SOURCE: ArcSight

September 24, 2007 08:00 ET

ArcSight Debuts Industry-Leading, Comprehensive, Scalable and Cost-Effective PCI Protection Solution

AirTran Airways, BFS Retail and Commercial Operations, LLC, OfficeMax and Princess Cruises Select ArcSight PCI Protection Suite to Safeguard Cardholder Data and Enforce PCI Compliance

CUPERTINO, CA--(Marketwire - September 24, 2007) - ArcSight, Inc., a leader in enterprise security and compliance management solutions, today announced the ArcSight PCI Protection Suite, an integrated solution that empowers merchants and processors to safeguard their organizations from cardholder or customer data breaches, insider threats and non-compliance risks across the breadth of PCI DSS requirements, thereby protecting their brand and customer trust. The ArcSight PCI Protection solution comprehensively monitors compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and is built on the award-winning ArcSight platform, which provides a foundation for compliance efforts across industry standards and government regulations. The ArcSight PCI Protection Suite is a comprehensive, scalable and cost-effective solution for protecting cardholder data and monitoring ongoing PCI compliance. Level 1 and 2 merchants across the retail, transportation, telecommunications, medical and financial markets have already selected the ArcSight PCI Protection Suite to secure their customers against the growing global threats to cardholder identity and data privacy.

The ArcSight PCI Protection Suite proactively protects cardholder data against breaches, insider threats and non-compliance risks across all 12 PCI requirements through:

--  Real-time monitoring and early-warning breach detection across all
    users, applications, databases and other PCI-impacted IT infrastructure.
--  Automatic and continuous capture, storage and analysis of all events
    across distributed locations.
--  Efficient compliance-posture validation and visibility.
    

Announced customers include AirTran Airways, a subsidiary of AirTran Holdings, Inc., one of America's largest low-fare airlines; BFS Retail and Commercial Operations, LLC, the world's largest chain of company-owned car care centers; OfficeMax, a leading provider of office equipment and services; and Princess Cruises, one of the most recognized cruise lines in the world.

"AirTran Airways operates over 700 flights daily to over 55 destinations, and passengers primarily use major credit cards to purchase tickets," said Michelle Stewart, manager of data security, AirTran Airways. "Our customers place a high degree of trust in us to ensure that their credit card information is protected to the utmost level. We have been proactive with this objective and have selected ArcSight's PCI solution toolset to provide the most reliable protection available today."

Merchants Challenged by Compliance as Risks of Customer Data Breaches Increase

Data breach incidents have become more prevalent and sophisticated in the last few years, with more than 165 million breaches recorded since 2005 (source: Privacy Rights Clearinghouse). In 2006, the average cost per breach was $182 per customer record, including direct incremental costs and lost productivity, as well as negative impact to a corporate brand (source: Ponemon Institute).

"Ensuring customer trust and protecting customer privacy are mission critical to our business at Princess Cruises," said Claude Gigoux, manager, networks and telecommunications, Princess Cruises. "We chose ArcSight initially to help us with other business process and compliance issues. Now we are expanding our deployment to protect customer data on mainframe applications against both internal and external threats and to provide compliance in an automated way to SOX, PCI and other regulations."

Even though upcoming September 30 and December 31 penalty deadlines focus the spotlight on PCI, merchants are challenged to comply in time for a variety of reasons. The 12 PCI guidelines span not only point-of-sale (POS) systems that actually handle the credit card data directly, but the entire underlying infrastructure that interconnects a payment system. Customer and cardholder data can be strewn throughout a merchant's infrastructure, with brick-and-mortar retail outlets often the most vulnerable to risk (based on existing data breach cases) and where the biggest technical challenges of deployment exist. In many cases, merchants are saddled with an infrastructure that has reached its technical limits and cannot provide all the functionality mandated by PCI. Required audits and audit preparation cycles are expensive in both technology and labor to implement, support and test. PCI itself is a moving target, as requirements are expected to continue to evolve over time; and furthermore, being PCI compliant does not ensure an organization against damaging cardholder breaches, which prominent retailers can attest to.

The ArcSight PCI Protection Suite helps merchants cost-effectively address these challenges, providing the following clear benefits:

--  Comprehensive automated monitoring across PCI-affected assets to
    reduce workload and to eliminate human error associated with manual
    monitoring.
--  Centralized monitoring and distributed data collection at remote
    sites, with support for hundreds of devices and applications, including
    legacy systems, to provide organizations overall visibility into their
    distributed cardholder infrastructure and networks.
--  Continuous oversight of PCI controls and automated test procedures to
    meet fiduciary responsibility efficiently.
--  Support for current and evolving compliance and governance initiatives
    for continued life-cycle value.
    

"With the September 30 and December 31 deadlines just around the corner, companies are actively working to address their data security deficiencies, but many of them simply cannot implement all the PCI requirements overnight," said Robert Shaw, CEO, ArcSight. "Over the last 6 months we've seen an increase in the number of customers looking for an automated PCI monitoring solution that provides continuous real-time protection against data breaches in out-of-PCI-compliance networks while also reducing costly and labor-intensive manual compliance efforts. ArcSight's PCI Protection Suite enables these customers to address PCI compliance throughout their distributed retail infrastructure with complete and ongoing visibility into their security and compliance posture."

"The Government Accountability Office (GAO) recently reported that the average cost of a data breach is approximately $1.4 million; and most organizations, including BFS Retail and Commercial Operations, LLC, are doing their best to avoid that extra cost," said Robert C. Warner, executive director, retail information systems, BFS Retail and Commercial Operations, LLC. "Our customers are the core of our business, and we do everything in our power to make sure they're satisfied and their information is safe when doing business with us. This is why we selected ArcSight for PCI compliance; we needed a vendor that would help ensure that our customers' data is secure."

Details of the ArcSight PCI Protection Suite

ArcSight's PCI Protection Suite builds upon the award-winning ArcSight product family and is designed to provide automated, real-time event capture, cost-effective long-term storage and sophisticated analytics across a merchant's card data-flow infrastructure.

The ArcSight PCI Protection Suite is designed for ease of deployment, flexibility and cost-effective life-cycle support of remote sites. ArcSight's unique support for highly distributed environments provides a secure foundation that is centrally managed but easily deployed across a massively dispersed network with large numbers of diverse IT elements and business applications. Merchants can install low-cost, plug-and-play collector appliances at branches or retail locations, or can implement remote collection capabilities in software. Administrators can centrally control, manage and maintain configurations across hundreds or thousands of remote sites. To support remote retail locations that are constrained by low-speed WAN connections, the ArcSight solution provides built-in bandwidth controls so that POS transactional data is not adversely affected by log collection traffic. The solution automatically reprioritizes high severity events for early detection of breaches. Local caching at remote sites provides added protection in the event of extended connectivity loss between remote sites and data centers. The system encrypts logs before forwarding them to a centralized log repository.

ArcSight's PCI Protection Suite automates the collection and monitoring of events from more than 185 different devices and applications, including firewalls, IDSs, switches/routers, network appliances, web servers, databases, applications, application servers, mail servers, authentication servers, kiosks, POS systems and card scanners. The ArcSight solution can collect data for PCI events at rates ranging from hundreds of events per second to hundreds of thousands of events per second and can correlate events from hundreds of thousands of sources.

Once enterprise-wide event data is collected, prepackaged analytics in the form of PCI-specific rules, dashboards and reports give merchants the "big picture" view of the state of protection across PCI-impacted assets and the 12 PCI requirements. As a result, merchants, service providers and processors that store, process or transmit cardholder data are better equipped to run efficient and effective PCI compliance programs to truly protect their cardholder data.

ArcSight's PCI insider threat early-warning system watches users that interact with PCI-impacted assets to get an overall view of activity and to detect suspicious behavior before an actual breach occurs. Should a violation or potential threat arise, ArcSight's response management system provides notification, quarantine and remediation options, enabling intelligent identification, prioritization and response.

The ArcSight PCI Protection Suite also delivers strong configuration management capabilities for security and network devices including routers, switches, VPN devices, firewalls and wireless access points. Through a combination of automated device discovery, network topology visualization, and configuration change detection, auditing and workflow, organizations can easily and cost effectively enforce configuration best practices.

Pricing and Availability

The ArcSight PCI Protection Suite is currently available in a variety of configuration and pricing packages designed to best fit customer needs and deployment environments; packages start at $20,000 (US list). Beyond the comprehensive suite that monitors and protects against breaches and non-compliance across all 12 PCI requirements, options exist for requirement 10 only, and for requirements 1 and 2 only.

Components include:

--  ArcSight ESM: Delivers continuous and thorough cardholder data breach
    detection, monitoring and compliance assessment through centralized event
    analysis via a powerful cross-device correlation engine and sophisticated
    analysis tools that use rules, dashboards and reports.
--  ArcSight Logger: Delivers advanced high-performance log collection,
    cost-effective archival and analysis of PCI-related log data.
--  ArcSight Connectors: Delivers the industry's broadest and deepest
    event collection support spanning the PCI-impacted IT infrastructure,
    including custom sources, in-house applications and physical access points,
    and can be deployed as software or in Connector Appliances.
--  ArcSight Threat Response Manager (TRM): Delivers PCI breach
    remediation workflow through threat isolation, impact analysis,
    notification and quarantining options.
--  ArcSight Network Configuration Manager (NCM):  Delivers sophisticated
    network configuration, monitoring and audit controls to enforce PCI audit
    requirements and monitor regulatory compliance across heterogeneous
    networks.
--  ArcSight PCI Insider Threat Protection Package:  Delivers a
    sophisticated early warning system that detects insider threats to PCI-
    impacted assets before breaches occur.
--  ArcSight Compliance Insight Package for PCI:  Delivers prepackaged
    rules, dashboards and reports that satisfy PCI compliance reporting and
    auditing requirements.
    

For sales information, contact info@arcsight.com or call (408) 864 2600.

About ArcSight

ArcSight is a leading provider of security and compliance solutions that intelligently identify and mitigate business risk and deliver a centralized view of enterprise-wide events across heterogeneous infrastructures. This real-time and historic view into external attacks, insider threats and regulatory compliance provides enterprises, MSSPs and government agencies with the intelligence and response capabilities required to effectively protect and manage their networks and their businesses. For more information, see www.arcsight.com. ArcSight, the ArcSight logo, ArcSight Logger, ArcSight TRM and ArcSight NCM are trademarks of ArcSight, Inc.
