Tim Pickard, VP of international marketing for RSA in EMEA, said the Bedford, Massachusetts-based division of EMC has already been in the PCI market with some of its products. [However], now the teeth are starting to bite in terms of penalties becoming imminent for failure to comply, he said.
Acquiring banks face fines if merchants are found to be out of compliance, so part of the pressure on merchants comes from them. For Level-1 merchants that carry out over 6 million transactions a year via credit cards, the deadline for compliance is September 30 in the UK, with Level 2 coming at the end of the year. Then there are the consumers themselves, who need confidence in their merchants in the wake of things like the TJX data theft case, Pickard said.
RSA has put together a portfolio for a more end-to-end service-cum-product offering, including relationships with two vulnerability-scanning service providers, nCircle and Qualys.
“We can start with pre-assessment, which is a professional services engagement to determine the degree of compliance before a Qualified Security Auditor carries out an audit,” said Pickard. “We’ll then work with both the customer and the QSA to bring them up to compliance, addressing issues such as the ‘data sprawl’ where a company has data distributed about their organization and so needs it classified before deploying infrastructure to comply with the PCI requirement.”
“We use a tool from EMC called InfoScape to find credit card details in both structured stores, such as an Oracle database, and unstructured ones, like a spreadsheet or Word document,” said Richard Nichols, business development director for RSA in EMEA.
Pickard added: “The next phase is to look at the 12 requirements within the PCI DSS, which include things like encryption and key management for protection of stored data, and map them to the customer’s current situation, with a view to their becoming compliant.”
Some of the requirements, such as proper firewalling and patch management infrastructure, are outside RSA’s own remit, though its PS staff will help to meet them. But when it comes to authentication, encryption, and key management for role-based access, this clearly falls into its bailiwick. EMC also has its video surveillance data capture and management offering for controlling physical access, Pickard said.
Pickard said the network monitoring for vulnerabilities is where Qualys and nCircle come in. “Compliance with PCI requires a quarterly scan and they provide the mechanism to carry it out,” he said. RSA will also use the enVision product from last September’s acquisition of Network Intelligence to carry out security information and event management.