Cisco Blogs


Cisco Blog > Security

Becoming PCI certified…is this within reach?

Anyone who has been involved with compliance knows that simplifying complexity is the key to maintaining a secure and compliant organization. It’s become quite apparent that sustaining compliance is a marathon, and the journey must be travelled with vigilance. This is not something that is an endpoint or a task, that once accomplished, can be shelved and forgotten; therefore, it is very helpful for merchants, who wish to become compliant or maintain compliance, to purchase solutions that are “certified.”

The fact that you are purchasing a product that’s already been validated as secure and “capable” of being compliant reduces the complexity and uncertainty associated with big-ticket items. Adding new credit card readers or a payment application in your stores is expensive, and knowing that these products are validated by the Payment Card Industry (PCI) Council gives merchants confidence that they’re making a wise and secure decision.   Read More »

Tags: , , , , , , ,

Does the challenge of PCI compliance compare with summiting Mt. Everest?

Having attended the annual North American PCI Community Meeting for many years and being involved with PCI compliance since 2008, I’ve heard firsthand the challenges merchants face in their quest for PCI compliance (see Blog: Compliance Headaches Continue).  However, thinking back to the PCI Community Meeting last week in Orlando, I was intrigued by how this year’s keynote speaker fit into the program.  How could an extreme adventurer, such as Jamie Clarke, rather than a hacker or data breach expert provide the necessary perspective on compliance?  As I attended sessions and networked with over a thousand of my peers from 17 countries, it dawned on me:  The collective PCI state of mind is reflective of the maturity of the journey and a fresh optimism emerges as we near the top of the mountain after a very long and arduous journey.

Here are some of the highlights from this year’s meeting.

  • PCI SSC General Manager Bob Russo presented the annual PCI State of the Industry. The PCI standards continue to mature and merchants are increasing the focus to protect cardholder data.  The overall tone was more about ‘tweak’ than change.
  • The opportunity for training from the PCI Council continues to increase with several new programs including a Qualified Integrators and Resellers (QIR) program and a Payment Card Industry Professional (PCIP) certification.
  • The Special Interest Groups (SIGs) are going strong, which again speaks to the maturity of the standard.  We are seeing ongoing clarity, rather than new initiatives.  The SIGs leverage valuable business and technical experiences from PCI Participating Organizations (POs).  Over 460 POs were in attendance.  Our key candidates for the 2013 SIGs are Cardholder Data Discovery and Guidance on Logging.  However, there are 7 candidates up for voting.
  • Spider Labs presented an overview of mobile device security and reviewed several mobile attack scenarios. The PCI Council has released new guidance on secure mobile payment acceptance.
  • Updates to the Council’s Point-to-Point Encryption (P2PE) program are available.
  • Feedback on the PCI standards was discussed in preparation for the next releases in 2013.

Read More »

Tags: , , , ,

HIPAA and the Standard of Due Care – How Much Security is Enough?

There’s a natural struggle between those who write rules around compliance to a standard and those who must implement IT systems to ensure compliance with that standard. The former want to create guidelines rather than hard and fast requirements so there’s flexibility in how to achieve compliance. Plus, they want guidelines that allow for advances in technology. The latter want technical specificity – do X and become compliant.

With a compliance standard like PCI DSS, which specifies credit card information security requirements, there’s a great deal of technical specificity about what is required in order to become PCI DSS compliant. In fact, all but a handful of PCI DSS’s 211 sub-requirements call for specific technical actions. But even then, some PCI DSS sub-requirements are subject to interpretation by the various auditing authorities.

Most compliance mandates, especially those imposed by governments, aren’t as cut and dried as PCI DSS and they always include many specific requirements around acceptable compliant behavior in addition to non-specific requirements around technology-oriented compliant safeguards.

The privacy and security of health information in the U.S. is governed by a Federal law called the Health Insurance Portability and Accountability Act (HIPAA). As written, HIPAA is vague in many behavioral and technological areas. The law turned over “rule-writing,” whose aim is to provide more specificity, to the U.S. Department of Health and Human Services (HHS). HHS wrote a key rule – the HIPAA Security Rule – that is relevant to information security professionals.

But alas, even the HIPAA Security Rule is ambiguous! Read More »

Tags: , , , ,

Attend the PCI Community Meeting and be Heard!

The Payment Card Industry (PCI) Security Standards Council (SSC) is an open global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. According to the PCI SSC, 2012 is a critical year in the standards development process that hinges on feedback from the PCI community.

Getting the latest information about the PCI Data Security Standard (DSS) is vital as products and technologies continue to change at a rapid pace. Being part of the conversations, networking with like-minded professionals, and interacting directly with payment card brands are just a few of the benefits of attending the sixth annual PCI SSC North American Community Meeting. The meeting runs September 12—14, 2012 at the Walt Disney World Swan and Dolphin Resort in Orlando, Florida.

Read More »

Tags: , , ,

Simplifying PCI Compliance for SMBs

Payment Card Industry (PCI) compliance can often be overwhelming for all enterprises, let alone small and medium businesses (SMBs).  Given limited budgets and IT resources, SMBs face an even greater challenge than large enterprises.

The PCI Data Security Standard (DSS) 2.0 is complex on several levels:

  • It requires expertise on a range of network systems and security technologies.
  • It requires continual monitoring and management of access to cardholder data.
  • There is no “silver bullet” technology that can address a growing list of detailed standards and requirements. Technologies such as encryption, tokenization, as well as Europay, MasterCard, and Visa (EMV) smartcards address portions of your infrastructure, but none provide a single compliance solution.
  • It’s dynamic and requires ongoing diligence.  Being compliant at the time of your audit is a snapshot in time that requires simplified maintenance.

These requirements take time, effort and funding, which are all in short supply in SMBs.

Help is at hand. Cisco and many of its partners offer cost-effective PCI compliance services--including assistance for SMBs as they complete their self-assessment questionnaire or assess PCI readiness.   In a recent article  authored by Cisco and partners Verizon Business and Presidio, we examine ways to simplify compliance for small and medium businesses.  Learn the 5 key strategies to securing your customer information while incorporating security best practices from Aaron Renolds, QSA and Principal Consultant at Verizon Enterprise Solutions and Sean Wallis, Senior Security Consultant at Presidio Networked Solutions.

Advice to Managers: Five Ways to Simplify Your PCI 2.0 Compliance:

http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/do_business_better/advice_to_managers/index.html

Tags: , , , , , , ,