November 01, 2007 06:05 ET
IBM Announces Industry's First End-to-End Solution for PCI Compliance
New Five-Phase Program Designed to Help Customers Meet All 12 PCI Requirements
ARMONK, NY--(Marketwire - November 1, 2007) - IBM (NYSE: IBM) today announced a new program
that provides products and services to help customers achieve compliance
with the Payment Card Industry Data Security Standard (PCI DSS). Unlike
competitive offerings, the comprehensive program is designed to take
companies through the entire PCI compliance process, from assessment to
compliance to certification, helping them meet all 12 PCI requirements for
safeguarding customer payment card data.
PCI DSS is a global standard that applies to any organization that stores,
processes or transmits payment card data. It was created by the major
payment card brands to help organizations prevent data breaches. Any
company that processes credit card data today could be threatened by
cyber-crime attacks, resulting in customer identity theft. Those companies
that do not achieve PCI compliance could have their ability to process
credit cards revoked, or could face increased processing costs. Given the
far-reaching impacts security threats can have on organizations,
non-compliant companies risk significant financial and customer losses and
damaging effects on brand reputation.
Hughes, the world's leading provider of broadband satellite networks and
services, selected IBM to take its HughesNet® broadband network service
through the PCI compliance process.
"As a leading managed services provider to major enterprises, Hughes
strives to provide a wide range of services and applications to our
customers," said Mike Cook, senior vice president, Hughes. "PCI DSS
compliance is critical to our customers' operations, and it is imperative
that the network services we provide meet those requirements. IBM's
comprehensive program took us successfully through the entire process, from
assessment through to certification."
Despite the threats of fines and a recent rash of high-profile data
breaches, the rate of PCI compliance is estimated to be less than 50
percent. In fact, according to a report by industry analyst firm Gartner,
Inc., Visa USA indicates that, as of July 2007, 39 percent of level-one
merchants (defined as those that process more than 6 million transactions
annually) and 33 percent of level-two merchants (defined as those that
process between 1 million and 6 million transactions annually) are
compliant with the PCI Data Security Standard.(1)
"As many merchants have learned in recent years, meeting some or even most
of the mandated PCI requirements is no longer sufficient," said Kristin
Lovejoy, director of strategy for Governance and Risk Management at IBM.
"As a global leader in security technology and consulting services, IBM has
the knowledge and expertise to provide a comprehensive solution for helping
merchants comply with the PCI standard."
Only IBM Helps Organizations Address All 12 Requirements
The PCI Data Security Standard is a set of 12 requirements for safeguarding
cardholder data. These requirements range from installing and maintaining
firewall configurations, to encrypting cardholder data in transit across
open, public networks, to regularly testing security systems and processes
and maintaining an information security policy.
To help customers meet all 12 of these requirements, the IBM PCI solution
includes consulting services for compliance gap analysis, remediation,
validation, ongoing testing and reporting, as well as a range of products
that help organizations with each aspect of security planning, management
and compliance reporting. For example, IBM can offer security process
assessment, security information and event management, storage management,
encryption, identity and access management, change and configuration
management, intrusion prevention systems, application layer testing and
user activity monitoring software. Additionally, IBM is one of only three
companies in the world that is globally certified to perform PCI
Assessments, PCI Quarterly Network Scanning, PCI Payment Application
Assessments and PCI Incident Response Services.
IBM implements its PCI solution through a five-phase program that includes
the following elements:
-- Assessment - This includes an overall "security health check" to
understand areas for remediation and how to become and remain compliant.
-- Design - This phase involves development of security strategy,
policies, standards and procedures, as well as incident response planning,
security architecture design and implementation planning.
-- Deployment - This phase focuses on implementation and optimization of
security software and hardware to help secure customer data, both in motion
and at rest, as well as on migration services and vulnerability
-- Management - IBM provides ongoing support on this phase with security
monitoring and management software solutions, as well as staff augmentation
and emergency response, forensic analysis and threat-analysis services.
-- Education - IBM provides ongoing product courses, training and
security awareness programs so customers can appropriately train personnel
to maintain PCI compliance over the long term.
In addition to current product and service offerings, IBM is also adding
specific PCI compliance capabilities to its IT Governance and Risk
Management portfolio. For example, IBM Internet Security Systems recently
upgraded the IBM Proventia Network Enterprise Scanner product with several
PCI-specific vulnerability checks to simplify the process of performing
network vulnerability assessments as part of a PCI compliance program.
Additionally, the IBM Proventia Network Multifunction Security unified
threat management solution alone addresses 10 of the 12 PCI security
requirements in a single product.
IBM Tivoli Compliance Insight Manager, a software solution providing an
audit and compliance dashboard and reporting engine, now also includes a
PCI DSS Module with a series of report templates specifically designed to
demonstrate an organization's policy compliance. Additionally, the IBM
portfolio now also includes IBM Rational AppScan to support PCI DSS
mandates by automating application layer vulnerability and penetration
testing to identify common and new vulnerabilities throughout the software
development lifecycle from development to operations.
IBM also offers the ability for customers to leverage their current
mainframe investments for PCI audits. To satisfy auditors, the mainframe
offers fortress-like security mechanisms such as secure access controls and
encryption solutions, and network security features like built-in intrusion
detection services and network security policy agents. Together, these
elements can help mitigate identity theft.
In addition to providing products and services, IBM can assist clients with
compliance efforts through the deep knowledge, experience and guidance of
its security consulting team.
For more information regarding IBM's PCI compliance offerings, please
For more information about IBM, please visit www.ibm.com.
(1) Gartner, Inc., "PCI Questions Are Often Clearer Than Their Answers," by
Avivah Litan and John Pescatore, August 7, 2007.