Dec 28 — Imperva Inc., a provider of application data security and compliance, announced recently that MarketLive Inc., a provider of global e-commerce solutions for retailers, has achieved the highest-level Payment Card Industry (PCI) Data Security Standard (DSS) compliance using the SecureSphere Web Application Firewall (WAF), Imperva said.
With the help of Imperva, MarketLive’s e-commerce platform, which powers some successful retail web sites, including Frontgate, Gump’s, Norm Thompson, Stride Rite, Sur La Table, and Sundance Catalog, now meets the new PCI DSS 1.1 requirement for protecting cardholder data with application-layer security, Imperva said.
With the help of Imperva’s Web Application Firewall, MarketLive has achieved PCI certification as a Level 2 Payment Card Industry service provider, MarketLive said. As a result, its clients will not have to scramble to meet the June 2008 PCI 6.6 compliance deadline, the company said.
Imperva is a provider of application data security and compliance. Leading enterprise and government organizations rely on Imperva to prevent data theft and abuse, and ensure data integrity, Imperva of Foster City, California said. Its SecureSphere products provide data governance and protection solutions that monitor, audit and secure business applications and databases, it added.
The Imperva SecureSphere products deliver practical solutions to protect sensitive data in the databases, web applications, and web services that support business critical systems, Imperva said. SecureSphere assesses, monitors, and audits all access to an organization’s databases, and tracks and controls user activity through web applications and web services. With SecureSphere, organizations have an automated, proven means to achieve and document regulatory compliance. SecureSphere uniquely saves time and IT resources by operating transparently with no changes to existing infrastructure and dynamically, requiring no manual tuning, the company said.
As a provider of e-commerce platforms for retail web sites that process credit card data, MarketLive had two options with respect to PCI compliance, either to build PCI controls on a case by case basis, which would require performing a mini audit for each customer, or to achieve PCI DSS compliance for the MarketLive platform, which entails putting MarketLive inside the PCI reporting chain, Imperva said.
MarketLive elected to become PCI compliant. Upon reviewing the requirements of PCI DSS v1.1, MarketLive decided to augment a code review with a Web Application Firewall to improve security and reduce its compliance burden, the company said.
For PCI Section 6.6, MarketLive realized it made no sense to rely on code reviews alone, it said. The idea of doing a code review both on an annual basis and a per release basis was not appealing due to the time, effort, and frequency of software version updating and enhancement involved, MarketLive added.
As more Imperva customers become PCI certified, many find that, like MarketLive, a key driver is the ability not only to enhance security but also to reduce the cost of compliance, Imperva said. SecureSphere meets this requirement with the company’s patent-pending dynamic profiling technology, which reduces operational costs of application security by automating policy creation and maintenance, the company said.
The PCI Data Security Council, founded by Visa, MasterCard, Discover, American Express, and JCB Cards, created the PCI DSS to establish and enforce data security standards for merchants, Imperva said. In September 2006, the council introduced PCI DSS version 1.1, which mandates that by June 2008 merchants must ensure that all web-facing applications are protected against known attacks by using either of the following methods: having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or installing an application layer firewall in front of web-facing applications, it said.
Organizations that store, process or transmit cardholder data must comply with the new PCI standard by the deadline or risk fines, sanctions, or a reduction in tier imposed by the PCI Council, Imperva added.