Web Browsers: Your Weak Link in Achieving PCI Compliance

PCI Compliance Solution Brief
Critical Security Gaps in Web Browsers Create Significant Risks
Does your company process credit card information via a browser? Data loss from theft or leaks, malware and Man-in-the-Browser attacks—all of the risks involved in delivering information through web browsers have led to the development of a wide range of security policies to achieve PCI compliance. Even if you believe your organisation is compliant, critical security gaps remain in the current standard technologies used to meet the requirements.
Gaps in Your Encryption
PCI Requirement 3 mandates that organisations must protect stored cardholder data. Encryption is the preferred and most widely used technology for this requirement. However, if you’re using a web-based processing or payment application, any credit card processing conducted in the web browser leaves the data at risk. All the encrypted data is unencrypted when it’s rendered in the browser on the endpoint and in use. Data can remain in the web browser cache in clear text format, where it can be easily extracted by either malware or end users. Even simple, everyday tasks such as cut, copy, paste and screen capture put sensitive data in the system-wide clipboard, which is also rendered in clear text format and easily accessible, even after the web session has ended. In addition, stored user names and passwords from browser sessions remain available in the authentication cache and vulnerable to malware.
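One way to check a payment page for two of the browser-side gaps described above (clear-text copies left in the browser cache, and card-entry fields the browser is allowed to remember) is to audit the HTTP response headers and the form markup the server sends. The Python script below is an added example, not part of this brief or of Quarri's product; the field-name hints and the two sample responses are constructed assumptions, and the header checks follow the standard Cache-Control directive semantics.

```python
"""Audit an HTTP response that renders cardholder data for two browser-side
gaps: responses the browser may write to its cache in clear text, and card
fields the browser may autofill or save. Constructed sample data only."""
from html.parser import HTMLParser

# Substrings a payment form commonly uses for PAN and security-code fields.
# Assumed, constructed list: extend it for your own application.
CARD_FIELD_HINTS = ("card", "pan", "ccnum", "cvv", "cvc")


def cache_header_findings(headers):
    """Return findings for caching weaknesses in one response.

    `headers` maps header name -> value; names are compared case-insensitively.
    A response carrying cardholder data should say `Cache-Control: no-store`
    so neither the browser nor an intermediary keeps a copy on disk.
    """
    h = {k.lower(): v for k, v in headers.items()}
    directives = {
        d.strip().lower()
        for d in h.get("cache-control", "").split(",")
        if d.strip()
    }
    findings = []
    if "no-store" not in directives:
        findings.append(
            "Cache-Control lacks no-store: response may be written to the browser cache"
        )
        if "private" not in directives:
            findings.append(
                "Cache-Control lacks private: shared caches may also keep the response"
            )
    return findings


class _CardFieldScanner(HTMLParser):
    """Collect <input> elements that look like card fields but allow autofill."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # attribute names arrive lower-cased; values may be None
        name = (a.get("name") or a.get("id") or "").lower()
        if not any(hint in name for hint in CARD_FIELD_HINTS):
            return
        if (a.get("autocomplete") or "").lower() != "off":
            self.findings.append(
                f"input '{name}' allows browser autofill/storage (autocomplete is not off)"
            )


def form_findings(html):
    """Return findings for card fields in the page that the browser may remember."""
    scanner = _CardFieldScanner()
    scanner.feed(html)
    return scanner.findings


def audit_response(headers, html):
    """Combine header and form findings for one response."""
    return cache_header_findings(headers) + form_findings(html)


# Constructed samples: a weak page beside a hardened one.
WEAK = (
    {"Content-Type": "text/html", "Cache-Control": "max-age=3600"},
    '<form><input name="ccnum"><input name="cvv"><input name="zip"></form>',
)
HARDENED = (
    {"Content-Type": "text/html", "Cache-Control": "no-store, no-cache, private"},
    '<form><input name="ccnum" autocomplete="off">'
    '<input name="cvv" autocomplete="off"></form>',
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs, body))
```

Run against the constructed samples, the weak page yields four findings (two header, two form) and the hardened page yields none. The same functions can be fed headers and bodies captured from a real payment page to verify that the server side does not hand the browser a cacheable, autofill-friendly copy of cardholder data; it does not address clipboard or screen-capture exposure, which only endpoint-side controls can.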
Does Your Antivirus Prevent Malware Infections or Zeus Attacks?
Endpoint security and antivirus effectiveness are an ongoing debate; however, the use and regular updating of antivirus software or internet security programs to prevent malware infections is still a PCI requirement. In their 2011 Banking Security Test, MRG Effitas reported that of 27 Internet Security products tested on Windows 32-bit and Windows 64-bit computers, only a handful were effective in preventing the Zeus botnet. Their report went on to conclude that, based on evidence from their research, users need to employ additional security measures on top of traditional anti-virus or internet security suites to counter threats posed by modern malware. The use of compensating controls to increase protection levels should include securing the browser session even when malware is present.

While keeping antivirus maintained and updated sounds simple, the Verizon 2011 PCI industry compliance report states that only 64% of companies they tested for PCI compliance achieved this in 2010. It’s also interesting to note that of the breach incidents Verizon investigated, only 47% of those companies had complied with this requirement. Browser security that is delivered as part of the application will ensure the latest controls are always up to date and turned on as a mandatory part of the application.
Challenges to Your Web Application
The shift to web applications and cloud services has also created additional PCI compliance challenges. Requirement 6 states that organisations must develop and maintain secure systems and applications. Demonstrating security controls built into your own in-house applications can be challenging—many are legacy systems in which comprehensive security controls likely don’t exist. Many organisations are also using web-based payment applications supplied by their bank to process transactions, leaving them no control over critical security updates and patches.
Quarri Protect On Q (POQ) enables organisations to control and protect browser session content from theft or data leakage by malware and end users, both careless and malicious. POQ provides zero-hour malware defense against keylogging, framegrabbing, cache mining and other attacks that may be introduced through a user’s web browser, even from malware embedded on compromised client computers. As it’s not signature-based, it offers a much higher level of compensating controls than standard antivirus software. POQ is delivered on demand as part of the application browser, with no client installation. All browser session data is encrypted and digitally shredded when the session ends. In addition, central log files of all user activity enable compliance with PCI auditing requirements.

POQ also helps organizations mitigate risk by providing data leakage protection that controls the user’s ability to replicate confidential data. POQ blocks users from copying, printing, screen-capturing or saving sensitive web information, including from browser-launched processes like Adobe Acrobat and Microsoft Office.

Closing Web Browser Gaps in PCI
Building security into the application can be impractical, expensive or simply not possible. However, it is possible to build security into the browser session, something you do have control over. Making the browser secure from local malware threats protects data from keyloggers, screen scraping and cache raiders. Encrypting and deleting data written from the browser to the local cache, preventing the cut, copy, paste, print and screen capture features and delivering this secure web browser protection as part of the application closes many of the current security gaps in meeting PCI requirements.

“Quarri Protect On Q (POQ) helps clients achieve and maintain PCI compliance by addressing a variety of PCI issues, including data encryption and application security, that have historically been difficult to solve. With its on demand deployment, POQ also acts as a compensating control for endpoints that don’t have the latest security updates installed. And its data theft protections also ensure organisations can prevent replication of confidential data by careless or malicious end users.”
Andy Dalrymple, PCI QSA, PTP Consulting

Quarri Technologies, Inc. is a security software company that empowers organizations to keep their sensitive data secure.
Quarri Technologies, Inc.
7500 Rialto Blvd.
Building 2, Suite 210
Austin, TX 78735
1.866.248.3990 US
+1.512.777.5005 Fax
© 2011 Quarri Technologies, Inc.