Payment Card Industry (PCI) Data Security Standard

The Payment Card Industry (PCI) Data Security Standard is a collaborative effort by Visa, MasterCard, American Express and Discover to ensure the protection of customers' personal information. The standard establishes 12 security requirements to which all members, merchants and service providers must adhere.

Legislative Summary

The PCI Data Security Policy requires that all PCI Data Security Members, merchants, and service providers that store, process or transmit cardholder data verify all purchased and custom web applications, including internal and external (web) applications.

Mandated since June 2001, Visa USA's Cardholder Information Security Program (CISP) is intended to protect Visa cardholder data and to ensure that members, merchants, and service providers maintain the highest information security standard. In 2004, as a result of a collaboration between Visa and MasterCard, the CISP requirements were incorporated into the PCI Data Security Standard. Visa USA maintains CISP as the managing program for data security compliance, endorsing the PCI Data Security Standard.

In addition, Visa has developed "Payment Application Best Practices" to assist software vendors in creating secure payment applications that help ensure merchant compliance with the PCI Data Security Standard. Software vendors can validate their payment applications against the recommendations outlined in that document.

Achieving Legal and Regulatory Compliance with SPI Dynamics' Compliance Reports

SPI Dynamics' compliance reports help customers address legal and regulatory compliance for Web applications and Web services. The compliance reports support more than 20 laws, regulations and best practices, including PCI. SPI Dynamics' products run automated security checks against the PCI requirements that pertain to Web application security and produce a PCI compliance report with the results. These policies are customizable, so you can tailor the test to meet your specific requirements.

All of SPI Dynamics' software security testing products (Assessment Management Platform (AMP™), WebInspect™, QAInspect™ and DevInspect™) include new compliance reports to help you:

Key Benefits of Managed Services:
- Assess and prove application security throughout the application lifecycle
- Use application security assessment policies specific to each regulation, or customize them to fit your environment
- Produce security reports tailored to each regulation and categorized by the sections related to application security
- Stay up to date with changing regulations through immediate SmartUpdate™ of compliance policies and report changes

Start Secure. Stay Secure.™ Security Assurance Throughout the Application Lifecycle

Web Application Requirements for PCI

SPI Dynamics' solutions help you comply with sections 6, 11 and 12 of the PCI Data Security Standard:

PCI Requirements

Requirement 6: Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed via vendor security patches, and all systems should have current software patches to protect against exploitation by employees, external hackers, and viruses. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

Requirement 11: Regularly test security systems and processes
Vulnerabilities are continually being discovered by hackers and researchers and introduced by new software. Systems, processes, and custom software should be tested frequently to ensure that security is maintained over time and through changes.

Requirement 12: Maintain a policy that addresses information security for employees and contractors
A strong security policy sets the security tone for the whole company and lets employees know what is expected of them. All employees should be aware of the sensitivity of data and of their responsibilities for protecting it.

SPI Policy

SPI Dynamics products include the following capabilities that directly support requirements 6, 11 and 12 of the PCI Data Security Standard:
- Assess Web applications for vulnerabilities that could result in disclosure of sensitive or private information
- Verify that Web application access to sensitive information is controlled by authentication and authorization
- Identify Web application command injection vulnerabilities that would allow malicious code or programs to be executed
- Validate that Web application inputs are properly validated and not vulnerable to command injection or cross-site scripting attacks
- Ensure that data communication is encrypted
- Check for vulnerability to denial of service attacks
- Check for improper application error handling
- Detailed security assessment reports categorized by PCI sections

About SPI Dynamics

SPI Dynamics delivers a comprehensive suite of products and services that help to identify and remediate Web application and Web services security vulnerabilities found at key stages throughout the Web Application Lifecycle. SPI Dynamics solutions enable security professionals, QA testers, and developers to work together to assess, analyze, and remediate Web applications and Web services for security vulnerabilities, and to verify compliance with over 20 security policies such as SOX, HIPAA and PCI. The Company's unique approach, combining patent-pending Intelligent Engines™ technology with the largest Web application security vulnerability knowledgebase in the industry, delivers unparalleled speed and accuracy. SPI Dynamics' research and development team, SPI Labs, is widely recognized as one of the world's leading authorities on Web application security and risk management.

The Company has over 750 customers among Global 2000 enterprises, including over 70 U.S. Federal accounts, and has strategic partnerships with Microsoft, IBM, Mercury, CSC and Visa, with Visa investing in the Company in 2005. SPI Dynamics is privately held, with headquarters in Atlanta, Georgia. For more information on Web application security, visit www.spidynamics.com or call (1.866) 774-2700.

115 Perimeter Center Place, Suite 1100, Atlanta, GA 30346
Tel: 866.774.2700 | Fax: 678.781.4850 | Email: info@spidynamics.com
Copyright ©2006, SPI Dynamics Incorporated. All Rights Reserved. PCI-090506