A common perception is that there is a difference between being secure and being compliant. A Verizon analysis on cybercrime reported that cyber-attacks on Retailers are increasing and becoming streamlined and automated. According to the 2012 Verizon PCI compliance report, “97% of breaches were avoidable through simple or intermediate controls”. How does a Retailer protect itself? One method is through PCI Compliance. Does that sound contradictory to that common perception?
Join Cisco on April 16th, 2013 10:00am PT for a webcast on PCI compliance and security with guests from Ponemon Institute, Verizon Business and PCI Security Standards Council.
As part of the planning of the webcast, we sat down with Bart McGlothin and Christian Janoff from Cisco’s security team to discuss PCI compliance and security for retail and get some answers. Here’s what we learned:
Q. What is PCI?
A. Simply put, PCI is a checklist for securing credit card information. It is based on security standards from the past but is written with credit card data in mind. Essentially, you are securing credit card information by limiting access to it, encrypting it where necessary and maintaining a secure network.
PCI has 12 requirements:
- Put a firewall between trusted and untrusted networks.
- Change the default passwords before you put technology into sensitive areas.
- Encrypt data that is stored.
- Encrypt data that is used over public networks.
- Use antivirus software.
- Develop and maintain secure applications.
- Restrict access to employees that need it for their jobs.
- Use unique IDs for employees so that you know who is doing what.
- Physically lock up your technology so that the public doesn’t have access to it.
- Monitor your network and who has access
- Test your systems and policy to make sure that it is working.
- Have a security policy in place
What is interesting is that some people don’t consider PCI to be “security,” but rather just “compliance.” In reality, though, PCI can be used as a method to achieve companywide security. It is a prescriptive way of achieving security for credit card data through logical steps. The advantage of investing in PCI is that the technology that you purchase to secure your credit card data can also be used to secure your entire company. It’s a nice flip flop on the old adage; if you are secure, you are compliant – but if you are compliant, it doesn’t necessarily mean that you are secure. Well, in this case, purchasing for compliance can give you enterprise-wide security. CIOs have realized that they can now use compliance as justification to ensure that they have funding to secure their company.
Q. Who needs to be PCI compliant?
A. Any retailer who takes a credit card. This includes everyone from small Mom & Pop shops to global companies.
Q. How does a Retailer become “PCI compliant”?
A. They need to follow the PCI standard and use the many resources available to them. For example, the council has put out some great documents like the “PCI self-assessment questionnaire” and the “Prioritized Approach for PCI”. Obviously, you can get guidance from Cisco’s compliance services or use the “Cisco PCI Design and Implementation Guide”. The best advice I can give around compliance is to make sure that whatever steps a retailer takes to become compliant that they try to simplify the process as much as possible. Too many times we have seen retailers become compliant but then become breached and realize that they were unable to maintain their compliant posture.
Q. What is the point of PCI compliance?
A. Well, beyond providing a method to secure credit cards, it helps the industry take accountability and responsibility. There is a clear chain of enforcement: from the credit card brands, to the acquiring banks of the transactions, to the retailers themselves. Now, companies take securing credit cards more seriously than we had seen as few as five years ago. And PCI compliance has done a great job of making sure that companies are becoming more secure. Of course, we still have a ways to go, but it definitely has moved the needle.
Stay tuned for next week’s continuation blog on PCI Security for Retail, where we discuss how Cisco Solutions deliver not only PCI Compliance but also security for your entire enterprise!
Don’t forget to register to join Cisco on April 16th, 2013 10:00am PT for a webcast on PCI compliance and security with guests from Ponemon Institute, Verizon Business and PCI Security Standards Council.