Page 1: ModSecurity_Aegenis Product Eval_0408_Final

An Evaluation of Breach Security ModSecurity™ M1100

Web Application Firewall

Relative to the Payment Card Industry

By Chris Mark, CISSP, CIPP
6410 N Business Park Loop Rd
Suite E
Park City, UT 84098

Executive Summary 3
Data Compromise Overview 4
Financial Liability of Data Compromise 5
PCI DSS Overview 5
Requirement 6.6 - Origins and Intent 6
Compliance Requirements 6
Current State of Industry Compliance 7
Considerations for Small- to Medium-Level Organizations 7
Evaluation of ModSecurity Pro M1100: 8
Ease of Implementation and Use 8
Product Features 9
Support of Considerations for Small to Medium Organizations: 10
Summary of Findings: 12
Appendix A: Boa Factory Screen Captures 13
Appendix B: ModSecurity Pro M1100 Screenshots 14

Executive Summary

In January of 2008, Breach Security engaged The Aegenis Group, Inc. to conduct a functional evaluation of the ModSecurity Pro M1100 application layer firewall appliance. The intent of the engagement was to evaluate the applicability of the ModSecurity appliance within the Payment Card Industry (PCI). The Aegenis Group completed this evaluation in March of 2008. This summary and the attached details express the results of that evaluation.

The Aegenis Group is uniquely qualified to perform this application assessment based on its deep experience in the payments industry and involvement with the PCI Data Security Standard (DSS). The company’s founders have worked for both Visa Inc. and MasterCard Worldwide where they participated in the training and continued update of the PCI DSS standard. The Aegenis Group members were involved in the development of the original Cardholder Information Security Program (CISP), the precursor to the PCI DSS, and the Payment Application Best Practices (PABP). The team members are former Qualified Security Assessors (QSA) and now train Fortune 500 companies on proper implementation of the standard. In 2007, they trained over 7,000 individuals representing over 500 global companies on the PCI DSS standard.

This document discusses the occurrence and causes of data compromises in the Payment Card Industry. Understanding the genesis of the application security requirements of the PCI DSS provides a firm foundation for determining the applicability and effectiveness of the WebDefend application layer firewall. In addition to discussing the impact of the ModSecurity Pro product on PCI DSS compliance, a brief discussion of the ways in which WebDefend can help companies meet non-security related business objectives will also be included.

Data Compromise Overview

The Payment Card Industry is comprised of numerous organizations that support transaction acceptance and processing. The data collected by these organizations is highly valued by criminal organizations and as such merchants, processors and other entities are frequent targets of criminal activity. While the documented attacks between 1999 and 2004 primarily focused upon vulnerabilities of network technology and systems, the trend has changed dramatically within the past three years. The majority of recent recorded data compromises occurring within the Payment Card Industry are due, at least in part, to attacks against vulnerabilities in web applications. Analysis of hundreds of data compromise cases on file with the major card brands through 2007 indicated that over 65% of data compromises on record were the result of attacks against vulnerabilities in the application layer. As merchants continue to strengthen their network layer defenses, the criminals are simply shifting their focus to the application layer.

Today, companies that accept payment cards are facing a new group of criminals that are specifically dedicated to obtaining cardholder data. The 2007-2008 black market value of an account number from a payment card is estimated to be between $4 and $6 in New York City. Full Magnetic Stripe Data obtained from a payment card fetches a black market value of between $25 and $35, depending upon the credit limit and type of card. The rising black market value of cardholder data has created a cottage industry of criminals that focus on buying, selling and trading cardholder information. Organized crime syndicates from Eastern Europe and Asia are particularly effective at obtaining cardholder data from merchants and service providers. Organizations such as BOA Factory, ShadowCrew, and the International Carders’ Alliance demonstrate that the criminals are becoming more sophisticated, and focused on the theft of Cardholder Data. A screen capture of the Boa Factory website can be seen in Appendix A.

The impact of application layer attacks on the Payment Card Industry has been profound. It was the recognition of the vulnerabilities within web applications that was the impetus for the creation of PCI DSS Section 6.6 which requires companies to protect against application layer attacks. The Federal Trade Commission’s (FTC) website shows a number of prominent companies that have had enforcement actions initiated by the FTC because of vulnerabilities to SQL Injection and other web application exploits.

The aforementioned analysis of recorded data compromises has shown one common element that was the root cause of the data breach. This one characteristic can be defined as the ‘human element.’ Companies that were the victims of data compromise either did not install, misconfigured, or mismanaged the technology that would have prevented the compromise. Solely relying upon people to evaluate complex web applications and security issues exposes companies to significant risk.

Contrary to what many believe, the majority of data compromises within the Payment Card Industry are not detected by the company that experienced the breach. Unfortunately, most retail compromises are detected through a process called Common Point of Purchase (CPP) analysis. A CPP analysis is simply an analysis of the usage patterns of payment cards that have been involved in fraudulent activity. If a large enough population of fraudulently used cards can be evaluated and a large percentage of those cards were used at a specific merchant within a given time period, statistical models can be employed to demonstrate that the probability of the cardholders all using their cards at the same merchant by chance is extremely low. This Common Point of Purchase is then identified as the point of compromise.
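The CPP reasoning above, worked through on constructed data as an added example (this code is not from the paper or from Aegenis; the card ids, merchants, transaction dates, window and lift threshold are all invented for illustration):

```python
"""Common Point of Purchase (CPP) analysis on constructed data.

The idea from the text: take the cards that later showed fraudulent activity and find the
merchant that an unusually large share of them all visited inside one time window.
"""
from collections import defaultdict
from datetime import date

# Constructed sample population (not data from the paper): 12 cards, 4 of which are
# later reported as fraudulent, and the window under review.
CARDS = [f"c{i}" for i in range(1, 13)]
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}
WINDOW = (date(2008, 1, 1), date(2008, 1, 31))

# Constructed transaction history: (card_id, merchant, transaction_date).
TRANSACTIONS = (
    [(c, "grocery-chain", date(2008, 1, 10)) for c in CARDS]              # every card shops here
    + [(c, "web-shop-A", date(2008, 1, 12)) for c in sorted(FRAUD_CARDS)]  # only the fraud cards
    + [("c1", "web-shop-B", date(2008, 1, 14)), ("c7", "web-shop-B", date(2008, 1, 15))]
    + [("c2", "web-shop-A", date(2007, 12, 20))]                           # outside the window
)


def cards_per_merchant(transactions, cards, start, end):
    """Number of distinct cards from `cards` that transacted at each merchant in [start, end]."""
    seen = defaultdict(set)
    for card, merchant, when in transactions:
        if card in cards and start <= when <= end:
            seen[merchant].add(card)
    return {merchant: len(s) for merchant, s in seen.items()}


def rank_candidates(transactions, fraud_cards, start, end, min_cards=3):
    """Rank merchants by lift: the share of fraud cards seen at the merchant divided by the
    share of the whole card population seen there in the same window. A merchant that served
    all of the fraud cards but only a third of all cards has lift 3; a merchant every card
    uses has lift 1 and is not a useful common point. Merchants seen by fewer than
    `min_cards` fraud cards are dropped, since a tiny overlap proves nothing."""
    population = {card for card, _, _ in transactions}
    fraud_counts = cards_per_merchant(transactions, fraud_cards, start, end)
    pop_counts = cards_per_merchant(transactions, population, start, end)
    ranked = []
    for merchant, n_fraud in fraud_counts.items():
        if n_fraud < min_cards:
            continue
        fraud_share = n_fraud / len(fraud_cards)
        pop_share = pop_counts[merchant] / len(population)
        ranked.append({"merchant": merchant, "fraud_cards": n_fraud,
                       "fraud_share": fraud_share, "population_share": pop_share,
                       "lift": fraud_share / pop_share})
    return sorted(ranked, key=lambda r: r["lift"], reverse=True)


def common_point_of_purchase(transactions, fraud_cards, start, end, min_lift=2.5, min_cards=3):
    """The top-ranked merchant if its lift clears `min_lift`, otherwise None."""
    ranked = rank_candidates(transactions, fraud_cards, start, end, min_cards)
    if ranked and ranked[0]["lift"] >= min_lift:
        return ranked[0]
    return None


if __name__ == "__main__":
    for row in rank_candidates(TRANSACTIONS, FRAUD_CARDS, *WINDOW):
        print(row)
    print("CPP:", common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS, *WINDOW))
```

On this data the grocery chain was used by every fraud card but also by every other card, so its lift is 1 and it is ignored; web-shop-A was used by all four fraud cards and only a third of the population, giving lift 3, and it is reported as the common point. The lift ratio stands in for the statistical model the text mentions; a real issuer would use a proper significance test and far larger populations.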

Financial Liability of Data Compromise

All of the major payment card brands have fines, fees, and other penalties associated with both non-compliance with the PCI DSS as well as exposure of cardholder data. Some of the categories of fines are well publicized and some are not. The major card brands do not directly fine the merchants—rather they fine the acquirer which then will likely pass on the fine to the merchant.

Both Visa and MasterCard have heavy fines associated with non-compliance with the PCI DSS. MasterCard can fine up to $100,000 per instance of non-compliance, for a total aggregate of $500,000 per year. Visa, on the other hand, takes a different approach. As stated in their January, 2008 press release [1]:

“Visa recently began levying monthly fines of $25,000 to U.S. merchant banks (or acquirers) for each of their large merchants that did not validate PCI DSS compliance by the deadline. As of January 2008, Visa is levying monthly fines of $5,000 to U.S. acquirers for non-compliant middle-sized merchants.”

While non-compliance fines may appear severe, they are a fraction of the total amount of liability associated with a data compromise. Both Visa and MasterCard have programs designed to allow payment card issuers to recoup expenses associated with the fraudulent use of cards as well as the expenses associated with monitoring and re-issuance of cards.

Visa’s program for issuer reimbursement is called the Account Data Compromise Recovery or ADCR. This program requires the acquiring bank to reimburse for the estimated fraudulent activity on cards. ADCR is applied when a company exposes more than 10,000 accounts of full magnetic stripe data. The ADCR fees are markedly higher than standard fines for non-compliance or the loss of just account numbers.

MasterCard Worldwide’s program is called the Issuer Reimbursement program. MasterCard’s approach is similar in that the threshold is 10,000 accounts of magnetic stripe data but different in that MasterCard does not require acquirers to reimburse estimated fraud. MasterCard will require that acquirers pay up to $5 per card for monitoring and up to $25 per card for re-issuance of exposed cards. This is in addition to the fines levied for non-compliance with the PCI DSS.

PCI DSS Overview

In 2006, the major card brands, Visa, MasterCard Worldwide, American Express, Discover Financial Services, and JCB, collectively created an industry consortium known as the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is responsible for the management, enhancement and development of a common industry data security standard, entitled the Payment Card Industry Data Security Standard (PCI DSS). This single standard is intended to ease the process of compliance by minimizing the number of programs with which companies have to comply and to serve as a single voice on the issue of compliance. As stated on its website, the PCI SSC is charged with “the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.” The primary role of the PCI SSC is the management of the PCI DSS.

[1] Visa, Inc. (January 22, 2008) Press Release: “PCI Compliance Continued to Grow in 2007” www.visa.com/cisp

The PCI DSS applies to any organization that stores, transmits or processes Cardholder Data. Cardholder Data, as defined by the PCI SSC, consists of the Primary Account Number (PAN) alone, and also includes the Cardholder Name, Service Code, and Expiration Date when any of these elements are stored in conjunction with the PAN. Compliance with the PCI DSS is mandatory and can be challenging to achieve.

The PCI DSS contains twelve requirements, each of which has a number of sub-requirements detailing the ways in which the general requirements should be met. Inclusion of these sub-requirements means that there are over 200 requirements with which each company must comply. For those companies seeking to become compliant for the first time, retro-fitting network architecture, systems, and applications to bring them into compliance, or segmenting networks to limit the scope of assessments, can bring with it significant costs. As compliance is required at all times, the costs in question are not only those associated with bringing an organization into initial compliance but also include the additional expense of maintaining compliance. Keeping in mind that compliance is a full-time process to be managed, the potential impact in terms of resources can be significant.

In addition to the potential cost of compliance, there are a number of issues which may impact the level of complexity involved in becoming and remaining compliant. Any change to the network, applications, or systems which contain cardholder data, or are connected to systems that do, must be evaluated for their impact on the security of cardholder data.

Requirement 6.6 - Origins and Intent

PCI DSS Requirement 6.6 states: “Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

1. Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security

2. Installing an application layer firewall in front of web-facing applications.”

The objective of PCI DSS Requirement 6.6 is to protect web-facing applications from common application layer attacks.

Compliance Requirements

Compliance with the PCI DSS is required of any organization that stores, transmits, or processes Cardholder Data. Challenges with PCI DSS scoping and compliance are often introduced through third-party applications and solutions that support the Cardholder Data Environment. Visa has recently begun to require that all merchants develop processes and controls to address payment application security within their respective environments. The PCI SSC will also be adopting the payment application security standard in 2008.

Current State of Industry Compliance

In December, 2007 Visa released the following statement:

“...as of the end of 2007, more than three-fourths of the largest U.S. merchants¹ and nearly two-thirds of medium-sized merchants² have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa's U.S. transaction volume.”

It should be noted that according to Visa, 77% of Level 1 Merchants and 62% of Level 2 Merchants are compliant with the current PCI DSS Standard. Requirement 6.6 of the PCI DSS addresses application controls as a best practice until June of 2008, at which time it will become a requirement. It is estimated that the vast majority of merchants do not currently have sufficient application layer controls to support compliance with Requirement 6.6.

It is a fact that many companies remain confused about how to achieve compliance with the PCI DSS and specifically the need for and value of application layer controls. Application security is a complex discussion that requires specialized expertise not often found within many merchants or service providers. There exists confusion propagated by some Approved Scanning Vendors (ASV) within the industry that network layer scanning, as required by the PCI DSS, is sufficient to both identify application layer vulnerabilities and achieve compliance with the application requirements of the PCI DSS. It should be noted that while network layer scanning is an important component of a comprehensive information security strategy, it does not meet the requirements for application layer security outlined in Requirements 6.5 and 6.6 of the PCI DSS. Additionally, the network layer scanning required by the PCI DSS does not accurately detect application layer vulnerabilities such as SQL Injection or Cross Site Scripting. The unfortunate result is that many well-intentioned companies are exposed to serious risk of data breach because they rely upon network layer scanning to identify application layer vulnerabilities.

A Visa Alert originally published in 2006 and republished in June 2007 and January 2008 [2] demonstrates the challenges faced by merchants, banks, and service providers today. The alert reads, in part:

“A review of recent data security breaches suggests Structured Query Language (SQL) injection attacks on e-commerce Web sites and Web-based applications that manage card accounts (e.g., PIN updates, monetary additions, account holder updates) have become more prevalent.”

Considerations for Small- to Medium-Level Organizations

Companies that accept or process payment card transactions have some unique challenges that must be considered.

1. Low Total Cost of Ownership: PCI DSS compliance is required of all companies that store, transmit, or process Cardholder Data. This frequently results in smaller organizations facing enormous compliance costs. Identifying solutions that are cost effective, have a low total cost of ownership and enable compliance is paramount for companies within the payments industry.

[2] Visa Inc. (January 25, 2008) Visa Data Security Alert: “Potential Network Vulnerabilities” www.visa.com/cisp

2. Ease of Use and Flexibility: Small to Medium sized organizations within the payments industry have a demonstrated need for solutions that are easy to implement and use, and provide the necessary flexibility to meet the changing needs of growing organizations.

3. Resource Availability: Unlike information-only websites, merchants, processors, and gateways use the Internet to transmit and process extremely sensitive information. Merchants and other companies in the Payment Card Industry have a demonstrated need for near 100% availability of processing resources.

4. Compliance with the PCI DSS: Organizations within the Payments Card Industry are required to comply with the PCI DSS. To ensure compliance any device or system that is used to support the Cardholder Data Environment must also comply with the relevant standards. Examples include ensuring that the system supports complex passwords, and generates appropriate logs.

Evaluation of ModSecurity Pro M1100:

The Aegenis Group, Inc. (Aegenis) installed and evaluated the ModSecurity Pro M1100 appliance in its own environment to evaluate the features and functions of the device relative to the needs of the payments industry. Aegenis focused the testing on analyzing the following aspects of this appliance:

1. Ease of Installation and Use: This was evaluated relative to The Aegenis Group’s understanding of the skill level within the Payment Card Industry.

2. Product Features: This was evaluated within the context of how data is commonly compromised and the needs of the companies within the industry.

3. Support of Identified Considerations: This was evaluated within the context of the specific challenges faced by small to medium-sized companies within the Payment Card Industry.

The ModSecurity Pro M1100 is an application layer firewall that fully supports compliance with PCI DSS Requirement 6.6, and partially supports compliance with PCI DSS Requirement 6.5 as well as numerous other sub-requirements. The ModSecurity Pro M1100 appliance is a hardened, Linux-based appliance based upon the popular open-source application layer firewall ModSecurity. With over 15,000 implementations, ModSecurity has been rigorously tested in the real world. The ModSecurity Pro M1100 is appropriate for small to medium sized companies that require a hardened, tested application layer firewall appliance that can be employed ‘out of the box’, is cost effective, and provides the necessary flexibility for growing organizations. It operates in a transparent application proxy network deployment mode and employs both negative and positive security models to block malicious HTTP requests. The negative security model utilizes “generic attack detection” rules-based logic which focuses on attack indicators instead of specific attack vectors, whereas the positive security model enforces compliance with HTTP standards, web server platforms and application language components.
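To make the two models concrete, here is an added Python illustration of a negative model built from generic attack indicators and a positive model built from an application profile. It is not the appliance's rule language and not code from the paper or from Breach Security; the indicator rules, the application profile and the sample requests are all constructed for the example.

```python
"""Negative and positive security models side by side.

The negative model looks for generic indicators of hostile input in any parameter (the
text's "generic attack detection"); the positive model only lets through what the
application profile says a request may contain. Both run on every request and either
one can block it.
"""
import re
from urllib.parse import parse_qsl

# Negative model: generic indicators rather than specific exploit strings.
# Hypothetical rule set, constructed for this example.
NEGATIVE_RULES = [
    ("sql-comment-or-union", re.compile(r"--|/\*|\bunion\s+select\b", re.I)),
    ("html-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]

# Positive model: a hypothetical profile of one small checkout application, listing the
# allowed methods, the known paths, and a pattern each parameter must fully match.
POSITIVE_PROFILE = {
    "methods": {"GET", "POST"},
    "max_param_len": 256,
    "paths": {
        "/search": {"q": r"[\w .-]{1,40}"},
        "/checkout": {"cardholder": r"[A-Za-z .'-]{1,60}", "qty": r"\d{1,3}"},
    },
}


def inspect_request(method, uri, body=""):
    """Return a list of (model, reason) findings; an empty list means the request is clean."""
    findings = []
    path, _, query = uri.partition("?")
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)

    # Positive model: anything outside the profile is a violation.
    if method not in POSITIVE_PROFILE["methods"]:
        findings.append(("positive", f"method {method} not allowed"))
    profile = POSITIVE_PROFILE["paths"].get(path)
    if profile is None:
        findings.append(("positive", f"path {path} not in application profile"))
    else:
        for name, value in params:
            pattern = profile.get(name)
            if pattern is None:
                findings.append(("positive", f"unexpected parameter {name}"))
            elif len(value) > POSITIVE_PROFILE["max_param_len"] or not re.fullmatch(pattern, value):
                findings.append(("positive", f"parameter {name} does not match its profile"))

    # Negative model: generic indicators anywhere in the decoded parameter values.
    for name, value in params:
        for rule_id, pattern in NEGATIVE_RULES:
            if pattern.search(value):
                findings.append(("negative", f"{rule_id} in parameter {name}"))
    return findings


def decide(method, uri, body=""):
    """Blocking decision in the style of an in-line appliance: any finding blocks."""
    findings = inspect_request(method, uri, body)
    return ("block" if findings else "allow"), findings


if __name__ == "__main__":
    samples = [  # constructed requests
        ("GET", "/search?q=running+shoes", ""),
        ("GET", "/search?q=shoes--", ""),
        ("POST", "/checkout", "cardholder=Jane+Doe&qty=2&debug=1"),
        ("GET", "/admin", ""),
    ]
    for method, uri, body in samples:
        print(method, uri, body, "->", decide(method, uri, body))
```

The two models catch different things: the search value ending in a SQL comment sequence satisfies the positive profile (hyphens are allowed in a search term) and is stopped only by the negative rule, while the unexpected `debug` parameter contains no attack indicator at all and is stopped only by the positive profile. That complementarity is why an appliance runs both.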

Ease of Implementation and Use

The Aegenis Group installed and configured the ModSecurity Pro M1100 appliance in less than a day. It offers two modes of operation for protection of Internet and intranet applications. In Transparent Bridge mode the ModSecurity Pro M1100 is configured in-line with the Internet accessible web applications and can monitor for rules-based known attack patterns. In Reverse Proxy mode, access to the web servers must be directed through the appliance for it to monitor application traffic. One of the more compelling characteristics of the ModSecurity Pro M1100 that it shares with its larger sibling, WebDefend, is the ability to install without reconfiguring the network.

Installing the ModSecurity Pro M1100, while not as ‘plug and play’ as its more robust sibling the WebDefend, was not overly difficult and should not prove too difficult for standard network engineers or firewall administrators. The most difficult part of the initial set-up involved making basic configurations to an easy-to-navigate command line interface. This must be done before an administrator can manage the appliance through the web management console. Once the network settings were defined, the appliance is easily managed via the web management console. No additional applications or clients were required to remotely manage the appliance, as all features and controls are directly accessible through the web management console. The web management console is accessed through a dedicated management network interface card on the appliance. This ensures that a hacker cannot compromise the appliance through the ports used to monitor and block traffic.

The web management console is intuitive and easy to understand. One of the more appealing features for organizations with deep technical expertise is the ModSecurity Pro M1100’s extreme flexibility. It enables nearly unlimited custom configuration of the filtering, or, for a simple install, one can pick the pre-configured PCI Compliance policy. It also offers advanced auditing and search capabilities for identifying and trending attacks. For a simple review of audit events it offers automated and manual report generation that can be archived or received as an email notification.

Version 1.6 of the ModSecurity Pro M1100 offers significant advantages for organizations pursuing PCI DSS compliance. It provides enhanced alert management functions and pre-defined PCI specific reporting to enable organizations to quickly demonstrate compliance.

One of the more compelling features of the product is the ability to correlate events and allow administrators to sort alerts by criteria including severity of alert, site name, source IP, and event category (i.e. SQL Injection or Cross Site Scripting). This capability dramatically minimizes the likelihood that human error will result in a misconfiguration or misinterpretation of an alert. For small to medium sized organizations that may not possess in-house application security expertise, this functionality is invaluable. Screenshots can be seen in Appendix B.
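An added illustration of that alert-correlation workflow in Python (not code from the paper or from Breach Security; the alert fields, source addresses and severity scale are constructed for the example and are not the appliance's log format):

```python
"""Alert sorting and source correlation for an application-firewall event feed.

Sorting by severity, site, source IP or category is the first pass; correlating events
per source is what turns a pile of single alerts into "one address hit two sites with two
attack categories in six minutes", which is what an administrator needs to act on.
"""
from collections import Counter, defaultdict

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed alerts. Source addresses are taken from the RFC 5737 documentation ranges.
ALERTS = [
    {"time": "2008-03-10T10:01:05", "site": "shop.example", "src": "203.0.113.7",
     "category": "SQL Injection", "severity": "critical"},
    {"time": "2008-03-10T10:01:09", "site": "shop.example", "src": "203.0.113.7",
     "category": "SQL Injection", "severity": "critical"},
    {"time": "2008-03-10T10:02:30", "site": "pay.example", "src": "203.0.113.7",
     "category": "Cross Site Scripting", "severity": "high"},
    {"time": "2008-03-10T10:05:00", "site": "shop.example", "src": "198.51.100.4",
     "category": "Protocol Violation", "severity": "low"},
    {"time": "2008-03-10T10:06:41", "site": "pay.example", "src": "192.0.2.9",
     "category": "Cross Site Scripting", "severity": "medium"},
    {"time": "2008-03-10T10:07:02", "site": "pay.example", "src": "192.0.2.9",
     "category": "Cross Site Scripting", "severity": "medium"},
]


def sort_alerts(alerts, *fields):
    """Sort by the given fields; 'severity' sorts critical first, any other field sorts
    lexically, and time is the final tiebreaker so equal alerts keep their arrival order."""
    def key(alert):
        parts = [SEVERITY_RANK[alert["severity"]] if f == "severity" else alert[f]
                 for f in fields]
        parts.append(alert["time"])
        return tuple(parts)
    return sorted(alerts, key=key)


def correlate_by_source(alerts):
    """One record per source IP: event count, categories, sites, worst severity, time span."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert["src"]].append(alert)
    summary = {}
    for src, events in grouped.items():
        times = sorted(e["time"] for e in events)
        summary[src] = {
            "events": len(events),
            "categories": Counter(e["category"] for e in events),
            "sites": sorted({e["site"] for e in events}),
            "worst_severity": min(events, key=lambda e: SEVERITY_RANK[e["severity"]])["severity"],
            "first": times[0],
            "last": times[-1],
        }
    return summary


def triage_order(alerts, min_events=2):
    """Sources to look at first: repeat offenders ordered by worst severity, then event count."""
    summary = correlate_by_source(alerts)
    hot = [(src, s) for src, s in summary.items() if s["events"] >= min_events]
    hot.sort(key=lambda item: (SEVERITY_RANK[item[1]["worst_severity"]], -item[1]["events"]))
    return [src for src, _ in hot]


if __name__ == "__main__":
    for alert in sort_alerts(ALERTS, "severity", "site"):
        print(alert["severity"], alert["site"], alert["src"], alert["category"])
    for src in triage_order(ALERTS):
        print(src, correlate_by_source(ALERTS)[src])
```

Run as written, the triage list puts 203.0.113.7 first (three events, two categories, both sites, worst severity critical), then 192.0.2.9; the single low-severity protocol violation from 198.51.100.4 never reaches the top of the queue, which is the kind of prioritisation the text credits with reducing misinterpreted alerts.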

Product Features

The ModSecurity Pro M1100 product offers a number of advanced features, but they vary in the degree to which they offer application protection. The following is a list of features that support the specific needs of companies within the Payment Card Industry.

1. Information Leakage Protection: Through a pre-defined set of rules, the ModSecurity Pro M1100 can address vulnerabilities to known exploits within web applications that are frequently the cause of data leakage within organizations. Preventing data leakage is critical for companies that store, process, or transmit cardholder data as exposure has significant financial implications.

2. Anti-Virus Protection: ModSecurity Pro M1100 provides file-upload anti-virus protection with an API that can work with any command line anti-virus product. This provides additional, complementary support for PCI DSS Requirement 5.1 which requires anti-virus be installed on all systems commonly affected by viruses.

3. Pre-Defined Rules: The ModSecurity Pro M1100, while flexible, provides pre-defined rules for organizations without advanced technical skills to employ. These predefined packages include information leakage protection, automated detection of malicious activity, PCI DSS compliance, Open Web Application Security Project's Top 10 vulnerabilities, platform-specific protection for Apache, IIS, PHP, ASP, ASP .NET and others, and anti-virus protection for file uploads with Clam AV.

4. SSL Inspection: Commonly, attackers will attempt exploits through port 443 (SSL connections) in an attempt to circumvent network IDS/IPS. The ModSecurity Pro M1100 can inspect packets within the SSL traffic and detect and block attacks. This is particularly useful for organizations within the payments industry as SSL is required for web-based eCommerce transactions.

5. Alert Management and PCI Specific Reporting: Effectively configuring and managing application layer firewalls can be a challenging process for all but the most technically adept organizations. The ModSecurity Pro M1100 provides enhanced management features to enable organizations to quickly sort and prioritize alerts based upon severity of alert. Additionally, the appliance provides pre-defined PCI specific reports to enable organizations to quickly demonstrate compliance with the relevant sections of the PCI DSS and card brand rules.

Support of Considerations for Small to Medium Organizations:

1. Low Total Cost of Ownership: The ModSecurity Pro M1100 is a reasonably priced appliance that should not be cost prohibitive for small- to medium-sized organizations within the payments space. Additionally, because a single ModSecurity Pro M1100 is designed to support multiple web servers, it removes the need to employ additional appliances for organizations with multiple websites.

2. Ease of Use and Flexibility: The ModSecurity Pro M1100 is relatively easy to install and operates ‘out-of-the-box’ with pre-defined rules to immediately support application security and compliance with PCI DSS Requirement 6.6. Additionally, it provides an intuitive alert management interface that enables the quick and accurate prioritization of alerts, and PCI-specific reporting templates. Finally, the ModSecurity Pro M1100 also provides more technically adept users with an extremely flexible platform to support advanced rules generation through regular expressions.

3. Availability of Resources: While operating inline, the ModSecurity Pro M1100 provides availability of resources during a network or hardware failure by employing an integrated bypass card. This ensures that critical traffic will continue to flow, though unprotected by the appliance.

4. Compliance with the PCI DSS: Review and analysis of the ModSecurity Pro M1100 features and functionality demonstrates that it fully or partially supports a number of PCI DSS requirements. The following is a summary of the PCI DSS requirements that can be addressed, in whole or in part, by implementation of this product.

PCI DSS Requirement | Fully / Partially Support | Comment
5.1 Install Anti-Virus software on systems commonly affected by Viruses. | X | ModSecurity Pro M1100 provides support for file upload anti-virus detection through integration with ClamAV. This complements existing AV controls.
6.5 Develop all web applications based on secure coding guidelines such as the OWASP guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include the following: | X | ModSecurity Pro M1100 protects applications against the OWASP Top 10 vulnerabilities. This complements the SDLC.
6.5.1 Unvalidated Input | X | ModSecurity Pro M1100 satisfies this requirement
6.5.2 Broken Access Controls | X | ModSecurity Pro M1100 satisfies this requirement
6.5.3 Broken authentication and session management | X | ModSecurity Pro M1100 satisfies this requirement
6.5.4 Cross Site Scripting | X | ModSecurity Pro M1100 satisfies this requirement
6.5.5 Buffer Overflows | X | ModSecurity Pro M1100 satisfies this requirement
6.5.6 Injection flaws | X | ModSecurity Pro M1100 satisfies this requirement
6.5.7 Improper Error Handling | X | ModSecurity Pro M1100 satisfies this requirement
6.5.8 Insecure Storage | X | ModSecurity Pro M1100 satisfies this requirement
6.5.10 Insecure Configuration Management | X | ModSecurity Pro M1100 satisfies this requirement
6.6 Ensure that all Web Facing Applications are protected against known attacks by applying either of the following methods: - Having all application code reviewed for common vulnerabilities by an organization that specializes in application security | X | ModSecurity Pro M1100 protects against common vulnerabilities through pre-defined rules.
- Installing an application layer firewall in front of web-facing applications | X | ModSecurity Pro M1100 protects against common vulnerabilities through pre-defined rules.
10.2 Implement Automated Audit Trails for all system components. 10.2.1 All individual user access to cardholder data | X | ModSecurity Pro M1100 provides detailed auditing capabilities in support of 10.2.1.
10.2.4 Invalid logical access attempts | X | ModSecurity Pro M1100 provides detailed auditing capabilities in support of 10.2.1.
11.4 Use network intrusion detection systems, host based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. | X | ModSecurity Pro M1100 can identify and block application layer attacks and alert on such attacks. This complements the IDS/IPS controls.

Summary of Findings:

The importance of application security is compounded with each news story detailing a data compromise. The FTC and the PCI SSC have made a crusade of addressing the vulnerabilities in applications that collect and store personal information. The Payment Card Industry in particular, has had significant challenges in meeting the consumers’ demand for both timely and secure payment transactions. The fine line required to meet the customers’ growing expectations and the increasing involvement of government can be a difficult one to balance. Fortunately, Breach Security’s ModSecurity Pro M1100 helps companies in the Payment Card Industry answer the call of both masters: industry and government regulation and customer expectation.

Breach Security’s ModSecurity Pro M1100 application layer firewall allows companies to address application vulnerabilities in a manner that supports and enables PCI DSS compliance and the business objectives of the organization. As has been discussed, the security of applications has been thrust into the spotlight by a series of high-profile data compromises. The ModSecurity Pro M1100 appliance provides robust application layer protection, extreme flexibility, out-of-the-box security, and full or partial support for compliance with 16 PCI DSS requirements and sub-requirements, with a low total cost of ownership.

Many companies may choose to implement this appliance when they need immediate application firewall protection and to address areas of compliance related to the PCI DSS. It is important that companies understand the methods used to prevent application attacks and achieve compliance, while satisfying all business and technical needs of the organization.

Appendix A: Boa Factory Screen Captures

Appendix B: ModSecurity Pro M1100 Screenshots

About the Aegenis Group, Inc.

The Aegenis Group is the recognized leader in data security, and regulatory training & consulting within the Payments industry. To date, the Aegenis Group has more experience training on the PCI DSS than any company in the world. The following represents some of The Aegenis Group’s PCI DSS Expertise:

• Founders worked at both Visa USA, and MasterCard Worldwide on their respective security programs.

• Founders were members of the PCI SSC Technical Working Group responsible for updating the PCI DSS Standard 1.1.

• Founders were involved in original development of the CISP/PCI DSS Standard.

• Founders were involved in development of the PABP/PA-DSS Standard.

• Conducted the industry’s first CISP Assessment in 2002.

• Former QSA Owners that have conducted over 200 PCI Assessments for some of the largest, most complex merchants, banks, and service providers in the world.

• Contracted with PCI SSC as worldwide trainer of Qualified Security Assessors.

• Trained over 1,700 QSAs since January, 2007.

• Contracted with major Payment Card Brand to train all major acquirers and merchants.

• Trained over 8,000 people from 500 different organizations since January, 2007.

• Trained Numerous Fortune 500 companies in PCI DSS and risk management.

• Trained Big 4 consulting firms in PCI DSS.

• Invited speakers at over 12 different PCI and security related events in 2007.

• Written scores of articles on the PCI DSS, and security within the payments’ industry.

Corporate Headquarters: 6410 N Business Park Loop, Suite E, Park City, UT
[email protected]
© 2008 The Aegenis Group, Inc. All rights reserved Worldwide.

The information contained in this document represents the current view of The Aegenis Group, Inc. on the issues discussed herein as of the date of publication. It should not be interpreted as a commitment on the part of The Aegenis Group, Inc and The Aegenis Group, Inc cannot guarantee the accuracy of the information presented after the date of publication. Specifications and content are subject to change without notice. This document is for informational purposes only. THE AEGENIS GROUP, INC MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

The Aegenis Group is a trademark of The Aegenis Group, Inc. Other product or company names mentioned herein may be the trademarks of their respective owners.