The McAfee SECURE TM Standard



Similar documents
McAfee Total Protection Reduce the Complexity of Managing Security

Payment Card Industry (PCI) Data Security Standard

PCI Compliance. Top 10 Questions & Answers

Project Title slide Project: PCI. Are You At Risk?

PCI Compliance Top 10 Questions and Answers

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

PCI Data Security Standards

Two Approaches to PCI-DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard Explained

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

Josiah Wilkinson Internal Security Assessor. Nationwide

Payment Card Industry (PCI) Data Security Standard

Overcoming PCI Compliance Challenges

Achieving Compliance with the PCI Data Security Standard

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Barracuda Web Site Firewall Ensures PCI DSS Compliance

How to complete the Secure Internet Site Declaration (SISD) form

How To Protect Visa Account Information

Why Is Compliance with PCI DSS Important?

McAfee Internet Security Suite Quick-Start Guide

Security Breaches and Vulnerability Experiences Overview of PCI DSS Initiative and CISP Payment Application Best Practices Questions and Comments

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Your Compliance Classification Level and What it Means

The Business Case for Security Information Management

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Western Australian Auditor General s Report. Information Systems Audit Report

PCI DSS Reporting WHITEPAPER

Frequently Asked Questions

PCI Compliance: How to ensure customer cardholder data is handled with care

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Network Intrusion Prevention Systems Justification and ROI

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October cliftonlarsonallen.com CliftonLarsonAllen LLP

Payment Card Industry Data Security Standard

Web Applications The Hacker s New Target

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Becoming PCI Compliant

INFORMATION SECURITY TESTING

This appendix is a supplement to the Local Government Information Security: Getting Started Guide, a non-technical reference essential for elected

PCI Compliance Updates

Kim Decarolis Compliance and Security Specialist (248) Mark Wayne Vice President Compliance and Security Specialist

SecurityMetrics Introduction to PCI Compliance

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

93% of large organisations and 76% of small businesses

McAfee Endpoint Encryption Manager

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Introduction to PCI DSS

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

PCI Security Compliance

PCI DSS Compliance Information Pack for Merchants

locuz.com Professional Services Security Audit Services

PCI Compliance Overview

La règlementation VisaCard, MasterCard PCI-DSS

PCI DATA SECURITY STANDARD OVERVIEW

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Property of CampusGuard. Compliance With The PCI DSS

Ecommerce Guide to PCI DSS 3.0

Westpac Merchant. A guide to meeting the new Payment Card Industry Security Standards

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

March

How To Protect Your Business From A Hacker Attack

PCI Requirements Coverage Summary Table

Web App Security Audit Services

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI DSS Overview and Solutions. Anwar McEntee

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

GFI White Paper PCI-DSS compliance and GFI Software products

Payment Card Industry Compliance Overview

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

PCI: The Dark Side. May 2012 Roanoke, VA

PCI Standards: A Banking Perspective

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI Security Scan Procedures. Version 1.0 December 2004

Security aspects of e-tailing. Chapter 7

Transcription:

The McAfee SECURE TM Standard December 2008

What is the McAfee SECURE Standard? McAfee SECURE Comparison Evaluating Website s Security Status Websites Not In Compliance with McAfee SECURE Standard Benefits of Complying with McAfee SECURE standard 5

The McAfee SECURE standard is an aggregate of industry best practices, designed to provide a level of security that an online merchant can reasonably achieve to help provide consumers with better protection when interacting with websites and shopping online. What is McAfee SECURE standard? In order for a merchant to display the McAfee SECURE trustmark, it is required to submit, at minimum, the target website for auditing and pass the required tests. Sites using Akamai for content distribution should also submit the origin server for audit and review. The website(s) must be audited by McAfee Inc. s Automated Vulnerability Assessment technology on a daily basis without interference by Intrusion Detection or Intrusion Prevention System. The McAfee SECURE data security standard is separate from the Payment Card Industry Data Security Standard (PCI-DSS). McAfee SECURE requires daily auditing and certification, whereas PCI DSS requires quarterly scanning by an ASV and SSL doesn t require auditing at all. The appearance of the McAfee SECURE trustmark on a website is not related to the retailer s PCI compliance. McAfee SECURE Comparison Security Risk/Issue Identified Required for Certification McAfee SECURE PCI SSL Certificate McAfee SECURE PCI SSL Certificate SQL Injection Blind SQL Injection SQL Database Error Disclosure Local File and Remote File Includes Directory Traversals Improper Error Handling Application Source Code Disclosure Authentication Bypass Insufficient Session Expiration Command Injection SSI Injection Malicious CGI scripts Buffer Overflows Client Side Vulnerabilities Directory Indexing Server Misconfigurations SSL Encryption Malicious Downloads Malicious Affiliations (Links) Phishing Scams Browser Exploits Misuse of personal information Annoyances (excessive Pop-ups) Scams (Business Practices) Scan Frequency Daily Quarterly N/A Daily Quarterly N/A

Key Points McAfee SECURE Service Comprehensive web security service Aggregate of industry best practices Daily vulnerability assessment Review of web application content Complying with the standard allows merchants to publicly display their security status with McAfee SECURE trustmark. Evaluating Website s Security Status When evaluating a website s security, the McAfee SECURE standard considers both the results of a daily vulnerability assessment as well as a review of the web application s content. When reviewing the website s content McAfee looks for malicious downloads (adware, spyware, viruses, trojans), malicious affiliations (links), phishing scams, browser exploits, misuse of personal information (spam), annoyances (excessive pop-ups), and other online scams (business practices). When a security issue/risk is found that violates the McAfee SECURE standard, customers using the trustmark must remediate based on the requirements below. Additionally, McAfee may also elect to incorporate any credible information obtained from other outside resources. This information may affect the merchant s ability to display the McAfee SECURE trustmark. McAfee supports ongoing research with Responsible Disclosure and works with the security community to foster a collaborative exchange of information as a way to improve a merchant s security and to protect the consumer. Websites Not In Compliance with McAfee SECURE standard In the event that McAfee discovers a vulnerability that prevents a merchant s website from complying with the McAfee SECURE standard, the merchant will have a 72-hour remediation window. In instances where McAfee believes confidential customer data is at immediate risk, or in those cases where McAfee has evidence of prior compromise, the McAfee SECURE trustmark may be removed before expiration of this 72-hour window. Domains that have suffered a pre or post-sales compromise must meet additional criteria. In order for these domains to maintain compliance with the McAfee SECURE standard, at least one of the following criteria must be met: 1. Customers must undergo a forensic examination by a PCI Security Standards Council approved Qualified Incident Response Assessor and provide the Report of Compliance. A list of qualified CISP Incident Response Assessors is available at: http://usa.visa.com/download/merchants/cisp_qualified_ cisp_incident_response_assessors_list.pdf 2. Customers must relocate their platform to a Visa Validated Payment Application and outsource all credit card transactions: A list of validated payment applications is available at: http://usa.visa.com/ download/merchants/validated_payment_applications.pdf?it=r /merchants/risk_management/cisp_ payment_applications.html Validated%20Payment%20Applications. Customers must host their shopping cart with a Level One certified Application Service Provider on a certified ecommerce application. Usage of Yahoo! Stores, Monster Commerce or another McAfee SECURE trusted provider is acceptable. A list of certified service providers is available at: http://usa.visa. com/download/merchants/cisp_list_of_cisp_compliant_service_providers.pdf

Benefits of Complying with McAfee SECURE standard Vulnerability assessment and the subsequent required remediation are costs that many merchants often choose to avoid. This leaves the consumer unprotected and unaware of the risk to their personal information. The McAfee SECURE service is the de facto method for creating a positive ROI for security. By requiring the merchant to meet a defined level of security and then allowing them to publicly display their achievement in meeting the McAfee SECURE standard, consumers benefit from increased security and awareness. Merchants benefit by the consumer s greater willingness to purchase from sites that display the McAfee SECURE trustmark. McAfee SECURE service is intended to be one part of an overall security solution that includes properly configured firewalls, intrusion detection and protection systems, antivirus, manual code evaluations, penetration testing and ongoing education. The greatest security is derived from defense in depth, where layers of security provide complementary protection. McAfee, Inc. 965 Freedom Circle Santa Clara, CA 9505 888 87 8766 www.mcafee.com McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. 2008 McAfee, Inc. All rights reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information