Two to Help Achieve PCI 6.6
Achieving Dynamic Vulnerability Assessment, Detection and Remediation for Compliance with PCI Requirement 6.6
Version 2.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) went into effect January 1, 2011, but validation against the previous version of the standard (1.2.1) was allowed until December 31, 2011. As of January 1, 2012, all assessments must be completed under version 2.0 of the standards.
The PCI DSS, mandated by Visa, MasterCard and other card issuers, requires “all merchants with internal systems that store, process or transmit cardholder data” to comply with 12 key data protection measures and submit to security audits. Under the rules, companies must protect cardholder transaction data through logical and physical access controls, activity monitoring and logging, encryption and regular network scans. Companies could face penalties of up to $500,000 for breaching customer credit card information.
Version 2.0 did not introduce any new major requirements. The majority of changes were modifications to the language that clarify the meaning of the requirements and make understanding and adoption easier for merchants. Nonetheless, the official transition to Version 2.0 provides a good opportunity for organizations to study the standards and ensure that they are meeting all of the requirements.
“Although the emphasis is on data security, PCI DSS encompasses a broad security framework that supports data protection,” said Rob Edinger, CISSP & MSIA, Milestone Systems. “For example, Requirement 6 mandates that merchants ‘develop and maintain secure systems and applications.’ Milestone, through its partnerships with F5 and WhiteHat, can help customers meet that mandate cost-effectively.”
Achieving PCI 6.6 Compliance
“Milestone takes advantage of F5’s open iControl API to provide the integration between F5 ASM and WhiteHat Sentinel,” Edinger said. “The combination is an extremely accurate and efficient solution that delivers rapid identification and immediate repair of website vulnerabilities.”
The integration of the two products yields a powerful and efficient solution that provides organizations with a new means of combating the onslaught of website attacks that place data, both customer and corporate, at risk.
The solution combining F5 and WhiteHat also fully meets PCI DSS Requirement 6.6. According to the standard, an organization must, “for public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes,
- Installing a web-application firewall in front of public-facing web applications.”
“The integration of F5 BIG-IP ASM and WhiteHat Sentinel enables customers to achieve both requirements in just one step,” said Edinger. “It’s also cost-effective. Existing customers of both F5 and WhiteHat can leverage their investments with the added security and automation of the combined solution.”
Better Together
F5 ASM provides proactive network- and application-layer protection from generalized and targeted attacks by understanding how users interact with the application. WhiteHat Sentinel is a web-based subscription service that combines advanced proprietary scanning technology with expert analysis, enabling customers to identify, prioritize, manage and remediate website vulnerabilities as they occur. Through the F5 iControl API, WhiteHat Sentinel can directly configure policies on F5 ASM to block exploitation of the vulnerabilities, such as cross-site scripting and SQL injection, found during the scanning process.
Customers benefit through:
- Increased protection via WhiteHat Sentinel’s rapid identification of web application vulnerabilities, with minimal false positives;
- Highly targeted vulnerability remediation (virtual patching) via F5 ASM;
- Simplified management: Data is continuously filtered and validated to provide only actionable results; and,
- Ease of operation: A simple interface with one-click remediation.
“WhiteHat augments F5 ASM, creating a more comprehensive website security solution using trusted data and analysis,” Edinger said. “The F5-WhiteHat integration also simplifies and speeds vulnerability remediation by finding problems and then fixing them through ‘virtual patching.’ Developers gain more time to fix code without leaving applications exposed. They can mitigate the most pressing risks with confidence and address the root issues as time and budgets allow.”
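To make the scan-then-virtual-patch workflow described above concrete, here is an added illustration of the idea in Python. It is not Milestone, F5 or WhiteHat code and does not use the iControl API or Sentinel's real export format; the finding records, the rule structure and the request shape are constructed assumptions. A scanner finding (vulnerability class, path, parameter) is translated into a parameter-level allow-list rule enforced in front of the application, which buys developers time to fix the code without leaving the flaw exposed.

```python
"""Added illustration of scanner-to-WAF "virtual patching".

Not Milestone, F5 or WhiteHat code. The finding format, rule format and
request evaluation below are constructed for the example, not the iControl
API or Sentinel's output.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample: what a scanner might report for two confirmed findings.
SAMPLE_FINDINGS = [
    {"class": "sql_injection", "path": "/account/orders", "parameter": "id"},
    {"class": "xss", "path": "/search", "parameter": "q"},
]

# Allow-list per vulnerability class: the virtual patch narrows the parameter
# to what the application legitimately needs instead of enumerating attack
# strings, which is the part attackers work around.
CLASS_ALLOW = {
    "sql_injection": re.compile(r"^\d{1,10}$"),        # numeric id only
    "xss": re.compile(r"^[\w\s\-.,]{0,100}$"),         # plain search terms, no markup
}


@dataclass(frozen=True)
class VirtualPatch:
    path: str
    parameter: str
    allow: re.Pattern
    finding_class: str


def build_patches(findings):
    """Translate scanner findings into parameter-level enforcement rules."""
    patches = []
    for f in findings:
        allow = CLASS_ALLOW.get(f["class"])
        if allow is None:
            continue  # unknown class: leave to a human policy author, don't guess
        patches.append(VirtualPatch(f["path"], f["parameter"], allow, f["class"]))
    return patches


def evaluate(patches, method, url, body=""):
    """Return ("allow" | "block", reason) for one request.

    Query-string and form-encoded POST body parameters are both checked, so a
    patch cannot be bypassed by moving the parameter between the two.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    for p in patches:
        if parts.path != p.path:
            continue
        for value in params.get(p.parameter, []):
            if not p.allow.fullmatch(value):
                return "block", f"{p.finding_class} virtual patch on {p.path}?{p.parameter}"
    return "allow", ""


if __name__ == "__main__":
    patches = build_patches(SAMPLE_FINDINGS)
    for method, url, body in [
        ("GET", "/account/orders?id=42", ""),
        ("GET", "/account/orders?id=42%27", ""),
        ("POST", "/search", "q=hello%20world"),
        ("POST", "/search", "q=%3Cb%3Ehi%3C%2Fb%3E"),
    ]:
        print(method, url, body, "->", evaluate(patches, method, url, body))
```

The rule deliberately covers only the path and parameter the scanner confirmed, which is what keeps false positives low: the rest of the application is untouched, and the patch is retired once the underlying code fix ships.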
Customers who have F5 ASM with an active maintenance contract and who subscribe to the WhiteHat Sentinel service receive the integration automatically. F5 ASM customers will need to subscribe to the Sentinel service. All WhiteHat customers have access to the F5 ASM integration capabilities in both Sentinel SE and PE, but will need to purchase an F5 ASM to take advantage of the integration. To learn more, contact your Milestone representative.