Qualys Introduces MasterCard Site Data Protection Compliance Solution

Redwood City, CA — April 18, 2005 — Qualys, Inc. today announced it has successfully completed the MasterCard Site Data Protection (SDP) compliance testing process and extended its QualysGuard on demand vulnerability management platform to include automated, self-service SDP compliance testing and reports. As an SDP compliant scanning vendor, Qualys is certified to help online merchants and their consultants evaluate the security of Web sites that store MasterCard account data, and achieve compliance with the Payment Card Industry (PCI) Data Security Standard.

Beginning June 30, 2005, MasterCard will require online merchants processing over $125,000 in monthly MasterCard gross volume to perform an annual self-assessment and quarterly network scan.

“The payment card industry’s security requirements (PCI, SDP, Visa CISP) apply to all merchants with an Internet facing IP, not just those doing e-commerce, so the magnitude of retailers this program affects is significant,” said Avivah Litan, vice president and research director at Gartner.

Qualys has achieved compliance status by proving their ability to detect, identify and report vulnerabilities common to flawed web site architectures and configurations. These vulnerabilities, if not patched in actual merchant Web sites, could potentially lead to an unauthorized intrusion. By proactively identifying and providing the opportunity to remedy such vulnerabilities, SDP-compliant products offer a means for reducing risk of intrusion and data compromise.

“The payment card industry’s security standards are converging, which will simplify the compliance process, but achieving compliance with these standards can still be very costly for both merchants and acquiring banks. The more the process can be streamlined and automated, the easier it will be for everyone,” said Litan.

Jim Aviles, manager of product and technology at Merchant E-Solutions, said, “The new credit card compliance functionality in QualysGuard makes PCI compliance as easy as pushing a button. This level of accuracy and automation helps us save significant time and costs in demonstrating compliance with PCI. It also helps us ensure the integrity of our credit card processing infrastructure that is used by more than 150,000 merchants.”

The QualysGuard vulnerability management solution now includes a pre-defined scan profile that enables merchants and their consultants to scan payment systems according to MasterCard’s requirements. QualysGuard provides merchants and consultants with a blueprint for correcting found vulnerabilities. In order to achieve compliance, the merchant must correct all medium to severe security risks found by QualysGuard. Once merchants have fixed the vulnerabilities, QualysGuard auto-generates an SDP compliance report that can be submitted directly to the acquiring bank.

“The Site Data Vendor Compliance Program reflects our ongoing commitment to helping our customers and online merchants evaluate and improve the security of their Web sites in a timely and affordable manner. The end result we are striving for — improved overall channel security — is a win-win for all parties involved,” said Stephen Orfei, senior vice president and head of the MasterCard e-Commerce Center of Excellence.

The Vendor Compliance Program requires a two-step process. The first step is to complete an online application form, which can be found at the SDP Web site. The application provides MasterCard with an overview of the applying organization, along with a detailed assertion by the security vendor that their solution is compliant with or exceeds the requirements set forth in the MasterCard Security Standard. After applying for compliance testing, the second step is for vendors to undergo a rigorous evaluation cycle that spans across a wide range of Web servers, firewalls, and operating systems — an environment controlled and managed by MasterCard.

The SDP Compliance Testing program is an expansion of MasterCard’s Site Data Protection Program™, a comprehensive, proactive and cost-effective set of global e-commerce and financial security services designed to help protect the Web sites of its customer financial institutions, online merchants and other payment processors holding MasterCard account information.

Pricing and Availability
The MasterCard SDP compliance module will be available with QualysGuard 4.0 at the end of April, 2005. See also today’s announcement “Qualys Introduces Policy Compliance to Widely Adopted On Demand Vulnerability Management Platform” at www.qualys.com/company/newsroom/newsreleases/usa/pr.php/
2005-04-18.

Pricing for the MasterCard SDP compliance module is $495 for QualysGuard Express customers and $2,495 for QualysGuard Enterprise customers.

Qualys’ MasterCard SDP compliance reporting is also available through a number of its consulting partners, including: BDO Seidman, Digital Resources Group, Dimension Data, DynTek, Inc., FishNet Security Assessment Services, Fujitsu Transaction Solutions, Inc., Information Exchange, Inc., MasterCard SDP Service/Ubizen, NRM Network Risk Management, One-Sec, Ltd., Protiviti, Inc., and Strategic Profits, Inc.

About MasterCard SDP

The MasterCard Site Data Protection Program is a proactive, cost-effective, global solution offered by MasterCard through its acquiring members. The program provides acquiring members with the ability to deploy security compliance programs, assisting online merchants and Member Service Providers to better protect against hacker intrusions and account data compromises. The program takes a proactive approach to security by identifying common possible vulnerabilities in a merchant web site and makes recommendations for short-and long-term security improvements. The solution addresses the security issues that online merchants and their acquiring banks face in the virtual world, and concerns arising from these issues, such as Internet fraud, chargebacks, brand image damage, consumer information safety and privacy and the cost of replacing stolen account numbers.

About QualysGuard

QualysGuard is an on demand vulnerability management solution that enables organizations to assess and manage business risk. QualysGuard automates the network security auditing process across the enterprise both inside and outside the firewall, and across distributed networking environments. QualysGuard provides network discovery and mapping, asset prioritization, centralized reporting, and remediation workflow and verification. Executive-level reports allow security professionals to demonstrate effective security practices and verify compliance with data protection laws and regulations. QualysGuard’s on demand technology is far more accurate, cost effective, and easier to deploy than software-based alternatives.

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys’ on demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organisations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit www.qualys.com.

Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

Media Contact:
Tami Casey
Qualys
media@qualys.com