NEWS: QualysGuard PCI 5.0 for pre-test PCI testing
You know when your car needs an MOT test, but you’re not quite sure that it will pass first time? You have a choice, don’t you? You could take it straight to the test centre, pay for the test, then take it away to fix the problems or leave it there to have them fixed and potentially have to start the test process again… Or you can take it to a friend who knows his stuff; have him look at it and tell you what needs to be done to pass the test. The latter option is usually cheaper and less intrusive than the former – if you’ve got a suitable friend who will do the work economically.
Well, the new QualysGuard PCI 5.0 is a bit like the economical friend who can offer you the latter option. The idea is that you buy the product and it tells you what you need to do to get your systems through their MOT test (in this case, more usually known as PCI DSS validation). The MOT and PCI DSS are quite similar in principle. If you want to drive your car on public roads (rather than up and down your private drive), you need a valid MOT Certificate. And if you want to process payment cards (rather than simply accept cash or a cheque), you need to validate your compliance with the PCI DSS. Strictly speaking, PCI DSS is not a law or a certification: it is a contractual requirement imposed by the card brands and your acquirer, but the effect is the same. The MOT is necessary if you wish to remain within the law; PCI DSS validation is necessary if you wish to continue to process card payments. The main difference is that PCI DSS validation is far more complex and potentially expensive than an MOT test.
Where QualysGuard PCI really begins to win over your mechanic friend is when you have multiple IP addresses to validate. If you have multiple cars, you’ll need to pay your friend for each one: but with a suitable QualysGuard licence you won’t see the same linear increase in cost for PCI compliance.
New QualysGuard PCI 5.0 features include:
- Dashboard Homepage. The new home page is a starting hub for all the important workflows like asset wizard, SAQ wizard or starting a scan. It instantly provides users with the status of compliance, including percentage of hosts that pass and counts of high, medium and low vulnerabilities.
- Asset Scoping Wizard. A new workflow has been added to walk customers through the process of identifying IPs and domains that are in scope for PCI compliance.
- Compliance Wizard. Customers are required to work with Approved Scanning Vendors (ASVs) to confirm on a quarterly basis that scan reports adhere to PCI DSS requirements for scoping, false positive documentation and scan completeness. The new compliance wizard walks customers through each step of the process, presenting what the user needs to complete in order to generate the compliance report, including special notes, the consolidated action plan and the mandatory merchant attestation.
- Interactive Reports. The ASV scan report now includes a new format with additional content, revised scoring terminology (High, Medium and Low), and sections for attestations. The report is fully interactive as it highlights confirmed and potential vulnerabilities, with sliding panels for detailed information and quick filters to search and sort on various criteria instantly.
- False Positives Reporting. Approved false positives must be re-validated by the ASV on a quarterly basis. New workflows provide an easy-to-use interface to identify these false positives and resubmit them for approval every 90 days.
“With the growing number of financial transactions on the Internet and increasing attempts to steal credit card data, achieving PCI DSS compliance has become vital to ensure the protection of credit card data. However, it can be a challenging task as the PCI Security Standards Council continues to add new requirements to address the new attacks. This new release raises the bar in terms of ease of use and interactivity while fully supporting the new PCI DSS requirements.”
Philippe Courtot, chairman and CEO, Qualys