Mapping QualysGuard Suite to the PCI Data Security Standard Requirements

Brief


Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

PCI DSS 1.2 Requirement | QualysGuard Suite Coverage of the PCI Requirement

1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

QualysGuard can remotely check for the presence of personal firewalls on servers, desktops and laptops.

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords & Other Security Parameters

2.1 Always change vendor-supplied defaults before installing a system on the network—for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.

QualysGuard can be used to verify that vendor defaults are not used by checking for default and system accounts on servers, desktops and network devices.

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

QualysGuard can be used to verify that default settings and default passwords are not used across wireless devices connected to the wired network.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

QualysGuard can automatically validate the compliance of deployed systems with the configuration standards that PCI DSS mandates.

2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device’s specified function).

QualysGuard can discover systems on the network and detect the network-exposed services running on them, which significantly reduces the effort needed to bring the environment into compliance.


2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, sub-systems, file systems, and unnecessary web servers.

QualysGuard can discover some of the insecure and typically unnecessary functionality exposed to the network, which significantly reduces the effort needed to bring the environment into compliance.

2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

QualysGuard can validate that encrypted protocols are in use across systems and that unencrypted communication is not enabled on servers and workstations (SSH rather than Telnet, SSL/TLS rather than cleartext HTTP, and so on).
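The checks for 2.2.2 and 2.3 both start from a list of network-exposed services. The following added example (written for this page; it is not Qualys code and makes no use of the QualysGuard API) shows the shape of that check: it parses nmap's grepable (-oG) output, ignores ports that are not actually open, reports cleartext administrative protocols such as Telnet, rsh and FTP as failures against 2.3, and lists plain HTTP for review, since a scanner cannot tell from the port alone whether an HTTP listener is a management interface. The scan lines, hosts and ports are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed nmap -oG lines for the example; not output from a real scan.
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.20.0.11 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/open/tcp//https///
Host: 10.20.0.12 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 3306/open/tcp//mysql///
Host: 10.20.0.13 ()\tPorts: 22/open/tcp//ssh///, 8443/open/tcp//https-alt///, 23/filtered/tcp//telnet///
Host: 10.20.0.14 ()\tStatus: Up
"""

# Service name as nmap reports it -> encrypted replacement (PCI DSS 2.3).
CLEARTEXT_ADMIN = {
    "telnet": "SSH", "rsh": "SSH", "rlogin": "SSH", "rexec": "SSH",
    "ftp": "SFTP or FTPS",
}
# Plain HTTP may or may not front an administrative interface, so it is
# reported for manual review rather than as an outright failure.
REVIEW_SERVICES = {"http", "http-alt", "http-proxy"}

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")


@dataclass(frozen=True)
class ServiceFinding:
    host: str
    port: int
    service: str
    verdict: str   # "fail" or "review"
    note: str


def parse_grepable(text):
    """Yield (host, port, state, protocol, service) for every port entry.

    Grepable port entries look like 22/open/tcp//ssh//OpenSSH 8.9/ with the
    fields port/state/protocol/owner/service/rpc-info/version.  Comment lines
    and hosts without a "Ports:" field (for example "Status: Up" only) are skipped.
    """
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            yield host, int(fields[0]), fields[1], fields[2], fields[4]


def audit_exposed_services(text):
    """Return findings for cleartext or review-worthy services that are open."""
    findings = []
    for host, port, state, proto, service in parse_grepable(text):
        if state != "open":
            continue   # filtered or closed ports are not exposed to clients
        if service in CLEARTEXT_ADMIN:
            findings.append(ServiceFinding(
                host, port, service, "fail",
                f"cleartext administrative protocol on {proto}/{port}; "
                f"replace with {CLEARTEXT_ADMIN[service]} (PCI DSS 2.3)"))
        elif service in REVIEW_SERVICES:
            findings.append(ServiceFinding(
                host, port, service, "review",
                "confirm this is not an unencrypted management interface (2.3) "
                "and that the service is required at all (2.2.2)"))
    return findings


if __name__ == "__main__":
    for f in audit_exposed_services(SAMPLE_NMAP_GREPABLE):
        print(f"{f.verdict.upper():6} {f.host}:{f.port} {f.service}: {f.note}")
```

Feeding real scanner output in place of the sample string is the only change needed to run this against an in-scope segment; a policy-compliance tool does the same classification on a much larger service catalogue.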

Requirement 3: Protect Stored Cardholder Data

3.4 Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).

QualysGuard can confirm that encryption is in use across the PCI in-scope systems by checking system configuration settings relevant to encryption.

3.5 Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.

QualysGuard can be used to validate security settings relevant to protection of system encryption keys.

Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

QualysGuard can validate the use of strong cryptographic protocols by checking the relevant system configuration settings and can detect instances of insecure cipher use across the in-scope systems.

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

QualysGuard can attempt to detect wireless access points from the network side and validate the use of proper encryption on those access points.

Requirement 5: Use and Regularly Update Anti-Virus Software or Programs

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

QualysGuard can validate whether anti-virus software is installed on in-scope systems.

5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

QualysGuard can be used to check whether anti-virus tools are running. This feature will be added in 2009.

Requirement 6: Develop and Maintain Secure Systems and Applications

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.

QualysGuard can be used to detect missing OS and application patches and security updates.

6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet).

QualysGuard is continuously updated with new vulnerability information and can be used to track newly discovered vulnerabilities.

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods (the brief covers the first): reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.

QualysGuard can be used to assess Web application security.

Requirement 7: Restrict Access to Cardholder Data By Business Need-to-Know

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

QualysGuard can analyze database user rights and permissions, looking for broad and insecure grants.

Requirement 8: Assign a Unique ID to Each Person with Computer Access

8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.

QualysGuard can be used to look for active default or generic accounts (root, system, etc.), whose use indicates that account sharing takes place.

8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

Password or passphrase

QualysGuard can be used to look for user accounts with improper authentication settings, such as accounts with no password or with a blank password.

8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

QualysGuard can detect system configuration settings that permit unencrypted or inadequately encrypted passwords across systems.
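The checks described for 8.1, 8.2 and 8.4 all come down to reading the local account database. The following added example (written for this page; it is not Qualys code and makes no use of the QualysGuard API) shows one authenticated check over a Unix /etc/shadow file: it distinguishes blank password fields (8.2) from locked accounts, classifies the stored hash by its crypt(3) identifier so that MD5-crypt and traditional DES crypt are reported as inadequate storage (8.4), and flags generic accounts such as root that still have an active password (8.1). The shadow entries are constructed for the example and the hash strings are placeholders with realistic prefixes, not real digests.

```python
import re
from dataclasses import dataclass

# Constructed /etc/shadow sample (not from any real system); the hashes are
# placeholders with the right $id$ prefixes, not real password digests.
SAMPLE_SHADOW = """\
root:$6$abc123$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
jsmith:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERHASH:19700:0:99999:7:::
kiosk::19700:0:99999:7:::
olddes:AbCdEfGhIjKlM:19700:0:99999:7:::
svc_backup:!:19700:0:99999:7:::
"""

# Shared or generic accounts that should not be used for interactive logins
# (PCI DSS 8.1).  Assumed list for the example; extend it per environment.
GENERIC_ACCOUNTS = {"root", "admin", "administrator", "guest", "oracle", "postgres"}

# crypt(3) hash identifiers: sha256 ($5$), sha512 ($6$), bcrypt ($2a$/$2b$/$2y$),
# scrypt ($7$) and yescrypt ($y$/$gy$) are acceptable; MD5-crypt ($1$) is not.
STRONG_HASH_IDS = {"5", "6", "2a", "2b", "2y", "7", "y", "gy"}
WEAK_HASH_IDS = {"1"}


@dataclass(frozen=True)
class Finding:
    account: str
    requirement: str   # PCI DSS 1.2 requirement the finding maps to
    detail: str


def classify_password_field(field: str) -> str:
    """Return 'blank', 'locked', 'strong', 'weak' or 'unknown' for a shadow password field."""
    if field == "":
        return "blank"                     # any password, including none, is accepted
    if field.startswith(("!", "*")):
        return "locked"                    # password login disabled for this account
    if field.startswith("$"):
        hash_id = field.split("$")[1]
        if hash_id in STRONG_HASH_IDS:
            return "strong"
        if hash_id in WEAK_HASH_IDS:
            return "weak"
        return "unknown"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "weak"                      # traditional DES crypt: 2-char salt + 11 chars, 8-char limit
    return "unknown"


def audit_shadow(shadow_text: str) -> list[Finding]:
    """Map each shadow entry to PCI DSS 8.1 / 8.2 / 8.4 findings."""
    findings = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry")
        account, password = fields[0], fields[1]
        state = classify_password_field(password)
        if state == "blank":
            findings.append(Finding(account, "8.2", "blank password: login without authentication"))
        elif state == "weak":
            findings.append(Finding(account, "8.4", "password stored with weak hash (MD5-crypt or DES crypt)"))
        elif state == "unknown":
            findings.append(Finding(account, "8.4", "unrecognised hash format; verify manually"))
        if account in GENERIC_ACCOUNTS and state != "locked":
            findings.append(Finding(account, "8.1", "generic account has an active password; indicates shared logins"))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"Req {f.requirement}: {f.account}: {f.detail}")
```

Reading /etc/shadow requires root, which is exactly why the brief's authenticated checks need credentials on the target; an unauthenticated network scan cannot see any of this.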


8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components.

QualysGuard can validate an extensive set of user account security settings and password security parameters across systems.

Requirement 11: Regularly Test Security Systems and Processes

11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.

QualysGuard can attempt to detect wireless access points from the network side and thus help detect rogue access points.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

QualysGuard scans for vulnerabilities both from inside and from outside the network. Qualys is an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council, so QualysGuard can be used both for the external ASV scans and for ongoing internal scanning.


© Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 01/09

USA – Qualys, Inc. • 1600 Bridge Parkway, Redwood Shores, CA 94065 • T: 1 (650) 801 6100 • [email protected]
UK – Qualys, Ltd. • 224 Berwick Avenue, Slough, Berkshire, SL1 4QT • T: +44 (0) 1753 872101
Germany – Qualys GmbH • München Airport, Terminalstrasse Mitte 18, 85356 München • T: +49 (0) 89 97007 146
France – Qualys Technologies • Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie • T: +33 (0) 1 41 97 35 70
Japan – Qualys Japan K.K. • Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo • T: +81 3 6860 8296
Hong Kong – Qualys Hong Kong Ltd. • 2/F, Shui On Centre, 6-8 Harbour Road, Wanchai, Hong Kong • T: +852 2824 8488

www.qualys.com

QualysGuard Suite consists of QualysGuard Vulnerability Management, QualysGuard Policy Compliance, QualysGuard Web Application Scanning and QualysGuard PCI. All four solutions are delivered via an integrated Software-as-a-Service (SaaS) platform with no new software to deploy or infrastructure to maintain.