Last week, we sat down with Bart McGlothin and Christian Janoff from Cisco’s security team to discuss PCI Security for Retail to better understand “What is PCI Compliance?” and “How does that affect Retailers?”
As a quick re-cap: PCI Compliance is a 12-step process to secure credit cards. Any retailer that accepts credit card payments must be “PCI Compliant” (i.e., follow those 12 steps). Compliance is enforced by the Retailer’s acquiring bank (the financial institution that processes the credit card payments for the Retailer).
Q. So, we know that Retailers need to be PCI Compliant. How can Cisco help?
A. Cisco has a PCI design and implementation guide for merchants to use. It really stands alone in the industry because it provides holistic guidance in three key ways:
First, Cisco’s PCI solution gives retailers a clear way of defining segmentation. Segmentation separates your customer’s credit card information from the regular data that might not be as sensitive. By doing this, you are able to focus the controls of PCI into smaller areas across your entire enterprise.
Second, the solution offers a holistic end-to-end view of your payments. We show how the PCI requirements affect the different locations in your network. It’s easier to understand compliance when you look at locations, like a data center or a store. What do you need to do, for example, when you add wireless to a store that did not have it previously? How does it affect your compliance? We mapped the PCI controls in these areas and explained what technology will satisfy them.
Finally, it doesn’t do any good to look at the big picture if each device in the network is not capable of sustaining compliance. Cisco worked with Verizon Business to develop a way of assessing each technology to see if it meets the demands of PCI.
All of this information is available in the PCI Design and Implementation Guide. It shows the architectures and the score cards of the products used to address compliance. This guide includes the implementation steps, the running configurations and the assessment from Verizon Business. It is very comprehensive.
Q. Are there any tips that you can give our readers around simplifying PCI compliance?
A. Sure. A big one is to designate a department or person as responsible for PCI compliance. This puts the pressure to sustain compliance on a specific individual rather than diffusing the responsibility in silos. There are always cracks between silos, and you don’t want cracks in your compliance. We see this being a problem because compliance requires orchestration and activity across the company. Someone really needs to lead it.
This leads into another good practice for the retailer to “own” their compliance. What I mean by that is a lot of retailers will wait for the auditor to ask for information and then the retailer responds to go get that information. Instead, the retailer should document the entire scope and maintain this information for the subsequent audit. Going back to the previous point, by having a single person or department own this responsibility, it will minimize the cost of compliance in the long run because you do not have to keep starting from scratch every year as the new auditor comes in.
We want to thank Christian and Bart for elucidating PCI Compliance, how it affects Retailers, and how Cisco can help!
If you want to learn more about Cisco’s security options for Compliance, please visit www.cisco.com/go/pci
Please join Cisco on April 16th, 2013 10:00am PT for a webcast on PCI compliance and security with guests from Ponemon Institute, Verizon Business and PCI Security Standards Council.