The PCI Knowledge Base, launched by PCI Security Vendor Alliance and sponsored by ArcSight, lets organisations share knowledge about and experience with PCI compliance
London, UK – 7th April, 2008 – ArcSight, Inc. (Nasdaq: ARST), a leading global provider of compliance and security management solutions that protect enterprises and government agencies, today announced the availability of a new PCI (Payment Card Industry) Knowledge Base and the findings of a recently fielded PCI research report. The PCI Knowledge Base and research programme were launched by the PCI Security Vendor Alliance. The Knowledge Base programme allows merchants, assessors, bankers, card processors, security vendors and PCI consultants to anonymously share information online on how to become PCI compliant. The findings of the current research report highlight the trends and statistics that have emerged as companies have gone through the process of becoming PCI compliant. ArcSight supported the collection of the data and is a platinum member of the PCI Security Vendor Alliance.
The PCI Knowledge Base contains more than 1,200 separate anonymous comments from merchants, assessors, bankers, card processors, security vendors and PCI consultants, as well as advice from a panel of approximately 30 experts. Visitors to the research programme’s web site can glean findings that include information regarding best practices, lessons learned, experiences, industry trends and more.
“ArcSight supports the research programme as part of our efforts to help companies secure their confidential data and continuously comply with PCI,” said Reed Henry, senior vice president of marketing and business development of ArcSight. “The PCI Knowledge Base is a valuable resource for anyone who wants to learn about PCI compliance and understand how companies have successfully achieved compliance.”
PCI Alliance Research Director David Taylor identified the three most important findings of the programme:
• Many companies have not yet deployed an overarching monitoring and management solution to derive the full benefit of PCI compliance. “The thing that crops up over and over again is that many companies are buying products in order to achieve compliance, but they don’t have the time to manually review all the logs and data which these tools generate,” said Taylor. “They’re overwhelmed by the volume of security data and they don’t have the resources to properly review it. These companies are looking for automated solutions to deal with these issues.”
• Most companies pursue a checklist approach to PCI compliance. The requirement to have 100 percent of PCI controls in place tends to promote the view that all controls are essentially equal. What differentiates the leading-edge companies that are members of the PCI Knowledge Base is that they focus on risk and compliance management across all 12 PCI requirements and use identity monitoring solutions and SIEM platforms to monitor who is doing what and when with which sensitive data.
• Best-in-class companies have achieved operational compliance vs. paper compliance. Best-in-class companies in the Knowledge Base have made complying with PCI, including the automated monitoring of access controls and enforcement, part of their day-to-day operations. The paper checkbox approach has left other companies exposed to threats due to failure to keep up with the demand to manually review logs.
PCI Knowledge Base provides real-world information about PCI compliance
The PCI Knowledge Base shares merchants’ knowledge and experience of PCI compliance anonymously with other merchants as well as with assessors, banks and vendors. Visitors to the PCI Knowledge Base can benefit from their experience, finding out what works, best practices, lessons learned and more.
Following is a sample of the real-world information, advice and experience in the PCI Knowledge Base:
• “We found we were opening over 60 trouble tickets per month, and closing only five of them. Some of these trouble tickets could be potential security breaches. . . If we don't automate this process or get some help, our security management will be come less effective with each passing month.”
• “The best advice I can give others is that they need to reduce the number of places they store data, and eliminate the ability of most persons to copy the data or distribute it. Merely having a policy against it is a small step. Eliminating copies and eliminating the copying functionality are the real controls that companies need.”
To learn more about PCI Compliance, please visit www.knowpci.com to access the PCI Knowledge Base.
For more information on the ArcSight PCI Protection Suite, please visit http://www.arcsight.com/cip_pci.htm.
ArcSight (NASDAQ: ARST) is a leading global provider of compliance and security management solutions that protect enterprises and government agencies. ArcSight helps customers comply with corporate and regulatory policy, safeguard their assets and processes and control risk. The ArcSight platform collects and correlates user activity and event data across the enterprise so that businesses can rapidly identify, prioritise and respond to compliance violations, policy breaches, cybersecurity attacks and insider threats. For more information, visit www.arcsight.com.
ArcSight, the ArcSight logo, ArcSight Logger, ArcSight Threat Response Manager and ArcSight Network Configuration Manager are trademarks of ArcSight, Inc.