IBM Announces Industry’s First End-to-End Solution for PCI Compliance

New Five-Phase Program Designed to Help Customers Meet All 12 PCI Requirements



ARMONK, NY .-IBM (NYSE: IBM) today announced a new program that provides products and services to help customers achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS). Unlike competitive offerings, the comprehensive program is designed to take companies through the entire PCI compliance process, from assessment to compliance to certification, helping them meet all 12 PCI requirements for safeguarding customer payment card data.

PCI is a global standard that applies to any company that processes, transmits or stores credit card information. The standard was created by credit card companies to help organizations prevent security breaches. Any company that processes credit card data today could be threatened by cyber-crime attacks, resulting in customer identity theft. Those companies that do not achieve PCI compliance could have their ability to process credit cards revoked, or could face increased processing costs. Given the far-reaching impacts security threats can have on organizations, non-compliant companies risk significant financial and customer losses and damaging effects on brand reputation.

Hughes, the world’s leading provider of broadband satellite networks and services, selected IBM to take its HughesNet® broadband network service through the PCI compliance process.

“As a leading managed services provider to major enterprises, Hughes strives to provide a wide range of services and applications to our customers,” said Mike Cook, senior vice president, Hughes. “PCI DSS compliance is critical to our customers’ operations, and it is imperative that the network services we provide meet those requirements. IBM’s comprehensive program took us successfully through the entire process, from assessment through to certification.”

Despite the threats of fines and a recent rash of high-profile data breaches, the rate of PCI compliance is estimated to be less than 50 percent. In fact, according to a report by industry analyst firm Gartner, Inc., Visa USA indicates that, as of July 2007, 39 percent of level-one merchants (defined as those that process more than 6 million transactions annually) and 33 percent of level-two merchants (defined as those that process between 1 million and 6 million transactions annually) are compliant with the PCI Data Security Standard.(1)

“As many merchants have learned in recent years, meeting some or even most of the mandated PCI requirements is no longer sufficient,” said Kristin Lovejoy, director of strategy for Governance and Risk Management at IBM. “As a global leader in security technology and consulting services, IBM has the knowledge and expertise to provide a comprehensive solution for helping merchants comply with the PCI standard.”

Only IBM Helps Organizations Address All 12 Requirements

The PCI Data Security Standard is a set of 12 requirements for safeguarding payment card data. These requirements range from installing and maintaining firewall configurations to encrypting transmission of cardholder data and maintaining proper policies and testing procedures.

To help customers meet all 12 of these requirements, the IBM PCI solution includes consulting services for compliance gap analysis, remediation, validation, ongoing testing and reporting, as well as a range of products that help organizations with each aspect of security planning, management and compliance reporting. For example, IBM can offer security process assessment, security information and event management, storage management, encryption, identity and access management, change and configuration management, intrusion prevention systems, application layer testing and user activity monitoring software. Additionally, IBM is one of only three companies in the world that is globally certified to perform PCI Assessments, PCI Quarterly Network Scanning, PCI Payment Application Assessments and PCI Incident Response Services.

IBM implements its PCI solution through a five-phase program that includes the following elements:

* Assessment - This includes an overall “security health check” to understand areas for remediation and how to become and remain compliant.
* Design - This phase involves development of security strategy, policies, standards and procedures, as well as incident response planning, security architecture design and implementation planning.
* Deployment - This phase focuses on implementation and optimization of security software and hardware to help secure customer data, both in motion and at rest, as well as on migration services and vulnerability remediation.
* Management - IBM provides ongoing support on this phase with security monitoring and management software solutions, as well as staff augmentation and emergency response, forensic analysis and threat-analysis services.
* Education - IBM provides ongoing product courses, training and security awareness programs so customers can appropriately train personnel to maintain PCI compliance over the long term.

In addition to current product and service offerings, IBM is also adding specific PCI compliance capabilities to its IT Governance and Risk Management portfolio. For example, IBM Internet Security Systems recently upgraded the IBM Proventia Network Enterprise Scanner product with several PCI-specific vulnerability checks to simplify the process of performing network vulnerability assessments as part of a PCI compliance program. Additionally, the IBM Proventia Network Multifunction Security unified threat management solution alone addresses 10 of the 12 PCI security requirements in a single product.

IBM Tivoli Compliance Insight Manager, a software solution providing an audit and compliance dashboard and reporting engine, now also includes a PCI DSS Module with a series of report templates specifically designed to demonstrate an organization’s policy compliance. Additionally, the IBM portfolio now also includes IBM Rational AppScan to support PCI DSS mandates by automating application layer vulnerability and penetration testing to identify common and new vulnerabilities throughout the software development lifecycle from development to operations.

IBM also offers the ability for customers to leverage their current mainframe investments for PCI audits. To satisfy auditors, the mainframe offers fortress-like security mechanisms such as secure access controls and encryption solutions, and network security features like built-in intrusion detection services and network security policy agents. Together, these elements can help mitigate identity theft.

In addition to providing products and services, IBM can assist clients with compliance efforts through the deep knowledge, experience and guidance of its security consulting team.