Organizations continue to face threats to their brands, reputations, and profits from attacks on their information systems. The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect credit card information. During my five-year tenure at Cisco, I’ve been focused on PCI. The challenge that we have faced when deploying a solution to help customers become compliant and maintain a secure enterprise is the complexity. At the various trade shows that I have attended to discuss PCI, I have encountered a lot of head-shaking and looks of disgust as I bring up the topic of PCI. To help simplify PCI compliance, Cisco has released the latest Cisco Compliance Solution for PCI DSS 2.0 to make it easier for organizations to maintain a secure, compliant network.

Read More »

Tags: compliance, Compliance Solution for PCI DSS 2.0, PCI Council Board of Advisors, pci-dss, security

Anyone who has been involved with compliance knows that simplifying complexity is the key to maintaining a secure and compliant organization. It’s become quite apparent that sustaining compliance is a marathon, and the journey must be travelled with vigilance. This is not something that is an endpoint or a task, that once accomplished, can be shelved and forgotten; therefore, it is very helpful for merchants, who wish to become compliant or maintain compliance, to purchase solutions that are “certified.”

The fact that you are purchasing a product that’s already been validated as secure and “capable” of being compliant reduces the complexity and uncertainty associated with big-ticket items. Adding new credit card readers or a payment application in your stores is expensive, and knowing that these products are validated by the Payment Card Industry (PCI) Council gives merchants confidence that they’re making a wise and secure decision.   Read More »

Tags: Cisco Security, cybertrust, pa-dss, PCI Compliance, pci-dss, qsa, qualified security assessor, security

I have a keen interest in the Latin American region because several of my closest friends and my respected colleagues are from this region. Also, internal market forces and global demand are accelerating the rate of data center projects, further heightening my interest. Last year, I visited the region where I got to see data center build outs and realized the extent of the “greenfield” opportunity. I very recently got acquainted with Daniel Garcia, a 12-year Cisco veteran and Security Specialist sales engineer covering the Latin American region. I found his insights most valuable and different to what I usually hear.

For Daniel the greatest difference between the Latin American Region and other regions is the number of Greenfield data center projects. But Daniel finds that many customers are looking for “cookie cutter” solutions that they implement into their environments without much customizing. This was something I hadn’t heard before but which makes excellent sense. The reason for this approach is that many customers lack in-house IT expertise and require proven solutions. The benefits of this approach mean less risk, less cost and with any validated solutions, far less time in production and testing. The downside is that each organization has distinct needs according to their business line and size, and their risk tolerance will vary. Daniel works with his customers to tweak data center reference architectures to provide customers with a tailored and secure data center environment. Read More »

Tags: it security, latin america, Payment Card Industry Data Security, pci-dss, secure data center

Having attended the annual North American PCI Community Meeting for many years and being involved with PCI compliance since 2008, I’ve heard firsthand the challenges merchants face in their quest for PCI compliance (see Blog: Compliance Headaches Continue).  However, thinking back to the PCI Community Meeting last week in Orlando, I was intrigued by how this year’s keynote speaker fit into the program.  How could an extreme adventurer, such as Jamie Clarke, rather than a hacker or data breach expert provide the necessary perspective on compliance?  As I attended sessions and networked with over a thousand of my peers from 17 countries, it dawned on me:  The collective PCI state of mind is reflective of the maturity of the journey and a fresh optimism emerges as we near the top of the mountain after a very long and arduous journey.

Here are some of the highlights from this year’s meeting.

• PCI SSC General Manager Bob Russo presented the annual PCI State of the Industry. The PCI standards continue to mature and merchants are increasing the focus to protect cardholder data.  The overall tone was more about ‘tweak’ than change.
• The opportunity for training from the PCI Council continues to increase with several new programs including a Qualified Integrators and Resellers (QIR) program and a Payment Card Industry Professional (PCIP) certification.
• The Special Interest Groups (SIGs) are going strong, which again speaks to the maturity of the standard.  We are seeing ongoing clarity, rather than new initiatives.  The SIGs leverage valuable business and technical experiences from PCI Participating Organizations (POs).  Over 460 POs were in attendance.  Our key candidates for the 2013 SIGs are Cardholder Data Discovery and Guidance on Logging.  However, there are 7 candidates up for voting.
• Spider Labs presented an overview of mobile device security and reviewed several mobile attack scenarios. The PCI Council has released new guidance on secure mobile payment acceptance.
• Updates to the Council’s Point-to-Point Encryption (P2PE) program are available.
• Feedback on the PCI standards was discussed in preparation for the next releases in 2013.

Read More »

Tags: mobile payments, pci, PCI Compliance, pci-dss, point-to-point encryption

In this last part of this series I will discuss the top customer priority of visibility.  Cisco offers customers the ability to gain insight into what’s happening in their network and, at the same time, maintain compliance and business operations.

But before we dive into that let’s do a recap of part two of our series on Cisco’s Secure Data Center Strategy on threat defense. In summary, Cisco understands that to prevent threats both internally and externally it’s not a permit or deny of data, but rather that data needs deeper inspection. Cisco offers two leading platforms that work with the ASA 5585-X Series Adaptive Security Appliance to protect the data center and they are the new IPS 4500 Series Sensor platform for high data rate environments and the ASA CX Context Aware Security for application control.  To learn more go to part 2 here.

As customers move from the physical to virtual to cloud data centers, a challenge heard over is over is that they desire to maintain their compliance, security, and policies across these varying instantiations of their data center. In other words, they want to same controls in the physical world present in the virtual – one policy, one set of security capabilities.  This will maintain compliance, overall security and ease business operations.

By offering better visibility into users, their devices, applications and access controls this not only helps with maintaining compliance but also deal with the threat defense requirements in our overall data center.  Cisco’s visibility tools gives our customers the insight they need to make decisions about who gets access to what kinds of information, where segmentation is needed, what are the boundaries in your data center, whether these boundaries are physical or virtual and the ability to do the right level of policy orchestration to maintain compliance and the overall security posture.  These tools have been grouped into three key areas: management and reporting, insights, and policy orchestration.

Read More »

Tags: ASA-CX, Cisco ASA, cisco firewall, Cisco Security, cisco sio, Cisco UCS, cloud, data center, data center security, DC, firewall, Identity Services Engine, intrusion prevention, IPS, ISE, it security, netflow, network security, pci-dss, policy, security, server, threat defense, TrustSec, virtual, virtualization, VMDC