Staffing Cisco’s Compliance Solution demonstration a few weeks ago at Cisco Live 2012, I was beckoning passersby to test their knowledge of the Payment Card Industry (PCI) Data Security Standard (DSS) 2.0. Some attendees shook their head and walked (ran) the other way. Of the brave souls who ventured over to demonstrate their PCI knowledge, most spoke of the difficulties and challenges of dealing with not only PCI, but other mandates as well, such as HIPAA, FISMA and SOX. Attendees came from different industries such as Retail, Healthcare, Financial Services and Education, many of whom shared the same challenges with approach, best practices and the cost of compliance. Surprisingly, some were just beginning their journey, starting at ground zero, and were seeking guidance on how to meet the CIO’s “get compliant” edict with a balancing act between IT and Finance. Other customers were seeking guidance on specific product features that could address areas of management and reporting.
At a Table Topics session during the same event, other challenges around scoping, segmentation and wireless networks were discussed. Today, one of the challenges that merchants still face is with auditor inconsistency. This is an area that the PCI council is working hard to address by implementing training and best practices programs for QSA’s. To add fuel to the fire, in a recent QSA Insights Report, the cost of annual audits averages $225,000 per year for the largest merchants. Excluding technology, operating, and staff costs, the world’s largest acceptors of credit cards (also known as Tier 1 merchants) are spending an average of $225,000 on auditor expenses. 10 percent of these businesses are spending $500,000 or more annually on PCI auditors. The full PCI DSS is available for download at:
Share your knowledge by taking the 5-minute Cisco Regulatory and Industry Compliance Survey
Greetings from Cisco’s Compliance Solutions team!
Over the past several years, we have developed an architectural approach to achieving and maintaining regulatory and industry compliance. Our latest work provides – in great detail – both a framework for achieving PCI DSS compliance and recommendations about how to make your Cisco-based network PCI compliant.
To address the topic with authority, we integrated Cisco and technology partner products together into a comprehensive solution based on foundational Cisco architectures, had a QSA auditor – Verizon Business – assess it for PCI DSS 2.0 compliance, and documented the results in a publicly-available Design and Implementation Guide which can be found here: www.cisco.com/go/pci
Our team’s broader vision is to enable Cisco customers to manage risk by achieving and maintaining compliance with a broad range of regulatory and industry mandates. We believe that
Your challenges around compliance are growing and that you are looking for sound guidance as you work to achieve and maintain compliance with multiple mandates;
The value we deliver starts with a thoughtfully-developed architectural framework but also includes a broad array of Cisco and partner technology that has been tested and assessed by third party auditors;
Integrated and proven compliance solutions will give you confidence in Cisco’s ability to act as the foundation for achieving and maintaining compliance.
Looking forward, we plan to engage in conversations with our readers. You will hear from the team regularly on a variety of topics and we’ll ask about your views as they relate to compliance. Your thoughtful responses will help guide our future work.
Even as the latest breach headline fades away, we all know there is another waiting in the wings (read Part I of my blog). How can organizations protect themselves? There is no panacea for securing a payment environment, and implementing advanced technology alone will not make an organization compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS provides a solid foundation for a security strategy that covers payment and other types of data, but overall security does not begin and end with PCI compliance. Therefore, an organization’s security strategy should employ best practices and an architecture that will not only facilitate PCI compliance, but also help secure the cardholder environment, prevent identity theft, reliably protect brand image and assets, mitigate financial risk, and provide a secure foundation for new business services.
Recently there has been a series of news items as enterprises announce they have been breached and their sensitive customer and financial records compromised. According to Verizon 2011 Breach report 92% of the attacks were external and 76% of all data breached came from servers. The PCI Security Standards Council is an open global forum formed in 2006 that is responsible for the PCI Data Security Standard (PCI DSS), a standard that is designed to protect cardholder data.
I sat down with Lindsay Parker, Cisco global retail industry director about Cisco’s current investments and efforts to help retailers and merchants secure customer credit card data and maintain compliance with PCI DSS.