What Is the Payment Card Industry Data Security Standard?
The Payment Card Industry (PCI) Data Security Standard (DSS) applies to every organization, large or small and in any industry, that stores, processes, or transmits cardholder data. Its goal is to protect cardholder data and the payment transactions that carry it. PCI DSS Version 1.2 was released in October 2008; Version 1.1 was retired at the end of December 2008, so assessments from January 2009 onward are performed against Version 1.2. Version 1.2 sets deadlines for wireless deployments that use Wired Equivalent Privacy (WEP): new WEP implementations are not permitted after 31 March 2009, and existing WEP implementations must be discontinued after 30 June 2010. Version 1.2 also emphasizes network segmentation as the way to define the cardholder data environment and limit PCI scope (without adequate segmentation, the entire network is in scope), and it describes how an assessor determines the sample size of systems to examine during an audit.
PCI Deadlines and Enforcement
MasterCard released global PCI DSS compliance deadlines and noncompliance fines in June 2009. Organizations must achieve PCI DSS compliance by 31 December 2010. Level 1 and Level 2 merchants must have an annual onsite assessment performed by a PCI Qualified Security Assessor (QSA) to validate compliance. Level 3 and Level 4 merchants validate with a self-assessment questionnaire (SAQ) rather than a QSA audit. MasterCard defines the merchant levels as follows.
MasterCard Merchant Levels

Level 1
  Transaction volume: more than 6 million MasterCard (or Visa, American Express, JCB, or Discover) transactions annually; also any merchant that has suffered a payment card breach in the last 12 months
  Validation requirements: annual onsite audit by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV)

Level 2
  Transaction volume: 1 million to 6 million MasterCard (or other card brand listed above) transactions annually
  Validation requirements: annual onsite audit by a QSA; quarterly network scan by an ASV; self-assessment questionnaire signed by an officer of the company

Level 3
  Transaction volume: 20,000 to 1 million e-commerce transactions annually
  Validation requirements: quarterly network scan by an ASV; self-assessment questionnaire signed by an officer of the company

Level 4
  Transaction volume: fewer than 20,000 e-commerce transactions annually
  Validation requirements: self-assessment questionnaire signed by an officer of the company
MasterCard also defines two service provider levels. Level 1 service providers are all third-party processors (TPPs), regardless of transaction volume, and all data storage entities (DSEs) that handle more than 300,000 transactions annually. Level 2 service providers are all DSEs that handle 300,000 or fewer transactions annually.
MasterCard also defines a noncompliance assessment (fine) structure for Level 1, 2, and 3 merchants and for Level 1 and 2 service providers. These amounts apply to PCI DSS noncompliance only; assessments that result from a breach are determined separately.

Noncompliance Assessment Structure per Calendar Year (maximum assessment in USD)

Organization                      First violation   Second violation   Third violation   Fourth violation
Level 1 and 2 Merchants           up to $25,000     up to $50,000      up to $100,000    up to $200,000
Level 3 Merchants                 up to $10,000     up to $20,000      up to $40,000     up to $80,000
Level 1 and 2 Service Providers   up to $25,000     up to $50,000      up to $100,000    up to $200,000
PCI DSS consists of 12 requirements, grouped under six control objectives (build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; maintain an information security policy), that every in-scope organization must meet:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
Cisco Solutions for PCI
Cisco offers numerous technology solutions and advanced services to help companies address their PCI DSS requirements. Because PCI DSS touches many parts of the network, no single product or technology meets all of the PCI technology requirements. The following table lists, by product area, the Cisco products and technologies that help address PCI requirements.
Routers and Switches
- Cisco® 800, 1800, 2800, and 3800 Series Integrated Services Routers (ISRs)
- Cisco Aggregation Services Routers (ASRs)
- Cisco Catalyst® 2960 and 3750 Series Fixed-Configuration Switches
- Cisco Catalyst 6500 Series Switches

Security
- Firewall: Cisco ASA 5500 Series Adaptive Security Appliances; Cisco ISRs and ASRs; Cisco Catalyst 6500 Series Switches
- Intrusion Prevention System: Cisco IPS 4200 Series Sensor Appliances; Cisco IOS® Software; modules for Cisco ASA 5500 Series Appliances, Cisco ISRs, and Cisco Catalyst 6500 Series Switches
- VPN: Cisco ASA 5500 Series (IPsec and SSL VPN); Cisco ISRs/ASRs (IPsec, SSL VPN, GET VPN, DMVPN)
- Cisco Video Surveillance solutions
- Network Admission Control (NAC): appliance, ISR module, and NAC Profiler
- Cisco Security Agent
- IronPort® Series Email Security Appliance

Wireless
- Cisco Unified Wireless Network Solution
- Cisco Aironet® 1100 and 1200 Series Access Points
- Cisco Wireless LAN Controller (appliance and ISR module)
- Cisco 3300 Series Mobility Services Engine
- Cisco Wireless Control System (WCS)
- Cisco Adaptive Wireless IPS (wIPS)
- Wireless scanning and monitoring

Data Center
- Cisco Nexus® 7000 Series Switches
- Cisco Nexus 1000V Series Switches
- Cisco MDS with Storage Media Encryption (SME) module
- Cisco Unified Computing System (UCS)
- Cisco Wide Area Application Services (WAAS) Appliances and ISR Network Module

Management
- Cisco Security Manager
- CiscoWorks LAN Management Solution
- Cisco Secure Access Control System (ACS)
- Cisco Wireless Control System (WCS)
- Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)

Services
- PCI Services
- IT GRC Services
- Network Segmentation Advanced Services
- Interactive Voice Response Service through Cisco Unified Customer Voice Portal
Cisco® Validated Designs are another critical element of Cisco's PCI solution portfolio. Built and tested in Cisco labs, these designs have been evaluated by a PCI QSA, who then produced a Report on Compliance (ROC) describing how each design addresses the PCI DSS technology requirements. The Cisco Validated Designs for PCI, together with the independent ROCs, can be downloaded from http://www.cisco.com/go/pci.
What Are the Benefits of Cisco Solutions for PCI?
Cisco PCI solutions address many of the 12 PCI DSS requirements. They go beyond the letter of the requirements, for example by covering newer technologies such as virtualization, and provide comprehensive best practices for securing sensitive information. Cisco PCI solutions can strengthen a company's overall security posture and help customers satisfy their PCI DSS requirements in a cost-effective and efficient manner.
Cisco Validated Designs for PCI are a set of QSA-assessed designs that help customers design and implement networks that meet PCI DSS requirements. They offer guidance for remote location, Internet edge, and data center networks, with the independent ROC available for customers to review.