P2 Security for PCI Section 6.6
The next security compliance deadline looms at the end of June. It's the Section 6.6 provision within the Payment Card Industry Data Security Standards, lovingly referred to as PCI, which requires application firewall protection for any online retailer that accepts credit cards.
Of course, your friends at Visa, MasterCard & Co. don't want to force you all to go out and spend good money for security tools. To be Section 6.6 compliant you can also conduct a thorough application source code review, assuming you have access to the code and assuming you have the team and tools to do the job. (Okay, maybe most of you will get the app firewall instead, if you haven't already.)
Ken Schwartzreich, CEO of P2 Security LLC in New York, hopes you'll consider his company's maXecurity Web access management appliance to help you get right with Section 6.6. He brags that not only does the appliance inspect IP packets and authenticate users to an app, it has four layers of admin control for separation-of-duty requirements, which will make your auditors happy.
According to Jeff Gresham, chief technology officer, maXecurity comes standard with loads of reports, such as one on access violations. He likes the entitlement report, which shows what access rights individuals have and, conversely, who has access to each app. By late this year, P2 will deliver a workflow module that requires admin changes to the appliance to be approved by an administrator at another level.
The device comes in three models: Basic can handle up to 500 active sessions; the Pro model, 5,000; and the enterprise version, 50,000. Prices start at $25,000.




