PCI-related Observations from RSA 2013
As a frequent attendee of the US RSA Conference in the past, this year I had the opportunity to work in the Cisco booth on the exhibition floor. This year’s RSA event was very busy, it seemed like there was a continuous flow of people and energy across the show floor. I had the pleasure of staffing Cisco’s Compliance Solution demonstration where we test people’s knowledge of PCI compliance. This is one of my favorite demos/stations to operate because it rewards people for their hard learned knowledge and skill on the topic with a prize instead of the normal random drawing (if you get the highest score in the shortest amount of time, you’re the winner!). I was surprised by the number of attendees that did not want to take our quiz. Was it a fear of being put on the spot? Or were they just not very knowledgeable about PCI? I consider the RSA conference as a security minded conference and thought a solid business driver like PCI Compliance would be front and center for many security professionals that often have to justify security purchases. Further, given the proliferation of data breaches across all industry segments, this should be a top of mind topic. Many industries outside of retail accept credit cards for payment of services and products (e.g., hospital co-pays, DMV fees, city permits, Insurance payments, hotels, transit stations) so when all three days of the quiz were won by retailers I was a bit surprised. I would have expected a few security vendors or professionals to have won at least one day!
My guess is it just comes down to risk and scope. Maybe other industries have such a small scope where credit cards are used that they are easy to segment from their general infrastructure, or outsource this function altogether, and that knowledge of PCI DSS is only necessary for a few individuals. My interpretation though is that the PCI DSS represents a best practice security baseline that every company should try to implement to protect all of their assets and intellectual property, not just card holder information.
What guidance are you following to secure your infrastructure? Is it simple to maintain? How do you know it is working? Can you mitigate your losses quickly after a breach? How do you justify this investment to the business decision makers? These are all questions that you should be asking yourself when thinking about security solutions, and we try our best to have the answers.
To learn more about Compliance Solutions from Cisco, please visit www.cisco.com/go/pci