QuietMove security consulting

PCI Security Standards Council Clarifies Web Application Security Requirements

The clarification document is available here: https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf

A few comments:

We are very pleased that the document highlights the value of defense in depth strategies.

While it specifies that testing can be performed by internal resources, so long as they are independent from the development organization, it also clarifies the role of 3rd party testing organizations like QuietMove:

“While the final sign-off/approval of the review/scan results must be done by an independent organization, it is recommended that reviews and scans also be performed as early as possible in the development process. Tools should be made available to software developers and integrated into their development suite as much as practical.”

The Web Application Firewall product selection and configuration criteria are also defined in depth.

Bravo to PCI SSC for clarifying these requirements.


Managing Partner Adam Muntner Speaks at Ziff Davis Security Management Virtual Tradeshow

Ziff Davis Security Management Virtual Tradeshow

At the Ziff Davis Media Security Management Virtual Tradeshow on Feb. 22, 2007, “Take Back Control: How to be Secure in a Zero-Day Attack World,” QuietMove Managing Partner Adam Muntner was a featured speaker. The one-day interactive live online event focused on integrating security technology, policy, and practices to defend against constantly evolving threats.

Mr. Muntner’s talk was about “The Importance of Testing Security Awareness Training.” He drew on his experience in designing and managing awareness programs, and on how QuietMove uses a combination of “Social Engineering” and “Physical Penetration Testing” to evaluate the effectiveness of security awareness programs. He discussed how to design a security awareness training program, implement it, and test its effectiveness to determine whether the training is aligned with an organization’s actual risks. He also discussed how to use this process as a feedback loop for continual awareness metrics and improvement.

The Ziff Davis Media press release is archived here:

http://www.ziffdavis.com/press/releases/070221.0.html

The presentation, which is free but requires registration to view, is archived here:

http://presentations.inxpo.com/Shows/ZiffDavisEnterprise/VTS/02-07/Website/home.htm

Please fill out this Contact Form with your feedback, or if you would like a QuietMove security expert to speak at your event.


QuietMove is Recognized as a PCI Approved Scanning Vendor

Find out more about our MasterCard SDP and PCI Data Security Standard testing and payment card industry security services.

Scottsdale, AZ (July 18, 2006) - QuietMove, an Information Security consultancy recognized as an innovator in assessing enterprise risk, penetration testing, application security, and information security education, announced today that it successfully completed the rigorous MasterCard Site Data Protection (SDP) scanning vendor compliance process. This certification demonstrates that QuietMove has the appropriate technical expertise, tools, methodology and reporting processes to deliver an SDP compliant scanning solution. This scanning solution is now mandatory for processors of MasterCard and Visa credit cards.

By completing the MasterCard SDP Scanning Vendor certification process, QuietMove is now approved to officially certify its customers’ compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) on a quarterly basis. QuietMove is now allowed to perform security scans which evaluate the security perimeter of Merchants, Service Providers, Third Party Processors (TPP), and Data Storage Entities (DSE) web sites and Internet presence. PCI standards require that all online merchants processing 20,000 or more e-commerce transactions per year must undergo regular, quarterly testing by an SDP Compliant third party scanning vendor such as QuietMove.

It is extremely important that Merchants, Service Providers, TPP, and DSE become compliant with the PCI Data Security Standard to avoid potential fines and being barred from processing credit cards. Visa and MasterCard can impose fines of up to $500,000 per event for non-compliance and security compromises. QuietMove is now certified to provide the testing and documentation that its customers have taken due care to support their information assets.

“Achieving MasterCard SDP approved Scanning Vendor status demonstrates our commitment to investing in vertically focused regulatory compliance security solutions,” said Jeffrey Rassas, CEO of QuietMove. “We will continue to invest in our portfolio of comprehensive security solutions which identify, analyze, model, and reduce threats to our customers’ information assets. We are excited to have achieved recognition of our efforts by MasterCard.”

“We recognize that our clients expect more than an automated scanner. Our PCI services treat compliance as more than a checkbox,” said Adam Muntner, a certified CISSP and President of QuietMove. “By utilizing our experienced, professional consultants to use two PCI Approved automated scanning solutions to help eliminate false positives and negatives, performing manual validation of all results, identifying strategic changes which will prevent new vulnerabilities from being introduced into our customers’ environments in the future, and reviewing the results with our customers to ensure they have the skills and knowledge to remediate them, we offer a true consultative service. I designed our methodology to help our clients get in front of the threat rather than just telling them which patches to apply on a quarterly basis. We fill the gap between compliance and true security.”

About QuietMove
QuietMove is a trusted provider of risk assessment and security solutions designed to protect our customers’ information assets and business processes with end-to-end, multi-layered security solutions that align security resources with business risk. We secure the nexus between people, technology, and data to protect our clients from known and emerging threats. Founded by IT Security and e-Commerce industry veterans with decades of experience, QuietMove is uniquely qualified to advise our clients on the deployment of their security resources where they matter most.

About MasterCard SDP
The MasterCard Site Data Protection Program is a proactive, cost-effective, global solution offered by MasterCard through its acquiring members. The program provides acquiring customers with the ability to deploy security compliance programs, assisting online merchants and Member Service Providers to better protect against hacker intrusions and account data compromises. The program takes a proactive approach to security by identifying common possible vulnerabilities in a merchant web site and makes recommendations for short- and long-term security improvements. The solution addresses the security issues that online merchants and their acquiring banks face in the virtual world, and concerns arising from these issues, such as Internet fraud, chargebacks, brand image damage, consumer information safety and privacy, and the cost of replacing stolen account numbers.

QuietMove’s SDP Certified Scanning Vendor Certificate Number is 4140-01-02.