Fortify's PCI Solution to Help Merchants Pass Compliance Audits in Advance of Dec. 31 Deadline  

(Oct 17, 2007) -- Fortify Software announced that its Payment Card Industry (PCI) Solution -- a bundle of Fortify's award-winning products and services designed to help retailers meet PCI requirements -- provides merchants the means to become compliant with the PCI Data Security Standard (DSS) prior to an upcoming Dec. 31 deadline. Fortify, which has grown its compliance practice by more than 500 percent over the past two years, has a customer list that includes two of the top four online retailers in the United States.

Despite the growth in Fortify's PCI practice, the majority of retailers, and other businesses that process credit card transactions, have been slow to adopt true application layer defenses. Many Level 1 merchants were not in compliance with the Standard when their recent Sept. 30 deadline passed, and a large percentage of Level 2 merchants will be scrambling over the next few months in an effort to pass audits before their Dec. 31 deadline.

"We have been fielding many questions from entities who are trying to achieve PCI compliance; requirement 6, to 'Develop and maintain secure systems and applications,' is one area where customers are confused about how to comply," stated Diana Kelley, a vice president and senior analyst for the Burton Group. "Securing and protecting applications that manage cardholder data is a critical piece of the cardholder data protection puzzle. Tools such as source code analysis and application layer firewalls can help entities control risk of cardholder data loss and also help them meet the Section 6 compliance requirements."

PCI auditors across the nation have reported that application security is one of the most commonly failed areas of the PCI DSS, and statistics from respected industry analyst firms that supported this claim were part of the reason credit card companies put application security requirements into the DSS and recommended source code analyzers and application firewalls as solutions.

"With a majority of attacks now directed at the application layer, the prospect of so many vendors being non-compliant is frightening," said Brian Chess, Fortify's founder and Chief Scientist. "Our customers tell us that Section 6 is one of the top reasons for failing a PCI audit, and they look to us for help in making it over the bar when it comes to code review, high fidelity testing and defect mitigation. But beyond compliance, businesses should keep the end goal in mind: creating systems their customers can trust. Fortify's PCI Solution meets regulatory requirements and reduces overall security risk."

Fortify's PCI solution specifically focuses on the two sections of the DSS that detail application security requirements: Section 6, regarding developing and maintaining secure applications, and Section 3, regarding protecting and storing data. The PCI Solution, which consists of Fortify(R) SCA, a source code analyzer that eliminates vulnerabilities in an application's code base; Fortify(R) Defender, an application-layer firewall; and Fortify's Professional Services, offers an immediate solution to secure sensitive data now, as well as a long-term strategy to ensure new applications are developed securely. This bundle of award-winning software and services enables retailers to:

-- Secure Applications Now -- Fortify Defender is a contextual Web-application firewall that protects and monitors Web applications from the inside. This unique approach offers critical insight into attacks and addresses PCI standards for an application-layer firewall. Section 6.6 of the PCI DSS currently recommends as a best practice the use of an application layer firewall or a professional code review. All merchants and service providers that store, process or transmit cardholder data must comply with these standards when it becomes a requirement. Fortify offers the most effective, accurate and easy-to-use solution for fulfilling this PCI standard, as it not only addresses PCI, but also additional key software security compliance requirements, such as FISMA and HIPAA.

-- Secure Applications Before They are Deployed -- Fortify SCA is the world's most proven and widely used source code analyzer. Its advanced features enable security professionals to review more code and prioritize issues in less time, while helping development teams identify and fix issues early and with less effort. Fortify SCA supports a wide variety of languages, frameworks and operating systems, and delivers depth and accuracy in its results. It can be tuned to be comprehensive when completeness is needed or extremely targeted for day-to-day use in development. It makes triage, full-scale audits and remediation fast and effective.



Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.