Join the PCI Experts to Help You Bridge the Gap Between Compliance and Security

As part of Cisco’s Compliance team, I’ve monitored organizational breaches and attacks. If you’re like me and follow media reports and industry news, then you know that data breaches have increased in severity and frequency. Unfortunately, many organizations do not have the tools, personnel, and funding to prevent, quickly detect, and contain data breaches. The Payment Card Industry (PCI) Security Standards Council offers robust and comprehensive standards to enhance payment card data security. According to the Ponemon Institute, organizations that are PCI compliant have fewer data breaches than non-compliant firms do. However, we know that PCI compliance is not enough. Even if you’ve met the stringent requirements of PCI DSS 2.0, your cardholder data may not be totally secure.

So, how can organizations maintain compliance and end-to-end security? The Compliance Solution team has gathered thought leaders in the payment card industry to offer research, guidance and best practices to help organizations overcome these challenges.

Join our webcast on April 16, 2013, with PCI experts from the Ponemon Institute, Verizon Business, and the PCI Security Standards Council to learn how Cisco can help bridge the gap between PCI compliance and security to minimize the impact of an attack.

PCI-related Observations from RSA 2013

As a frequent attendee of the US RSA Conference in the past, this year I had the opportunity to work in the Cisco booth on the exhibition floor. This year’s RSA event was very busy; it seemed like there was a continuous flow of people and energy across the show floor. I had the pleasure of staffing Cisco’s Compliance Solution demonstration, where we test people’s knowledge of PCI compliance. This is one of my favorite demos/stations to operate because it rewards people for their hard-earned knowledge and skill on the topic with a prize instead of the normal random drawing (if you get the highest score in the shortest amount of time, you’re the winner!). I was surprised by the number of attendees that did not want to take our quiz. Was it a fear of being put on the spot? Or were they just not very knowledgeable about PCI? I consider the RSA conference a security-minded conference and thought a solid business driver like PCI compliance would be front and center for many security professionals who often have to justify security purchases. Further, given the proliferation of data breaches across all industry segments, this should be a top-of-mind topic. Many industries outside of retail accept credit cards for payment of services and products (e.g., hospital co-pays, DMV fees, city permits, insurance payments, hotels, transit stations), so when all three days of the quiz were won by retailers I was a bit surprised. I would have expected a few security vendors or professionals to have won at least one day!

Cisco NRF 2013 – Visit Cisco’s Booth #252 and Attend Cisco’s Big Ideas Sessions

The Expo for NRF 2013 -- Retail’s Big Show -- starts Monday 1/14 and runs through Tuesday 1/15 in New York City at the Jacob K. Javits Convention Center.

Watch this video to learn more about the events and activities Cisco has planned at NRF 2013.

Does the challenge of PCI compliance compare with summiting Mt. Everest?

Having attended the annual North American PCI Community Meeting for many years and being involved with PCI compliance since 2008, I’ve heard firsthand the challenges merchants face in their quest for PCI compliance (see Blog: Compliance Headaches Continue). However, thinking back to the PCI Community Meeting last week in Orlando, I was intrigued by how this year’s keynote speaker fit into the program. How could an extreme adventurer, such as Jamie Clarke, rather than a hacker or data breach expert, provide the necessary perspective on compliance? As I attended sessions and networked with over a thousand of my peers from 17 countries, it dawned on me: the collective PCI state of mind reflects the maturity of the journey, and a fresh optimism emerges as we near the top of the mountain after a very long and arduous journey.

Here are some of the highlights from this year’s meeting.

  • PCI SSC General Manager Bob Russo presented the annual PCI State of the Industry. The PCI standards continue to mature, and merchants are increasing their focus on protecting cardholder data. The overall tone was more about ‘tweak’ than change.
  • The opportunity for training from the PCI Council continues to increase, with several new programs including a Qualified Integrators and Resellers (QIR) program and a Payment Card Industry Professional (PCIP) certification.
  • The Special Interest Groups (SIGs) are going strong, which again speaks to the maturity of the standard. We are seeing ongoing clarity, rather than new initiatives. The SIGs leverage valuable business and technical experience from PCI Participating Organizations (POs). Over 460 POs were in attendance. Our key candidates for the 2013 SIGs are Cardholder Data Discovery and Guidance on Logging. However, there are 7 candidates up for voting.
  • SpiderLabs presented an overview of mobile device security and reviewed several mobile attack scenarios. The PCI Council has released new guidance on secure mobile payment acceptance.
  • Updates to the Council’s Point-to-Point Encryption (P2PE) program are available.
  • Feedback on the PCI standards was discussed in preparation for the next releases in 2013.

Imperva Announces Product Plans for Web Application Firewall on Nexus 1100 Virtual Services Appliance

September 27, 2012 at 9:52 am PST

Cisco partner Imperva formally announced plans this week to deploy and host their SecureSphere Web Application Firewall (WAF) on the Nexus 1010 and 1110 Virtual Service Appliances. The SecureSphere WAF will be the first third-party virtual service available on the Cisco virtual service appliances, joining Cisco virtual services such as the Virtual Security Gateway (VSG), the ASA 1000V Cloud Firewall, the virtual Network Analysis Module (vNAM), Data Center Network Manager (DCNM), and the Nexus 1000V Virtual Supervisor Module (VSM).

In earlier posts, I have described how virtual services can be best deployed on a separate UCS-based appliance running NX-OS. The Nexus 1100 series are dedicated platforms for hosting virtual service nodes that run in a virtual machine, rather than taking up valuable resources on application servers, and allow for easier manageability by the networking and security teams (rather than the server team).
