PCI Compliance in the Cloud with Qualys

Qualys expands its on-demand PCI compliance offering with new scanning and reporting abilities.

Qualys' in-the-cloud strategy for helping businesses face compliance requirements took a new turn this week with QualysGuard PCI 2.0 and its new network scanning and reporting capabilities.

With the new global scanning functionality, merchants can segment their network by business units and scan a select number of hosts at any given time or simultaneously, reducing the amount of time it takes a large organization to scan its network. When every segment of the network has passed the scan, users can create a single report to send to credit card issuers and acquiring banks.

"We look basically for any type of form or vulnerability or misconfiguration that can lead to an exposure or a hack," said Amer Deeba, vice president of product marketing at the Redwood Shores, Calif., company. "So it can be application-level vulnerabilities, system vulnerabilities, network-level vulnerabilities, Web browser type of vulnerabilities."


According to a report from Visa issued on Oct. 24, 65 percent of the nation's largest retailers are compliant with the PCI (Payment Card Industry) Data Security Standard. That number is an increase of 81 percent from December 2006 and 63 percent since July. But the statistic is hardly a cause for celebration: it means 35 percent of large retailers were still out of step with the requirements a month after the Sept. 30 deadline. The challenges of achieving compliance have given birth to countless tools from vendors looking to address the security and auditing concerns posed by the standard.


"The way we differentiate ourselves really is our model; everything is delivered over the Internet as an application software as a service," Deeba said. "You get an account, you log on, and you have full access and full capability to do the entire PCI process."

In the latest version of its service, which the company announced Dec. 17, Qualys allows merchants to get quick access to the latest compliance summary of their entire PCI-scoped network and run reports with specific, advanced search criteria, including host name, IP address and vulnerability severity. Version 2.0 also allows multiple questionnaires to be generated for separate business units and submitted to up to five different acquiring banks at any one time.

QualysGuard PCI 2.0 is available now for an annual subscription starting at $495.
