PCI Compliance Solution Brief

Web Browsers: Your Weak Link in Achieving PCI Compliance

Critical Security Gaps in Web Browsers Create Significant Risks

Does your company process credit card information via a browser? Data loss from theft or leaks, malware and Man-in-the-Browser attacks—all of the risks involved in delivering information through web browsers have led to the development of a wide range of security policies to achieve PCI compliance. Even if you believe your organisation is compliant, critical security gaps remain in the current standard technologies used to meet the requirements.

Gaps in Your Encryption

PCI Requirement 3 mandates that organisations protect stored cardholder data. Encryption is the preferred and most widely used technology for this requirement. However, if you're using a web-based processing or payment application, any credit card processing conducted in the web browser leaves the data at risk. All the encrypted data is unencrypted when it's rendered in the browser on the endpoint and in use. Data can remain in the web browser cache in clear text, where it can be easily extracted by either malware or end users. Even simple, everyday tasks such as cut, copy, paste and screen capture put sensitive data in the system-wide clipboard, which is also held in clear text and easily accessible, even after the web session has ended. In addition, stored user names and passwords from browser sessions remain available in the authentication cache and vulnerable to malware.

Does Your Antivirus Prevent Malware Infections or Zeus Attacks?

Endpoint security and antivirus effectiveness are an ongoing debate; however, the use and regular updating of antivirus software or internet security programs to prevent malware infections is still a PCI requirement.
In their 2011 Banking Security Test, MRG Effitas reported that of 27 Internet Security products tested on Windows 32-bit and Windows 64-bit computers, only a handful were effective in preventing the Zeus botnet. Their report went on to conclude that, based on evidence from their research, users need to employ additional security measures on top of traditional anti-virus or internet security suites to counter threats posed by modern malware. The use of compensating controls to increase protection levels should include securing the browser session even when malware is present. While keeping antivirus maintained and updated sounds simple, the Verizon 2011 PCI industry compliance report states that only 64% of companies they tested for PCI compliance achieved this in 2010. It's also interesting to note that of the breach incidents Verizon investigated, only 47% of those companies had complied with this requirement. Browser security that is delivered as part of the application will ensure the latest controls are always up to date and turned on as a mandatory part of the application.

Challenges to Your Web Application Security

The shift to web applications and cloud services has also created additional PCI compliance challenges. Requirement 6 states that organisations must develop and maintain secure systems and applications. Demonstrating security controls built into your own in-house applications can be challenging—many are legacy systems in which comprehensive security controls likely don't exist. Many organisations are also using web-based payment applications supplied by their bank to process transactions, leaving them no control over critical security updates and patches.

Quarri Protect On Q (POQ) enables organisations to control and protect browser session content from theft or data leakage by malware and end users, both careless and malicious.
POQ provides zero-hour malware defense against keylogging, framegrabbing, cache mining and other attacks that may be introduced through a user's web browser, even from malware embedded on compromised client computers. As it's not signature-based, it offers a much higher level of compensating control than standard antivirus software. POQ is delivered on demand as part of the application browser, with no client installation. All browser session data is encrypted and digitally shredded when the session ends. In addition, central log files of all user activity enable compliance with PCI auditing requirements.

"Quarri Protect On Q (POQ) helps clients achieve and maintain PCI compliance by addressing a variety of PCI issues, including data encryption and application security, that have historically been difficult to solve. With its on demand deployment, POQ also acts as a compensating control for endpoints that don't have the latest security updates installed. And its data theft protections also ensure organisations can prevent replication of confidential data by careless or malicious end users."
Andy Dalrymple, PCI QSA, PTP Consulting

Closing Web Browser Gaps in PCI Compliance

Building security into the application can be impractical, expensive or simply not possible. However, it is possible to build security into the browser session, something you do have control over. Making the browser secure from local malware threats protects data from keyloggers, screen scraping and cache raiders. Encrypting and deleting data written from the browser to the local cache, preventing the cut, copy, paste, print and screen capture features, and delivering this secure web browser protection as part of the application closes many of the current security gaps in meeting PCI requirements.

POQ also helps organizations mitigate risk by providing data leakage protection that controls the user's ability to replicate confidential data.
POQ blocks users from copying, printing, screen-capturing or saving sensitive web information, including from browser-launched processes like Adobe Acrobat and Microsoft Office.

Quarri Technologies, Inc. is a security software company that empowers organizations to keep their sensitive data secure.

Quarri Technologies, Inc.
7500 Rialto Blvd. Building 2, Suite 210
Austin, TX 78735
www.quarri.com
1.866.248.3990 US
+1.512.590.7731
+1.512.777.5005 Fax
email@example.com
© 2011 Quarri Technologies, Inc.