The networks of LexisNexis and ChoicePoint, major companies that collect, store, analyze and sell demographic data, were recently compromised, and gangs of hackers stole close to 500,000 identities. These high-profile emergencies hit merchants like an unexpected rainstorm, leaving them scrambling for a way to comply with new worldwide standards for consumer data protection, referred to as PCI data security standards. These 12 standards attempt to enforce strict information security policies on merchants, including building and maintaining a secure network, protecting customer data and maintaining a vulnerability management program.
If hacker intrusions and account data compromises are the storm, then, says Edward P. Yakabovicz, information security officer for Bank One’s consumer Internet group, “information security should be based on a layering effect of technologies to provide an umbrella that mitigates risk and reduces threat.”
And to round out the metaphor, network security firm Qualys wants to step in as meteorologist, predicting and reporting danger and risks to information with its security solution, QualysGuard. Amrit Williams, research director at Gartner, states that QualysGuard’s strength comes from its promise of “vulnerability assessment scanning.” QualysGuard promises to provide merchants with a blueprint of potential threats to information security. It scans the network to “see what it is vulnerable against in a database of known vulnerabilities,” according to Williams, and prevents risks before they become destructive or lethal to an organization.
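The matching step Williams describes, comparing what a scan discovers on the network against a database of known vulnerabilities, is easy to misread as a simple lookup. The example below is added here to show the shape of that step; it is not QualysGuard code or anything Qualys has published. It assumes a scanner has already inventoried each host's exposed services and their version strings, and it uses a constructed inventory and a constructed vulnerability database with placeholder identifiers (`VULN-0001` and so on, not real advisories). The scan "passes" under a constructed rule, any high-severity finding fails it, which is an assumption rather than the card brands' actual criteria.

```python
"""Version-range matching of a service inventory against a known-vulnerability
database, the core of a vulnerability-assessment scan report.
Added example with constructed data; not Qualys/QualysGuard code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str


@dataclass(frozen=True)
class KnownVuln:
    vuln_id: str          # placeholder identifier, not a real advisory number
    product: str
    affected_from: str    # first affected version (inclusive)
    fixed_in: str         # first fixed version (exclusive)
    severity: str         # "high" | "medium" | "low"


@dataclass(frozen=True)
class Finding:
    service: Service
    vuln: KnownVuln


def parse_version(text: str) -> tuple:
    """Turn '4.1.12-beta' into (4, 1, 12) so versions compare numerically.
    Non-numeric suffixes are dropped; a component with no digits counts as 0."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, vuln: KnownVuln) -> bool:
    """True when affected_from <= version < fixed_in (tuple comparison)."""
    v = parse_version(version)
    return parse_version(vuln.affected_from) <= v < parse_version(vuln.fixed_in)


def assess(inventory, vuln_db):
    """Match every discovered service against every database entry for the
    same product (case-insensitive) and return the vulnerable pairs."""
    findings = []
    for svc in inventory:
        for vuln in vuln_db:
            if svc.product.lower() == vuln.product.lower() and is_affected(svc.version, vuln):
                findings.append(Finding(svc, vuln))
    return findings


def summarize(findings):
    """Count findings by severity and apply the constructed pass/fail rule."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.vuln.severity] += 1
    counts["passed"] = counts["high"] == 0   # constructed rule, not a PCI criterion
    return counts


# Constructed sample data: what a scanner might have inventoried (placeholder
# product names and addresses) and a toy vulnerability database.
SAMPLE_INVENTORY = [
    Service("10.0.0.5", 80, "WebServer", "2.0.54"),
    Service("10.0.0.5", 443, "webserver", "2.0.55"),
    Service("10.0.0.7", 3306, "dbserver", "4.1.12-beta"),
    Service("10.0.0.9", 22, "sshd", "3.9"),
]
SAMPLE_VULN_DB = [
    KnownVuln("VULN-0001", "webserver", "2.0.0", "2.0.55", "high"),
    KnownVuln("VULN-0002", "dbserver", "4.0.0", "4.1.20", "medium"),
    KnownVuln("VULN-0003", "sshd", "3.0", "3.9", "low"),
]

if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY, SAMPLE_VULN_DB)
    for f in results:
        print(f"{f.service.host}:{f.service.port} {f.service.product} "
              f"{f.service.version} -> {f.vuln.vuln_id} ({f.vuln.severity})")
    print(summarize(results))
```

Two details carry most of the value: the version on port 443 is one patch level past the fix boundary and correctly produces no finding, and the `sshd` entry shows why `fixed_in` must be exclusive, since a host already running the first fixed version would otherwise be reported. Real scanners add banner parsing, backported-fix detection and authenticated checks on top of this, which is exactly where false positives and false negatives come from.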
These security standards are especially important to credit card companies, which, like LexisNexis, store information such as social security numbers for millions of customers. Qualys reports that, “By June 30, 2005, MasterCard and Visa will require merchants processing more than 20,000 online transactions per year to complete a quarterly network scan and annual compliance questionnaire.”
MasterCard’s new partnership with Qualys hopes to solve the problem of complying with the PCI data security standards. Large distributed organizations that work with MasterCard must apply to the Vendor Compliance program by completing an online application that gives MasterCard an overview of the applying organization. MasterCard then controls and manages the assessment and evaluation of the organization’s security policies. This evaluation “spans across a wide range of Web servers, firewalls and operating systems,” reports Qualys. Once an organization passes the vendor compliance application process and is ready to use QualysGuard, the system is automated and self-servicing, making it both economically and legally advantageous for MasterCard. It simplifies security management through the use of a real-time executive dashboard and Web-based risk reports.
Avivah Litan, a Gartner analyst, comments on this security trend, “The credit card industry’s security standards are converging, which will simplify the compliance process ... The more the process can be streamlined and automated, the easier it will be for everyone.” And the more security processes are standardized, the easier it will be for merchants and organizations to comply.