Whitelisting pushing out antivirus at some security-minded retailers

By , Network World |  Security, antivirus, whitelisting

The influential Payment Card Industry (PCI) rules call for use of antivirus software to protect debit and credit cards, but some retailers have found a substitute that's been accepted in place of it: whitelisting technology.

Application whitelisting works on a host computer to prevent unauthorized applications from running. The official PCI rules published by the PCI Security Standards Council don't include any mention of it, but some merchants and retailers are saying that their PCI-certified auditors are signing off on whitelisting as a substitute for antivirus software, which is giving them what they say is a needed A/V break.

BIG LIST: Most Powerful IT Security Players

"We started out with antivirus," says Bruce Snyder, manager of IT retail operations at Lacrosse, Wis.-based convenience store chain Kwik Trip, which has 436 locations. But on the store's point-of-sale (POS) systems in particular, running antivirus turned out to be hugely resource-intensive, enough so that it was even slowing down POS devices and impacting customer service.

Kwik Trip decided to try whitelisting technology -- its vendor is Bit9 -- as a substitute for antivirus since whitelisting should stop malware from executing. But as a sizeable "Level 1" retailer in the PCI-compliance world, Kwik Trip needed to have its PCI qualified security assessor (QSA), McGladrey, sign off on the change. The PCI auditor did, approving whitelisting as a substitute for antivirus. "They allowed us to do that, to replace A/V with whitelisting as a 'compensating control,'" Snyder says.

Today, Bit9 software is running only on Kwik Trip's POS terminals, but will be extended to store PCs by the end of next year, Snyder says. He adds that he hopes the PCI Council considers broadening the data-security rules to include whitelisting in the future.

Another large retailer and Bit9 customer, Louisville, Ky.-based Thorntons, had a similar experience related to PCI compliance in its convenience stores. And its PCI QSA, Trustwave, also gave the thumbs-up to whitelisting, says Jeffrey O'Gara, network administrator there. Traditional A/V was difficult to maintain with the updates, and more megabytes to run, than whitelisting, he says.

The PCI Security Standards Council did not provide anyone to discuss whitelisting, but a spokeswoman noted: "If another type of solution addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement."

Originally published on Network World |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question