Payment Card Industry DSS
Payment Card Industry (PCI) Data Security Standards
Over the past few years, credit card companies have developed and maintained their own data security programs to protect cardholder data. Visa CISP, MasterCard SDP and American Express Data Security Operating Policy (DSOP) are examples of such programs. In December 2004, the Payment Card Industry (PCI) Data Security Standards, a comprehensive set of data security requirements, were adopted by all major credit card companies. These standards replace the companies' individual programs and bring to the industry a consistent set of standards for data security.

The purpose of the PCI Data Security Standards is to ensure that all financial institutions, merchants, e-commerce companies, and their agents and service providers are employing basic security standards to protect and secure all credit cardholder data. More specifically, organizations are responsible for having the necessary security policy, systems and auditing infrastructure in place to protect the privacy of credit card and customer data throughout the entire transaction process.

Protegrity delivers solutions for organizations looking for a comprehensive way to accelerate compliance with the Payment Card Industry (PCI) Data Security Standards (FAQ). There are three core elements to our solution:

(1) Services, delivered by certified Protegrity security consultants, to identify gaps, guide planning and install technologies to ensure compliance in the most efficient and timely manner.

Strategic Services - A group of professionals with extensive technology consulting experience who look beyond system vulnerabilities to focus on meeting the PCI security procedural requirements. They analyze security processes, identify gaps against PCI requirements, prioritize areas to address based on risk and ROI, and implement changes.
(2) Protecting data at rest - Defiance DPS is an encryption software product that provides organizations with a security solution that protects credit card information from all reasonable threats, internal and external. With Defiance DPS, companies can meet PCI compliance by defining, monitoring, and managing security policies across the enterprise; by defining and monitoring levels of data access; and by protecting data from 'super user' access. Defiance DPS is superior to other data encryption offerings based on these key criteria:

Comprehensiveness - Defiance DPS handles database and file encryption more efficiently than other available solutions. It provides the ability to establish and manage centralized security policies, to protect and manage encryption keys, and to meet auditing requirements.

Performance and Scalability - Defiance DPS has the fastest throughput in the industry. Leveraging the power of the existing infrastructure, it utilizes the processing power of each server it protects. It is multi-threaded and has load-balancing capabilities, maximizing efficiency and scaling with the computing power available. The result: your data is tightly protected with minimal impact on existing systems.

Security to match your business needs - With Defiance DPS, you can focus security on only the most sensitive data, at the file, application or database level.

Full Audit & Reporting - Defiance DPS gives your organization unmatched insight into who is accessing, or attempting to access, your most sensitive information.

Enterprise-wide deployment - Defiance DPS is the only solution available that gives your company centralized management of policies and market-leading support for all databases and operating systems (including mainframe systems).
(3) Application Security - PCI 1.1 requires that you protect your web application from application attacks, such as cross-site scripting or SQL injection. Protegrity's Defiance™ TMS is a web application security product that is specifically designed to protect the web and web services applications that credit card processors use to collect and display customer credit card information. In combination with Defiance DPS, this is the most comprehensive application and database security offering specifically targeting PCI compliance requirements. Defiance TMS exceeds the protection and performance of other web application security products based on the following criteria:

Enterprise data protection and threat management - Defiance TMS provides protection for all major homegrown and packaged web applications, and works in complex network and application environments.

Simple management interface - Defiance TMS delivers role-based administration, which is critical for maintaining the integrity of the credit card data, as well as operations dashboards and flexible management reporting to enable integration with enterprise security management (IBM, CA, etc.) and common reporting formats (Crystal Reports, SysLog, etc.).

Intelligent Escalation of Threat Protection - Defiance TMS has a learning mode that is fully customizable by the administrator. The increasing levels of protection are based on real-time threat policies.

Multiple Modes of Threat Detection - Defiance TMS includes three detection modes, Bypass, Passive and Active, which are customizable.

Performance and scalability - Defiance TMS has patent-pending application layer security technology which provides linear scalability behind industry-standard load balancers. This technology delivers optimal scalability and performance for enterprise applications. Defiance TMS also delivers monitoring that can be deployed to provide security detection out of band with zero latency.