BUSINESS: Blueport Commerce provides trusted, managed e-commerce technology and services to retail chains and organizations with unique e-commerce needs including big ticket, customizable or difficult to ship products and complex business structures.
SCOPE: Services retail chains representing 2,000+ stores that represent $8+ billion in sales.
BUSINESS CHALLENGE: Blueport Commerce must remain compliant with PCI DSS, and its customers need assurance that its systems operate to the highest security and compliance standards.
WHY THEY CHOSE QUALYS:
- Highly accurate and comprehensive reporting.
- Qualys provides control of the entire vulnerability management life cycle: asset discovery, vulnerability assessments, and tracking of security fixes.
- Qualys’ SaaS delivery model reduces management overhead and provides the automation Blueport Commerce’s IT team needed.
Delivering on Network Security and PCI DSS Compliance
This provider of managed e-commerce technology and services needed an automated and accurate way to maintain a high level of security as well as compliance with the Payment Card Industry Data Security Standard.
E-commerce has certainly changed in the past decade. Back then, most e-commerce sales involved relatively inexpensive items: books, CDs, clothing, and other goods that were easy to sell and ship online. Today, consumers are much more apt to buy complex, big-ticket items online including furniture, automobiles and other well thought-out purchases — an online market segment often referred to as “considered commerce.”
Blueport Commerce is one of the major players in the considered commerce market. Originally founded in 1999 as the Web portal Furniture.com, the company quickly became the furniture industry’s leading e-commerce destination. Building on that success, Blueport Commerce took its decade of experience and developed an e-commerce platform designed for big ticket retailers including furniture, flooring and lighting, to help them deliver increased profits.
While software, services, and specialized knowledge are all crucial aspects of Blueport Commerce’s continued success, another vital element is trust. And when it comes to e-commerce, much of that trust rests on the viability and security of not only Blueport Commerce’s e-commerce platform, but the infrastructure and business-technology systems that ensure it runs smoothly and complies with industry regulations.
Every day, Blueport Commerce processes credit card transactions made on its customers’ sites, so it must comply with the Payment Card Industry Data Security Standard (PCI DSS). Additionally, its retail customers need the assurance that Blueport Commerce’s systems meet the highest security standards. “We have a multitude of payment processing accounts and we integrate with all of them,” says Fotios Magoufis, director of IT operations at Blueport Commerce. “In addition, we assume PCI DSS compliance responsibilities for our clients so it’s one less thing they have to worry about internally.”
“Contending with security and compliance is a by-product of being an e-commerce company, and is an ever-growing concern,” says Morgan Woodruff, chief operating officer at Blueport Commerce. “Compliance and security are must-haves in our market segment, so we have to do our best to meet, and even exceed, rules and regulations.”
To meet those objectives, Blueport Commerce’s IT team sought a way to move from manual vulnerability assessment tools to a network assessment capability that automatically identifies new assets on the network, as well as system vulnerabilities, and analyzes those threats through insightful reporting, and then manages ongoing mitigation efforts. “We had been looking for a tool that could conduct assessments on intervals for quite some time,” explains Magoufis.
Ultimately, Blueport Commerce chose Qualys. Qualys’ on-demand software-as-a-service delivery enables Blueport Commerce and organizations of all sizes to manage vulnerabilities and regulatory compliance more successfully, while cutting associated costs through streamlined operations. "At Blueport Commerce, we always seek the highest quality technology partners, selecting only the best companies in their respective areas of expertise. For vulnerability management, the search was not long: it always came down to Qualys," says Woodruff.
“We’ve found Qualys to be very simple, which we appreciate,” says Magoufis. “Everything can be managed through the Web, whether from the office, my smartphone, or even my home PC. Wherever I am, I can log in and access and manage my reports and set up assessments. From the start of our evaluation, Qualys was the forerunner of the SaaS model,” he says.
Today, Blueport Commerce relies on Qualys to ensure that its systems integrated with payment systems are fully PCI compliant. The Qualys on-demand platform provides businesses, online merchants and acquirers with the easiest, most cost-effective and highly automated way to validate PCI DSS compliance. As an Approved Scanning Vendor (ASV), Qualys is fully certified to assess PCI DSS compliance. Currently, 60 percent of all PCI DSS ASVs and 49 percent of Qualified Security Assessors utilize Qualys to deliver PCI certification and validation to their clients.
That market leadership, combined with unmatched technical capabilities, was key to Blueport Commerce’s selection of Qualys. Qualys’ vulnerability and security check database is updated continuously, without ever requiring users to conduct software or manual updates. That means Blueport Commerce’s IT team won’t waste time managing the device or chasing false positives. Thus, Magoufis and his team can focus on PCI DSS compliance and the vulnerability management life cycle, including asset discovery, asset prioritization, vulnerability assessment and analysis, remediation and fix verification. “Qualys accurately identifies system vulnerabilities and provides the reporting that shows us very clearly how well we are managing our IT risk and PCI compliance,” says Magoufis.
Blueport Commerce relies on Qualys not only for PCI DSS compliance, but to help streamline risk management throughout its infrastructure. "We scan our entire public IP network every night," explains Magoufis. "Through automated, segmented scans we are constantly assessing the infrastructure," he says. Based on those continuous scans, Magoufis can see that the infrastructure is secure and software is up to date, or he is presented with the precise information he needs for rapid remediation and can then validate that those efforts are in place. Magoufis concludes, "We're very pleased with our decision - Qualys has lived up to its reputation for being the best security and compliance product on the market."