Century Payments selected Trustwave to provide PCI DSS compliance validation solutions to its Level 4 merchants. Century engaged Trustwave to give its merchants access to “TrustKeeper,” Trustwave’s security and compliance web portal. TrustKeeper supports merchants’ compliance efforts by moving them through the complex compliance process with greater ease and efficiency, making the tasks achievable by non-technical users, and it helps facilitate PCI DSS compliance validation for merchants and for acquirers, ISOs and processors with large merchant populations. TrustKeeper also helps merchants complete the required vulnerability scans and receive their PCI DSS compliance certificate.
EVO Merchant Services selected Trustwave to provide PCI DSS compliance validation solutions to its Level 4 merchants. Trustwave is a leading provider of information security and compliance solutions. EVO Merchant Services engaged Trustwave to give its merchants access to TrustKeeper, Trustwave’s security and compliance web portal. The portal supports merchants’ compliance efforts by moving them through the complex compliance process with greater ease and efficiency, making the tasks achievable by non-technical users, to facilitate PCI DSS compliance validation for merchants and acquirers. It features PCI Wizard, which simplifies the complex PCI DSS compliance process.
Trustwave, a provider of information security and compliance solutions, has significantly extended the breadth and value of its “Unified Threat Management” (UTM) solution with the addition of new services that provide critical network protection and address regulatory compliance requirements. Trustwave’s UTM now includes network access control (NAC), vulnerability scanning and log management features. Consolidating these services in a single platform allows Trustwave customers to reduce IT spending by meeting security objectives and compliance requirements with the same technology. Trustwave offers the UTM as a managed service, freeing IT staff to focus on other critical activities and providing additional cost savings. It provides Fully Integrated NAC to detect unauthorized devices and network services for wired and wireless devices that connect to the network; Vulnerability Scanning to report on vulnerabilities in target devices on the network interior, enabling proactive remediation and helping to minimize the risk of compromise; and Log Management to analyze aggregated log data for anomalies, helping with early detection of malicious or unauthorized activity.
Trustwave, a provider of information security and compliance solutions, released its “Payment Card Trends and Risks for Small Merchants” supplement to its 2011 Global Security Report. The report highlights that approximately 90 percent of compromises occur in Level 4 merchant environments. While the risk to small business is clear, this population has been slow to validate compliance with the PCI DSS. The report argues that, for these reasons, acquirers and ISOs are encouraged to implement PCI DSS compliance validation programs for their merchant populations. These institutions, often referred to as program sponsors, help enforce compliance and mitigate risk, and in turn provide a tremendous security benefit for the merchant, as well as for the greater population, by helping to combat ever-evolving data security threats.
The American Bankers Association has extended its endorsement of Trustwave information security and compliance solutions. ABA’s endorsement of Trustwave DataControl offers ABA members access to a unique solution that integrates data leakage prevention with Smart Tag™ encryption. Smart Tags contain encryption and protection policies that stay with data as it travels from device to device, so data is consistently protected at all times and wherever it goes. Trustwave “DataControl” discovers where sensitive data resides across the organization, based on criteria set by the financial institution, and then protects the discovered data by encrypting it.
The American Bankers Association is further endorsing Trustwave information security and compliance solutions for data security, to protect banks from abuse of proprietary and sensitive information. Addressing the risk posed by suspect employees, or “insider” activity, at banking institutions has focused on combating fraudulent behavior aimed at the finances of the bank and its customers, especially with the advent of blogs, social media and open Web forums. Trustwave “DataControl” offers ABA members access to a unique solution that integrates data leakage prevention with “Smart Tag” encryption. Smart Tags contain encryption and protection policies that stay with data as it travels from device to device, so data is consistently protected at all times and wherever it goes. Trustwave DataControl discovers where sensitive data resides across the organization, based on criteria set by the financial institution, and then protects the discovered data by encrypting it.
Recurly subscription billing services has achieved PCI DSS Level 1 service provider compliance validation through Trustwave. Web, mobile, SaaS and publishing companies can now outsource their recurring billing management to Recurly without having to invest heavily in their own infrastructure, while assuring their customers of the highest standard of payment data security. Trustwave validated Recurly’s compliance with the PCI DSS for service providers. The Level 1 requirement applies to any provider who stores, processes or transmits more than 300,000 transactions annually.
Trustwave, a provider of information security and compliance solutions, has upgraded its “WebDefend” Web Application Firewall. A Web application firewall (WAF) is a technology that protects Web applications (such as an e-commerce site) against cyber attacks. Trustwave WebDefend provides Web applications with real-time, continuous security against attacks and data loss, ensures Websites operate as intended and helps businesses comply with the PCI DSS. It protects Web applications from attacks that could disrupt business and compromise sensitive data. The “WebDefend” solution can be purchased as a stand-alone product, or as a component of Trustwave’s 360 Application Security program, which combines Secure Code Training, Application Penetration Testing, Code Review and Trustwave WebDefend with Virtual Patching into a holistic application security program.
Trustwave, the leading provider of payment card industry compliance solutions, announces its support of the updated Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), both Version 2.0, released by the Payment Card Industry Security Standards Council (PCI SSC), October 28, 2010. The new version includes existing requirement clarifications, provides additional guidance and reveals minor changes to evolving requirements.
“After a thorough review of both the PCI DSS and PA DSS, we noted there were no significant changes that would adversely affect our compliant customers or customers in process to become compliant,” said Robert J. McCullen, chairman and CEO of Trustwave. “We stand behind the decisions made by the Council and believe this new version will help further secure payment data.”
The changes to the standards include better alignment between the PA DSS and PCI DSS. In addition, changes to the Self-assessment Questionnaire will better align with the changes to the PCI DSS, and bulleted lists will be broken out into sub-requirements.
After reviewing the updates to both standards, Trustwave believes the following changes are most important to address:
PCI DSS Version 2.0
• Scoping the Cardholder Data Environment (CDE): The PCI SSC clarified that the assessed organization is responsible for the accuracy of its PCI DSS scope, by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope.
• Additional Sources for Secure Coding for Non-Web Based Applications: The PCI SSC clarified that additional sources such as the SANS CWE Top 25 and CERT Secure Coding, in addition to OWASP, can be used as best-practice guidance for vulnerability management.
PA DSS Version 2.0
• Facilitate Centralized Logging: Pertaining to requirement 4.4, the new version will mandate that payment applications facilitate a merchant’s ability to assimilate logs into its centralized log server.
• Cryptographic Clarification: Pertaining to requirement 2.7, cryptographic key material stored by previous versions must now be rendered irretrievable.
• Merger of Requirements 10 and 11: This will help further align the PCI DSS and PA DSS.
“Based on our investigations, these changes align with the problems encountered by our customers,” said Nicholas J. Percoco, senior vice president and head of SpiderLabs, Trustwave’s advanced security team. “Centralizing logging will help organizations more efficiently investigate an anomaly that may be an indication of a cardholder data breach or an attempt.”
“We are pleased to see the changes focused on alignment of PCI and PA DSS as well as the elimination of redundant requirements,” said James Paul, senior vice president of delivery at Trustwave. “The changes will help clarify the relationships and demarcation between PCI and PA DSS assessments.”
To learn more about these and other key changes and how they might affect a merchant, Trustwave has archived its recent webinar, “PCI DSS 2.0: What Can You Expect?” and posted it for on-demand review.
The changes to both standards take effect January 1, 2011. The sunset date for the existing standards is December 31, 2011. Any organization submitting a Report on Compliance or Report of Validation after December 31, 2011 will have to comply with the Version 2.0 standards.
For more information about the PCI DSS and PA DSS, please visit www.pcisecuritystandards.org.
Trustwave’s advanced security team, known as “SpiderLabs” and responsible for application security, incident response, penetration testing, physical security and security research, is set to deliver presentations on these topics. David Bryan will deliver “Pentesting for Fun…and Profit,” exploring real-world penetration testing methodologies, tools and techniques and how the service has evolved over the past few years, and “Making a Sandbox for 10,000 Hackers,” exploring ways to build a secure network infrastructure using enterprise-class hardware while on a tight budget. Nathan Drier will present “Intro to Packet Capture Analysis,” on decoding the languages that computers use to speak to each other; Rob Havelt will deliver “Exploiting a PCI Compliant Network: A How-to Guide,” examining the inaccurate perception that compliance with the PCI DSS automatically ensures an organization’s security; Eric Monti will deliver “iPhone Rootkit? There’s an App for That,” addressing the tools and techniques for developing rootkits on the iPhone; and Rodrigo Montoro will present “Scoring PDF Structure to Detect Malicious Files,” exploring the recent surge in PDF malware attacks.
Trustwave security and compliance solutions experts are set to deliver multiple briefings at “Black Hat 2010” in Las Vegas, July 28 through 29. The briefings will be delivered by members of “SpiderLabs,” the security team at Trustwave responsible for incident response and forensics, penetration testing, application security and security research. David Byrne and Charles Henderson will deliver “GWT Security: Don’t Get Distracted by Bright Shiny Objects,” which will look at common vulnerabilities in Google’s Web Toolkit (GWT). Nicholas Percoco and Jibran Ilyas will present “Malware Freak Show 2010,” which will expand upon their initial Malware Freak Show presentation delivered at DEFCON 17. Steve Ocepek and Charles Henderson will deliver “Need a Hug? I’m Secure,” which will look at the ways manual penetration testing can help an organization protect its environment from 0-day attacks, as well as from more common vulnerabilities like SQL injection and cross-site scripting (XSS).
Trustwave, a provider of information security and compliance solutions, is set to implement its end-to-end encryption solution for the payment card industry. Persistently encrypting cardholder data renders it unreadable to unauthorized third parties, such as hackers who try to steal sensitive information, offering another layer of defense. Implementing end-to-end encryption helps merchants reduce the scope of their PCI DSS compliance validation process. While merchants are still required to validate compliance, if cardholder data is encrypted, the applicability of the PCI DSS review to their business is greatly narrowed. This helps reduce merchants’ compliance costs and significantly lowers the risk of a card compromise. Many industry experts agree that this approach, end-to-end encryption, is the future of credit card security.