Fortify Software

Fortify’s PCI Solution To Help Merchants Pass Compliance Audits in Advance of Dec. 31 Deadline

Leading application security vendor offers a comprehensive solution that addresses Sections 3 and 6 of the PCI Data Security Standard.

PALO ALTO, Calif., October 17, 2007 - Fortify® Software Inc., the market leader in enterprise application security solutions, today announced its Payment Card Industry (PCI) Solution—a bundle of Fortify’s award-winning products and services designed to help retailers meet PCI requirements—provides merchants the means to become compliant with the PCI Data Security Standard (DSS) prior to an upcoming Dec. 31 deadline. Fortify, which has grown its compliance practice by more than 500 percent over the past two years, has a customer list that includes two of the top four online retailers in the United States.

Despite the growth in Fortify’s PCI practice, the majority of retailers, and other businesses that process credit card transactions, have been slow to adopt true application layer defenses. Many Level 1 merchants were not in compliance with the Standard when their recent Sept. 30 deadline passed, and a large percentage of Level 2 merchants will be scrambling over the next few months in an effort to pass audits before their Dec. 31 deadline.

“We’ve been fielding many questions from entities who are trying to achieve PCI compliance; requirement 6, to ‘Develop and maintain secure systems and applications,’ is one area where customers are confused about how to comply,” stated Diana Kelley, a vice president and senior analyst for the Burton Group. “Securing and protecting applications that manage cardholder data is a critical piece of the cardholder data protection puzzle. Tools such as source code analysis and application layer firewalls can help entities control risk of cardholder data loss and also help them meet the Section 6 compliance requirements.”

PCI auditors across the nation have reported that application security is one of the most commonly failed areas of the PCI DSS, and statistics from respected industry analyst firms that supported this claim were part of the reason credit card companies put application security requirements into the DSS and recommended source code analyzers and application firewalls as solutions.

“With a majority of attacks now directed at the application layer, the prospect of so many vendors being non-compliant is frightening,” said Brian Chess, Fortify’s founder and Chief Scientist. “Our customers tell us that Section 6 is one of the top reasons for failing a PCI audit, and they look to us for help in making it over the bar when it comes to code review, high fidelity testing and defect mitigation. But beyond compliance, businesses should keep the end goal in mind: creating systems their customers can trust. Fortify’s PCI Solution meets regulatory requirements and reduces overall security risk.”

Fortify’s PCI solution specifically focuses on the two sections of the DSS that detail application security requirements: Section 6, regarding developing and maintaining secure applications, and Section 3, regarding protecting and storing data. The PCI Solution, which consists of Fortify® SCA, a source code analyzer that eliminates vulnerabilities in an application’s code base; Fortify® Defender, an application-layer firewall; and Fortify’s Professional Services, offers an immediate solution to secure sensitive data now, as well as a long-term strategy to ensure new applications are developed securely. This bundle of award-winning software and services enables retailers to:

  • Secure Applications Now — Fortify Defender is a contextual Web-application firewall that protects and monitors Web applications from the inside. This unique approach offers critical insight into attacks and addresses PCI standards for an application-layer firewall. Section 6.6 of the PCI DSS currently recommends as a best practice the use of an application layer firewall or a professional code review. All merchants and service providers that store, process or transmit cardholder data must comply with these standards when it becomes a requirement. Fortify offers the most effective, accurate and easy-to-use solution for fulfilling this PCI standard, as it not only addresses PCI, but also additional key software security compliance requirements, such as FISMA and HIPAA.
  • Secure Applications Before They’re Deployed — Fortify SCA is the world’s most proven and widely used source code analyzer. Its advanced features enable security professionals to review more code and prioritize issues in less time, while helping development teams identify and fix issues early and with less effort. Fortify SCA supports a wide variety of languages, frameworks and operating systems, and delivers depth and accuracy in its results. It can be tuned to be comprehensive when completeness is needed or extremely targeted for day-to-day use in development. It makes triage, full-scale audits and remediation fast and effective.

Fortify, which has more application security experience related to PCI compliance than any other vendor in the industry, is leading the effort to help merchants reach the key application security requirements. Fortify’s inclusion in the PCI Security Standards Council and ICSA Labs Web Application Firewall Consortium is a reflection of its deep involvement with the PCI DSS. In addition, Fortify is participating in the following two events this week:

  • Compliance 2.0: Next steps for Security Leadership
    • Tuesday, Oct. 16, Hyatt Regency Phoenix
  • The CSO Executive Seminar on PCI Compliance
    • TODAY! Wednesday, Oct. 17, Intercontinental Hotel Chicago, 8 a.m. — 4 p.m.

The company’s experience in helping end users become PCI compliant on the application security front includes:

  • Two of the top four online retailers in the U.S.
  • Two of the top three credit card brands
  • The top acquiring banks throughout the world
  • Organizations spanning all four PCI levels
  • Companies in healthcare, retail, telecomm, finance, government, media, insurance and more

Parties interested in finding out more about Fortify’s PCI Solution can do so online at: http://www.fortifysoftware.com/security-resources/pci_fisma.jsp.

About Fortify Software, Inc.

Fortify® Software products protect companies from the threats posed by security flaws in business-critical software applications. Its software security products—Fortify SCA, Fortify Manager, Fortify Tracer and Fortify Defender—drive down costs and security risks by automating key processes of developing and deploying secure applications. Fortify Software’s customers include government agencies and FORTUNE 500 companies in a wide variety of industries, such as financial services, healthcare, e-commerce, telecommunications, publishing, insurance, systems integration and information management. The company is backed by world-class teams of software security experts and partners. More information is available at www.fortify.com.

Press Contacts

Lisa Eskey, Sterling Communications, 1-408-884-5157, leskey@sterlingpr.com