Breach


Established in 2005, Breach Security Labs is the research arm of Breach Security, Inc. Breach Security Labs conducts and sponsors global research and open-source projects that focus on emerging trends in web application security. In addition to open-source and research projects, Breach Security Labs provides the security content, including rules, correlations and signatures, for Breach Security's web application security products, including WebDefend™, ModSecurity Pro™ and ModSecurity™.

Breach Security Labs plays an active role in leading web application security industry organizations such as the Open Web Application Security Project (OWASP) and the Web Application Security Consortium (WASC). Breach Security Labs team members are WASC officers and lead the OWASP chapters in the UK and Israel.

PCI DSS Compliance

What Is the Payment Card Industry Security Standards Council?
The Payment Card Industry (PCI) Security Standards Council is an independent body dedicated to the creation and implementation of electronic payment security standards. Founding members include representatives from American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

What Is the Payment Card Industry Data Security Standard?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements established by the PCI Security Standards Council. The standard is designed to protect sensitive account data such as credit card numbers, customer names, and contact information from being exposed to unauthorized users.

The PCI DSS requires that network security be in place, properly configured, and periodically audited. In addition, there are security provisions specifically targeted at the web applications themselves.

Why Is It Important?
Organizations that wish to accept online payments with credit and debit cards need to comply with these requirements. Fines for non-compliance can be steep, with penalties reaching hundreds of thousands of dollars per card brand.

Furthermore, the recurring third-party application security reviews described in Section 6.6 can be very expensive, and fixing the vulnerabilities they find can slip deadlines and increase the cost of development.

The current version of the PCI DSS (version 1.1, released in September 2006) lets organizations choose between those recurring reviews and the deployment of a web application firewall, giving them the option of a single control that covers every protected application. Section 6.6 is a recommended best practice until June 30, 2008; from that date it becomes mandatory, and every public-facing web application must be covered by one of the two options.

How Breach Security's WebDefend Enterprise Helps Organizations Meet the PCI DSS
WebDefend Enterprise is an advanced web application firewall that offers customized, behavior-based security for each protected application. Only WebDefend uses a patented profiling system and multiple, collaborative detection engines to ensure the flow of business-critical traffic while supplying complete protection for applications to keep payment card information safe from targeted attacks. Deployable out-of-line, WebDefend uniquely provides non-intrusive, effective security for multi-application environments.

WebDefend not only helps organizations comply with Section 6.6 of the PCI DSS, but also helps them meet several other requirements of the standard:

Requirement  |  WebDefend Provides the Solution

Do not use vendor-supplied defaults for system passwords and other security parameters
(Requirement 2)

  • Blocks any attempt to exploit default passwords in any web application middleware component.
  • Provides an extra layer of defense against users who forget to change default passwords.

Protect stored cardholder data
(Requirement 3)

  • Blocks unnecessary information from leaving a protected application through PCI-specific and customizable BreachMarks.

Encrypt transmission of cardholder data across open, public networks
(Requirement 4)

  • Monitors traffic and ensures that strong encryption is used when sensitive information is legitimately transmitted.
  • Offers SSL decryption and traffic inspection to detect attacks hidden in SSL traffic.

Develop and maintain secure systems and applications
(Requirement 6)

  • Provides the best attack detection in the market.
  • Acts as a "virtual patch" for web application vulnerabilities, including those covered in sub-sections 6.5.1 through 6.5.10.

Track and monitor all access to network resources and cardholder data
(Requirement 10)

  • Monitors and maintains an audit log of all access to credit card information.
  • Includes PCI-specific reports to detail prevented attacks and detected application security defects relating to the PCI DSS:

PCI Compliance Report: Details WebDefend findings by requirement to provide an immediate picture of the system's level of compliance.

Credit Card Usage Audit Report: Lists every use of a credit card number by a user. As required by the standard, the actual card details are masked in the report.

Sensitive Information Report: Details every page in a web application where sensitive information is presented to the user. This report helps ensure that the application does not violate the PCI DSS by displaying more of a credit card number to the user than the standard permits.
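The outbound-leak check described under Requirement 3 (BreachMarks) and the masked Credit Card Usage Audit Report under Requirement 10 rest on the same mechanism: find candidate card numbers in the response, keep only those that pass the Luhn check (so order numbers and timestamps are not flagged), mask each one to at most the first six and last four digits, and log only the masked value. The Python below is an added illustration of that mechanism written for this page; it is not WebDefend's or Breach Security's code, and the function names, the audit log format and the sample response are all constructed for the example.

```python
import re

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally
# grouped with single spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; weeds out order numbers, timestamps and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI DSS 3.3 allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(body: str):
    """Return (start, end, digits) for every Luhn-valid candidate in body."""
    hits = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def inspect_response(url: str, user: str, body: str) -> dict:
    """Outbound check: mask every PAN in the response and record a masked audit entry."""
    hits = find_pans(body)
    masked = body
    for start, end, digits in reversed(hits):   # rewrite from the end so offsets stay valid
        masked = masked[:start] + mask_pan(digits) + masked[end:]
    audit = []
    for _, _, digits in hits:
        # Hypothetical log line format chosen for this example; only the
        # masked PAN is ever written, as the standard requires for reports.
        audit.append(f"url={url} user={user} pan={mask_pan(digits)} action=masked")
    return {"leak": bool(hits), "count": len(hits), "body": masked, "audit": audit}


# Constructed sample response: one Luhn-valid test PAN, one 13-digit order
# number that fails Luhn, and one 16-digit reference that fails Luhn.
SAMPLE_BODY = (
    "<p>Order 1234567890123 paid with card 4111 1111 1111 1111. "
    "Reference 4111111111111112.</p>"
)

if __name__ == "__main__":
    result = inspect_response("/account/orders", "alice", SAMPLE_BODY)
    print(result["count"], "PAN(s) masked")
    print(result["body"])
    for line in result["audit"]:
        print(line)
```

Only the spaced Visa test number is masked; the two other digit runs in the sample fail the Luhn check and are left alone, which is the difference between a usable leak detector and one that blocks every invoice page. ModSecurity's `@verifyCC` operator applies the same Luhn filter to a regular-expression match inside the engine; the example spells it out so the false-positive handling is visible.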

Regularly test security systems and processes
(Requirement 11)

  • Monitors both sides of an application’s communication and passively assesses the application for defects to complement scanning efforts performed during quality assurance testing.
  • Detects weak cryptography, poor session management, and other design insecurities that scanners cannot.

Maintain a policy that addresses information security
(Requirement 12)

  • Includes a PCI Standard policy with pre-configured events and responsive actions to ensure protected applications are in compliance with the PCI DSS.
  • Automatically adapts its protection to secure new versions of the application when they are released.

Copyright (c) 2008 Secure Networks (UK) Ltd. - IT Security Specialists