RSA expands PCI compliance portfolio

Source: RSA

RSA, The Security Division of EMC (NYSE: EMC), today announced its expanded Payment Card Industry Data Security Standard (PCI DSS) Solution portfolio, a suite of products and services that help customers address the most challenging IT security technology issues associated with the PCI DSS.

As part of the RSA PCI Solution, RSA also announced a new blueprint for promoting compliance by discovering data and infrastructure, assessing risk, enacting remediation and ensuring sustained controls.

The RSA PCI Solution portfolio is engineered to help enable customers to discover and manage credit card information effectively; secure that data, as well as access to the data and related technology systems; and help streamline compliance to PCI DSS, as well as other regulatory mandates. The RSA PCI Solution portfolio and blueprint aim to help customers move from a reactive to proactive stance in order to build sustainable programs to address compliance and improve enterprise-wide IT security.

As part of this initiative, RSA is also announcing strategic alliances with two leading suppliers of vulnerability scanning solutions, nCircle Network Security and Qualys, Inc. These alliances enable RSA customers to accelerate their business objectives by giving them a solution to help them conduct quarterly external vulnerability scans, a core requirement of the PCI DSS. In addition, using nCircle and Qualys solutions with RSA enVision(TM) security information & event management technology helps customers gain faster and more accurate visibility into security threats, improving the business' ability to respond and helping to address a key expectation associated with the PCI standard. RSA has also unveiled the RSA PCI Resource Center to provide educational tools and content associated with the PCI standard.

"Companies handling consumer credit card data now face unprecedented levels of accountability for securing that information. The challenges are enormous - companies must understand where card data resides throughout an often-distributed enterprise, and ensure this data, and access to the information, is secure. Companies must also prove that they've taken the precautions outlined in the standard, and that they're actively monitoring for unauthorized access," said Jim Melvin, vice president, Marketing at RSA, The Security Division of EMC. "As a leading vendor focused on helping customers to intelligently manage their information, and securing that information wherever it resides and throughout the entire data lifecycle, the RSA PCI Solution is engineered to help enable customers to achieve and maintain their PCI compliance, and to leverage their investments to protect all of the organization's vital customer, partner and business information."

About the RSA PCI Solution

The PCI DSS is a framework of best practice requirements for all organizations that collect, process or store credit card account and transaction information. Created by the major payment card brands, the standard is designed to protect credit card data throughout the information lifecycle. To help address the requirements, the RSA PCI Solution encompasses a range of IT security technologies and services that answer key customer questions:
  • Where is all of my company's credit card data, and how do I manage that information?
  • How do I ensure that data is secure?
  • How do I streamline compliance and position my business for growth - rather than react to audits?

Key Details

The RSA PCI Solution is based on a six-phase blueprint for helping to achieve and maintain compliance, which begins with discovering data and infrastructure, and extends through the process of ensuring sustainable controls. Each phase also maps to one of three key pain points customers face when addressing PCI compliance: data discovery and management; data security; and streamlined compliance. This blueprint not only helps companies address PCI DSS compliance, but supports broader compliance initiatives by delivering a consistent model for managing the audit cycle.

Credit Card Data Discovery and Management

The PCI DSS uncovers what is essentially an information management challenge. Companies are unable to secure information, often because they cannot find or manage it. The RSA PCI Solution is designed to enable organizations to take a policy-based approach to discovering and classifying information, and offerings to support these efforts include:
  • PCI DSS Pre-Assessment & Gap Analysis professional services offerings that help customers understand their current PCI posture and develop a remediation roadmap prior to undergoing a formal PCI audit.
  • Credit Card Data Discovery & Classification professional services offerings that help customers understand where cardholder data exists across the organization, using a range of data and application discovery tools.
  • EMC Infoscape, an enterprise information risk management solution, helps customers identify credit card data stored in unstructured formats, such as PDF and Excel files. EMC Infoscape discovers files in file shares and classifies them based on both content and file attributes. It can open files and look for keywords and patterns suggesting credit card information and manage these files based on user defined policies.
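As an added illustration of the keyword-and-pattern discovery described above (this is example code, not RSA's or EMC Infoscape's own implementation): a small Python scanner that flags candidate primary account numbers in unstructured text, filters them with the Luhn checksum (an assumption here; the page does not say which patterns Infoscape applies), and reports only masked values so that the findings report does not itself become a store of cardholder data. The sample files are constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Card brand ranges are deliberately ignored;
# the Luhn check below does the filtering.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits, as a PCI-style masked display."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked PANs found in text that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found

def scan_files(files: dict) -> dict:
    """Map file name -> masked findings, for files that contain any."""
    report = {}
    for name, content in files.items():
        hits = find_pans(content)
        if hits:
            report[name] = hits
    return report

# Constructed sample "file share": one real-looking PAN per file at most,
# plus decoys (a phone number, a 20-digit serial, a Luhn-invalid number).
SAMPLE_FILES = {
    "orders.csv": "order,card\n1001,4111111111111111\n1002,4111111111111112\n",
    "notes.txt": "Call 555-0100 about card 4012 8888 8888 1881 tomorrow",
    "readme.txt": "no card data here; device serial 12345678901234567890",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(name, hits)
```

Scanning only flags candidate files; the classification policy that decides what to encrypt, move or delete is a separate step.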

Securing Credit Card Data

To comply with the PCI DSS, customers need to ensure that credit card data is secure wherever it resides across the enterprise, ensure that only users with authorization can access cardholder data systems and guarantee that users accessing the card data are who they claim to be. RSA's PCI blueprint outlines where remediation efforts may fall in the audit process, and RSA delivers solutions that are engineered to resolve and protect against known risks, while implementing controls to protect against further risk:

Products and Solutions
  • RSA Access Manager software is engineered to provide the ability to control access to Web-based resources and enforce centralized user policies across the organization
  • RSA Database Security Manager is built to enable customers to encrypt information at the database level
  • RSA File Security Manager is designed to offer customers the ability to protect credit card data maintained in files on desktops, laptops and servers against internal and external attacks
  • RSA Key Manager is engineered to be an enterprise-wide key management offering that helps organizations to manage encryption keys generated by disparate enterprise applications, and allows corporate software developers to integrate security easily into their applications based on established security policies
  • RSA SecurID two-factor authentication technology is built to provide a proven means of ensuring the identity of users accessing critical resources, including cardholder data
  • EMC Physical Security Solution is designed to be an integrated offering of hardware, software and services that helps enable customers to manage, analyze, archive and scale their physical security and video surveillance information throughout its lifecycle, helping customers monitor the security of physical premises where cardholder data is stored
  • Strategic Partnerships for Enterprise Data Protection - CipherOptics, Decru and NeoScale Systems: Through strategic partnerships with Decru and NeoScale Systems, RSA offers encryption capabilities for disk storage and tape systems. In addition, a strategic partnership with CipherOptics enables RSA to deliver transparent security for data in transit across any Layer 2 or Layer 3 network

  • Application Security Design Assessment Service is designed to provide a quick and accurate diagnosis of the current state of application security
  • EMC Certified Data Erasure Services is designed to use proprietary techniques and industry tools to overwrite storage media to specified levels of erasure
  • Design and Implementation for Storage Encryption service helps customers determine appropriate disk or storage encryption solutions, and integrates them into customer environments
  • Information Security Policy professional service offerings help customers evaluate and develop policies and processes for developing and improving their information security programs

Streamlining Compliance and Ensuring Sustained Controls

RSA's blueprint helps companies establish processes and technology for executing an on-going security and compliance program. In support of this, RSA's solution for compliance and security information management - the RSA enVision solution - is engineered to provide an enterprise-wide platform for collecting, correlating and analyzing security and compliance information across the organization, and supports efforts to track and monitor access to network resources and cardholder data. EMC Centera(TM) and EMC Celerra networked storage platforms integrate with RSA enVision technology and provide customers with the ability to store their critical information to help meet PCI DSS compliance requirements. In addition, RSA enVision technology helps customers move valuable resources towards business-enablement initiatives, rather than simply responding to audits. The Design and Implementation for Security Information Management professional service helps customers deploy the solution quickly.

Successful compliance initiatives pay close attention to such concerns as IT governance, frequent communications with IT and business stakeholders, and careful management against budgets and timelines. RSA Professional Services can help with Program Management and Quality Assurance professional services to design, mobilize and staff a program management office to ensure timely and smooth implementation of recommended technology and process improvements for all phases of the compliance program, from initial conception to final completion.

Customer Success

Cyberklix, a Managed Security Solutions Provider (MSSP) based in Mississauga, Ontario, Canada, built part of its managed security service offering, compliance alerting and reporting, on RSA enVision technology.

"For our retail customers, we provide periodic PCI compliance reports based on built-in reports developed by RSA," said Trevor McDermott, vice president of Sales and Marketing, Cyberklix. "The RSA enVision solution provides us with a significant business advantage because we can capture all the data needed to promote PCI compliance reporting without the need to deploy agents and without impacting the performance of applications."

About RSA's New Strategic Alliances

RSA entered into joint-marketing agreements with Redwood Shores, Calif.-based Qualys, Inc. and San Francisco-based nCircle Network Security, leading providers of vulnerability scanning solutions. Quarterly vulnerability scans are a core requirement of PCI, and a key objective of PCI is to ensure that organizations have visibility into potential data breaches that may be occurring. By using RSA enVision technology with leading vulnerability scanning solutions, organizations can correlate vulnerability alerts generated by the vulnerability scanner with alerts generated by other network and security devices, giving customers greater visibility into their enterprises and helping them respond more quickly.

PCI also requires that companies maintain audit records. Solutions from nCircle and Qualys can conduct the vulnerability scans, while the RSA enVision solution is engineered to maintain the records for proving compliance.

"QualysGuard PCI on demand and RSA enVision solutions now enable organizations to more effectively establish PCI compliance and to adhere to vulnerability management best practices," said Philippe Courtot, CEO and chairman of Qualys.

"We are very excited to be collaborating with RSA to extend their RSA PCI Solution portfolio with nCircle's market-leading agentless security risk and compliance management solutions," said Stefan Petry, vice president of Product Management at nCircle. "The nCircle Certified PCI Scan Service, one of the first to be certified on the enhanced PCI Data Security Standard v1.1, delivers a fully automated, network profiling service that enables merchants to efficiently and cost-effectively verify PCI compliance on a quarterly basis."

About the RSA PCI Resource Center

As part of its PCI Solutions launch, RSA is also introducing the RSA PCI Resource Center. This online portal includes four new white papers on the PCI Standard, a new monthly PCI podcast series, RSA PCI research, and a five-part Webcast series focused on the PCI Standard. In addition, the site includes links to key resources that will help banks, merchants and payment processors to better understand the PCI DSS and its many implications.
