTight, Qualys has partnered with several other security vendor. PCI Connect partners include penetration testing vendor Core Security Technologies, Web application firewall vendor Imperva, log management and IT troubleshooting vendor Splunk, security risk management company Red Seal, and physical and virtual machine intrusion prevention vendor Third Brigade.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.