Thales eSecurity News Release

Data Security Leader, Vormetric Inc. and TruComply Announce Free PCI Information Service to Reflect Updated PCI 1.1

PCI 1.1 Was Just Announced in Sept 2006 by the Newly Created PCI Co. It Reflects the Updated Rules and Regulations for What Is Needed to Comply With the Payment Card Industry Data Security Standards (PCI DSS), Especially the Sections Regarding Data Protection and Encryption

SANTA CLARA, CA - September 25, 2006 -- Vormetric, a leading provider of security solutions for protecting sensitive data from unauthorized access, today announced that it updated its free PCI information Service with TruComply, a security consulting company specializing in PCI Compliance initiatives to reflect the recently updated PCI 1.1 that was announced earlier in September 2006. Vormetric's and TruComply's free service includes a combination of quarterly newsletters, blogs by leading PCI experts, and PCIrelated news and updates. To register for the FREE NEWSLETTER, go tohttps://client.trucomply.com/AccountManagement/tabid/60/Default.aspx?AffiliateId=3.

The PCI DSS (Payment Card Industry Data Security Standard) is a compliance initiative agreed upon by the payment card industry (Visa USA, MasterCard International, Amex and Discover) that imposes over 200 security requirements on merchants, service providers, and banks that handle payment card information. The standard also requires on-site audits, self-administered audits, and network scanning by merchants and service providers based on the volume of transactions each facilitates. In addition to the PCI 1.1, the official company PCI Co was created.

TruComply is comprised of PCI DSS and Visa CISP veterans such as John Shaughnessy, who created and managed the Visa CISP program and PCI standards as Visa's Senior Vice President, Risk Management and Fraud Control; Chris Noell, a former payments security practice leader for a leading assessor; Mike Dahn, who has contributed towards methodology and standards for Visa CISP/PCI, Payment Application Best Practices (PABP), and helped develop the Discover Information Security and Compliance (DISC) program; and D.J. Vogel, who has managed scanning and forensics practices for leading assessors.

"In our experience, one of the most difficult challenges merchants face is getting accurate information about their PCI compliance requirements," said Chris Noell President, TruComply. "This was true before and is even more true now that a new PCI standard has been released. In most cases, including the much discussed encryption requirement, PCI 1.1 does not significantly change compliance requirements. Instead, PCI 1.1 mainly clarifies previous requirements. We believe one of the benefits of our information service in general and our PCI 1.1: Implications for Your Compliance Program paper is that we help clients focus on the real issues and avoid erroneous generalizations such as 'the encryption requirement has been watered down.'"

Regarding the PCI 1.1 TruComply, most security vendors focus on helping organizations comply with the mandatory validation requirements associated with PCI (e.g. on-site audit, quarterly perimeter scanning). However, the more fundamental challenge that organizations have is identifying how they 'process, transmit, and store' cardholder data, determining whether this is done in a secure and compliant fashion, documenting their security controls, and if out-of-compliance, determining whether effective compensating controls are in place or can be implemented. Organizations must ensure that they maintain control effectiveness throughout the year, since even a brief lapse can result in a compromise and potential liability under PCI as well as state and federal law.

"There was a lot of speculation in the Industry about the updated PCI 1.1 rules and what they mean," said Dr. Heather Mark, Vormetric's Director of Industry Marketing. "By working with experts like TruComply, their experience and influence can help decipher the PCI requirements, and how to best take action to comply. The joint service is very valuable."

To sign up for the FREE PCI Information Service, go to:https://client.trucomply.com/AccountManagement/tabid/60/Default.aspx?AffiliateId=3 or contact Dr. Heather Mark at pci@vormetric.com.

About Vormetric

Vormetric is the leader in data security management and enforcement solutions. Vormetric Data Security provides a centrally managed, high performance, easy-toimplement, distributed solution that solves the pressing compliance, security and risk management challenges facing today’s enterprises and government agencies. Vormetric’s application- and database-transparent solution outperforms other offerings to provide stronger and broader data security at a fraction of the management and implementation cost.

Vormetric’s more than 230 customers represent the world’s most trusted brands in financial services, retail, manufacturing, healthcare, media, energy and telecom industries as well as highly security conscious government agencies.

Vormetric technology has received strong market validation for its innovative approach to data security, including:

  • Selection by IBM as the core database encryption solution for DB2 and Informix on LinuxTM, Unix® and Windows
  • Computerworld Technology Innovation Award
  • Selection by Symantec to provide the Symantec Veritas NetBackupTM Media Server Encryption Option
  • Partnership with Oracle to secure the execution environment for Oracle® Database Vault
  • Five patents issued and nine patents pending

Vormetric is a trademark of Vormetric, Inc. All other names mentioned are trademarks, registered trademarks or service marks of their respective owners.