There’s a natural struggle between those who write rules around compliance to a standard and those who must implement IT systems to ensure compliance with that standard. The former want to create guidelines rather than hard and fast requirements so there’s flexibility in how to achieve compliance. Plus, they want guidelines that allow for advances in technology. The latter want technical specificity – do X and become compliant.
With a compliance standard like PCI DSS, which specifies credit card information security requirements, there’s a great deal of technical specificity about what is required in order to become PCI DSS compliant. In fact, all but a handful of PCI DSS’s 211 sub-requirements call for specific technical actions. But even then, some PCI DSS sub-requirements are subject to interpretation by the various auditing authorities.
Most compliance mandates, especially those imposed by governments, aren’t as cut and dried as PCI DSS and they always include many specific requirements around acceptable compliant behavior in addition to non-specific requirements around technology-oriented compliant safeguards.
The privacy and security of health information in the U.S. is governed by a Federal law called the Health Insurance Portability and Accountability Act (HIPAA). As written, HIPAA is vague in many behavioral and technological areas. The law turned over “rule-writing,” whose aim is to provide more specificity, to the U.S. Department of Health and Human Services (HHS). HHS wrote a key rule – the HIPAA Security Rule – that is relevant to information security professionals.
But alas, even the HIPAA Security Rule is ambiguous! Read More »
Tags: due care, HIPAA, pci, PCI Compliance, security
The Payment Card Industry (PCI) Security Standards Council (SSC) is an open global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. According to the PCI SSC, 2012 is a critical year in the standards development process that hinges on feedback from the PCI community.
Getting the latest information about the PCI Data Security Standard (DSS) is vital as products and technologies continue to change at a rapid pace. Being part of the conversations, networking with like-minded professionals, and interacting directly with payment card brands are just a few of the benefits of attending the sixth annual PCI SSC North American Community Meeting. The meeting runs September 12—14, 2012 at the Walt Disney World Swan and Dolphin Resort in Orlando, Florida.
Read More »
Tags: pci, PCI Compliance, pci-dss, security
Payment Card Industry (PCI) compliance can often be overwhelming for all enterprises, let alone small and medium businesses (SMBs). Given limited budgets and IT resources, SMBs face an even greater challenge than large enterprises.
The PCI Data Security Standard (DSS) 2.0 is complex on several levels:
- It requires expertise on a range of network systems and security technologies.
- It requires continual monitoring and management of access to cardholder data.
- There is no “silver bullet” technology that can address a growing list of detailed standards and requirements. Technologies such as encryption, tokenization, as well as Europay, MasterCard, and Visa (EMV) smartcards address portions of your infrastructure, but none provide a single compliance solution.
- It’s dynamic and requires ongoing diligence. Being compliant at the time of your audit is a snapshot in time that requires simplified maintenance.
These requirements take time, effort and funding, which are all in short supply in SMBs.
Help is at hand. Cisco and many of its partners offer cost-effective PCI compliance services--including assistance for SMBs as they complete their self-assessment questionnaire or assess PCI readiness. In a recent article authored by Cisco and partners Verizon Business and Presidio, we examine ways to simplify compliance for small and medium businesses. Learn the 5 key strategies to securing your customer information while incorporating security best practices from Aaron Renolds, QSA and Principal Consultant at Verizon Enterprise Solutions and Sean Wallis, Senior Security Consultant at Presidio Networked Solutions.
Advice to Managers: Five Ways to Simplify Your PCI 2.0 Compliance:
Tags: compliance, cred card, mastercard, pci, PCI Compliance, pci-dss, security, via
Staffing Cisco’s Compliance Solution demonstration a few weeks ago at Cisco Live 2012, I was beckoning passersby to test their knowledge of the Payment Card Industry (PCI) Data Security Standard (DSS) 2.0. Some attendees shook their head and walked (ran) the other way. Of the brave souls who ventured over to demonstrate their PCI knowledge, most spoke of the difficulties and challenges of dealing with not only PCI, but other mandates as well, such as HIPAA, FISMA and SOX. Attendees came from different industries such as Retail, Healthcare, Financial Services and Education, many of whom shared the same challenges with approach, best practices and the cost of compliance. Surprisingly, some were just beginning their journey, starting at ground zero, and were seeking guidance on how to meet the CIO’s “get compliant” edict with a balancing act between IT and Finance. Other customers were seeking guidance on specific product features that could address areas of management and reporting.
At a Table Topics session during the same event, other challenges around scoping, segmentation and wireless networks were discussed. Today, one of the challenges that merchants still face is with auditor inconsistency. This is an area that the PCI council is working hard to address by implementing training and best practices programs for QSA’s. To add fuel to the fire, in a recent QSA Insights Report, the cost of annual audits averages $225,000 per year for the largest merchants. Excluding technology, operating, and staff costs, the world’s largest acceptors of credit cards (also known as Tier 1 merchants) are spending an average of $225,000 on auditor expenses. 10 percent of these businesses are spending $500,000 or more annually on PCI auditors. The full PCI DSS is available for download at:
Read More »
Tags: compliance, hippa, PCI Compliance, pci-dss, regulatory compliance, sox
Share your knowledge by taking the 5-minute Cisco Regulatory and Industry Compliance Survey
Greetings from Cisco’s Compliance Solutions team!
Over the past several years, we have developed an architectural approach to achieving and maintaining regulatory and industry compliance. Our latest work provides – in great detail – both a framework for achieving PCI DSS compliance and recommendations about how to make your Cisco-based network PCI compliant.
To address the topic with authority, we integrated Cisco and technology partner products together into a comprehensive solution based on foundational Cisco architectures, had a QSA auditor – Verizon Business – assess it for PCI DSS 2.0 compliance, and documented the results in a publicly-available Design and Implementation Guide which can be found here: www.cisco.com/go/pci
Our team’s broader vision is to enable Cisco customers to manage risk by achieving and maintaining compliance with a broad range of regulatory and industry mandates. We believe that
- Your challenges around compliance are growing and that you are looking for sound guidance as you work to achieve and maintain compliance with multiple mandates;
- The value we deliver starts with a thoughtfully-developed architectural framework but also includes a broad array of Cisco and partner technology that has been tested and assessed by third party auditors;
- Integrated and proven compliance solutions will give you confidence in Cisco’s ability to act as the foundation for achieving and maintaining compliance.
Looking forward, we plan to engage in conversations with our readers. You will hear from the team regularly on a variety of topics and we’ll ask about your views as they relate to compliance. Your thoughtful responses will help guide our future work.
In that spirit, we are very interested in your thoughts right now! We developed the “2012 Cisco Regulatory and Industry Compliance Survey” which can be found at:
The survey is anonymous and it will take about 5 minutes to complete. In future blog posts, we will share the results with you.
Thanks in advance for your contribution.
Cisco Compliance Solutions Group
Tags: Cisco, compliance, pci, PCI Compliance, pci-dss