Retail/PCI
Industry Situation
Any organization that stores, processes, or transmits cardholder data has to
comply with the Payment Card Industry (PCI) Data Security Standard
(DSS). First released in late 2004 as version 1.0 and revised in 2006 as
version 1.1, the PCI DSS outlines a series of IT controls that
organizations must adopt. One critical component of these mandates
focuses on application layer security. Specifically, the PCI DSS
requires that all organizations:
- Review custom application code to identify coding vulnerabilities
- Cover prevention of common coding vulnerabilities (such as those in
the OWASP Top Ten) in their software development processes
- Develop all web applications based on secure coding guidelines such
as the OWASP guidelines
- Conduct an application layer penetration test
And, as of June 30, 2008, all organizations must (Requirement 6.6):
"Ensure that all web-facing applications are protected against
known attacks by applying either of the following methods:
- Having all custom application code reviewed for common vulnerabilities
by an organization that specializes in application security
- Installing an application layer firewall in front of web-facing applications"
Key Challenges for Passing PCI
- Poorly coded web applications that expose SQL injection vulnerabilities
are one of the top five reasons for a PCI audit failure (Forrester Research)
- In 2006, Requirement 6 (Develop and maintain secure systems and
applications) was the 9th most common problem for companies; in 2007 it
was the 2nd most common problem (Qualys)
- In a sample of 85,000 forensic cases, cross-site scripting was one of
the top 10 vulnerabilities (top-tier US forensics company)
- 56% of organizations fail Requirement 6 (VeriSign)
Fortify PCI Experience
- Participating Organization of the PCI Security Standards Council
- Member of the ICSA Labs Web Application Firewall Consortium
- The only vendor that offers both source code review and an application
layer firewall, the two options named in Requirement 6.6
- Two of the top five online US retailers chose Fortify to secure their
applications
- Merchants of all sizes have selected Fortify to help them pass PCI audits
How Fortify can Help
Fortify offers a comprehensive suite of solutions, called Fortify
360, which enables an organization to conduct static analysis of
an application's source code, dynamic analysis of a running application,
and real-time monitoring and protection of a deployed application.
No other company offers all three of these capabilities in one integrated
platform. For a company working toward PCI compliance, Fortify
addresses every application layer requirement, whether it calls for a
dynamic security test, a code review, or an application layer
firewall. Fortify is trusted by organizations of all sizes to help them
pass PCI compliance audits and is at the cutting edge of vulnerability
research, tool development, and deployment practices.