Cisco Blogs

PCI Compliant, More Secure and For Less Money?

April 2, 2009

Yes you can!

Credit markets are still frozen, consumers are postponing non-staple purchase decisions, and the G20 are trying to figure out ways to stimulate the slumping global economy. You would think that re-inventing merchandising strategy, creating enticing promotions to bring consumers back to stores, and reducing operating expenses in the meantime would keep most retailers and businesses that process, transmit or store credit card information busy enough. However, now more than ever, you want to be in a position to attract customers into your stores and let them use whatever little credit they may have left without fear that their personal information will be compromised. More importantly, the credit card companies will see to that by making sure you comply with PCI DSS 1.2.

In this latest version of the standard, published in October 2008, requirement 11 specifies that companies must either perform quarterly scans of their wireless networks or deploy a wireless intrusion detection/prevention system (IDS/IPS). When given an option, most everyone will make a decision based entirely on cost — and who would blame them? A simplified thought process along those lines would be something like:

Option 1: Quarterly Handheld Wireless Network Scans

“I can get an Approved Scanning Vendor (ASV) to perform a quarterly handheld wireless network scan in each of my stores (or branch locations). I can expect to pay about $2,000 per scan and not have to worry about it until the following quarter.”

Option 2: Deploy an Intrusion Prevention System

“I can get a Cisco Adaptive Wireless IPS (wIPS) solution that will monitor my network 24×7; however, my start-up investment will be large, since I will need to deploy monitor mode APs, possibly add controller capacity on my network, and get a Mobility Services Engine to run the Adaptive wIPS software. Maybe I should choose the quarterly scanning rather than make the capital investment for wIPS?”

The Facts

The truth is that even with all the equipment and licenses required to run Cisco Adaptive wIPS, most retailers would see an investment payback period of less than 12 months, which means that any year 2 and onwards “scans” are free. In fact, if we make the simplifying assumption that all quarterly handheld network scans cost $2,000 per location (this represents a typical average and can be less or more depending on the number of IP addresses per location), then the payback periods for different size retailers (by square footage and number of stores in their network) can be seen in the graph below:

[Graph: wIPS payback period by store square footage and number of stores in the retailer's network]

Clearly, the more stores (branches) in a retailer’s network, the shorter the payback period will be, due to economies of scale. Also, the smaller the store format, the shorter the payback period will be, because fewer monitor mode APs are required to scan your airwaves. So, if you are indeed making PCI compliance decisions entirely based on cost, then you should be picking Cisco’s Adaptive wIPS to meet requirement 11 rather than quarterly scans. However, you should not be making these decisions entirely based on cost. You should be looking for ways to improve overall network security. Adaptive wIPS goes above and beyond PCI requirements and prepares your network for end-to-end security, because attacks don’t just happen on a quarterly basis. Unless you are prepared to turn on your firewall only once a quarter as well, do not settle for less when it comes to intrusion prevention.
