Cisco Blogs

Compliance Headaches Continue

Staffing Cisco’s Compliance Solution demonstration a few weeks ago at Cisco Live 2012, I was beckoning passersby to test their knowledge of the Payment Card Industry (PCI) Data Security Standard (DSS) 2.0.  Some attendees shook their head and walked (ran) the other way.  Of the brave souls who ventured over to demonstrate their PCI knowledge, most spoke of the difficulties and challenges of dealing with not only PCI, but other mandates as well, such as HIPAA, FISMA and SOX. Attendees came from different industries such as Retail, Healthcare, Financial Services and Education, many of whom shared the same challenges with approach, best practices and the cost of compliance. Surprisingly, some were just beginning their journey, starting at ground zero, and were seeking guidance on how to meet the CIO’s “get compliant” edict with a balancing act between IT and Finance. Other customers were seeking guidance on specific product features that could address areas of management and reporting.

At a Table Topics session during the same event, other challenges around scoping, segmentation and wireless networks were discussed. Today, one of the challenges that merchants still face is with auditor inconsistency. This is an area that the PCI council is working hard to address by implementing training and best practices programs for QSA’s. To add fuel to the fire, in a recent QSA Insights Report, the cost of annual audits averages $225,000 per year for the largest merchants. Excluding technology, operating, and staff costs, the world’s largest acceptors of credit cards (also known as Tier 1 merchants) are spending an average of $225,000 on auditor expenses. 10 percent of these businesses are spending $500,000 or more annually on PCI auditors.  The full PCI DSS is available for download at:

Cisco’s PCI solution design and implementation guide helps in this area by providing a published assessment e.g., “Report of Compliance” that can be used as a reference and best practice for configuring your enterprise and working with your auditors.

As part of the Compliance Solutions Group at Cisco, we can sympathize.  The solutions team  produced and has continually updated the PCI Design & Implementation Guide for over 5 years.  Our focus with the most recent guidance is simplifying compliance for our customers and broadening our focus to multiple industries.  Cisco’s 3-prong approach to simplifying compliance is

  • segmenting the network to separate sensitive data to reduce cost and complexity of audits
  • demonstrating an architectural approach which maps to locations, like a data center or a branch. With the compliance solution,  Cisco directly maps compliance controls in these areas and demonstrate what technology will satisfy them.
  • addressing PCI complexity at the device level. The solution assesses Cisco and partner technologies for weaknesses or strengths when it comes to compliance, and creates a score card to evaluate them.

To learn more about Compliance Solutions from Cisco, please visit

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Thank you for your question. Our architects did not use netflow in the Cisco PCI solution. There are a few places we had WCCP v2 implemented for WAAS, however no netflow was set up. It is beyond what PCI requires for monitoring.

  2. In your practice do you leverage NetFlow to demonstrate compliance?