Helping Customers Address PCI Compliance While Strengthening Security
Executive Summary
Data security requirements are now a permanent feature of compliance obligations. The Payment Card Industry (PCI) Data Security Standard was designed to protect sensitive cardholder and merchant payment data. However, meeting PCI requirements has proved to be a challenge for many customers. Cisco PCI Compliance Readiness Services can help customers meet these challenges.
Cisco PCI Compliance Readiness Services help customers reach a state of compliance readiness, and then maintain compliance going forward. Cisco provides PCI assessment and audit readiness services, including one-time and ongoing remediation and monitoring, to organizations working toward PCI compliance. The entire suite of services is built using best practices frameworks such as COBIT, OCTAVE, and ISO 27001.
Introduction
The Payment Card Industry (PCI) Data Security Standard (DSS) was designed to ensure the security of cardholder data and information-at the point of sale (POS), in transit, and in storage. The standard applies to any company that stores, processes, or transmits credit card information. This means that the PCI standard affects most industries.
The Challenge of Meeting Requirements
To meet PCI requirements, all merchants must audit their current networks, policies, and processes (Figure 1). Merchants can interpret PCI requirements in different ways, however, creating systems that are more complex and difficult to support.
Figure 1. PCI DSS Primary Requirements
PCI Data Security Standard
Goals
Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
5. Use and regularly update antivirus software.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to data by business "need to know."
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.
Most industry experts agree that the best way to achieve and maintain PCI compliance is to adopt a strategic, holistic approach to network security risk management and compliance that includes the network infrastructure, policies, and procedures.
Cisco PCI Solution
Combining best practices and extensive networking technology expertise, Cisco has developed a set of architectures in a lab environment with PCI requirements in mind. Cisco invited PCI auditors to evaluate these architectures; the auditors found that the technology, if properly deployed and maintained, could help customers achieve PCI compliance. Customers can use these network architectures as a guideline for deploying their own network installations as they work toward PCI compliance.
Get Compliant, Stay Compliant
The Elements of Achieving and Maintaining PCI Compliance
Cisco's PCI solution provides a validated reference architecture that helps customers to achieve compliance. The validated reference architecture includes a comprehensive set of advanced services that are customizable and delivered by Cisco engineers, including:
• Understand the customer's PCI compliance scope and translate it to the IT infrastructure
• Understand the PCI compliance scope of the customer's remote locations, edge, and data center infrastructure
• Identify the gap between the current status and the required future state of compliance
• Use Cisco expertise to prioritize and remediate security gaps to overcome compliance deficiencies Document extensively all policies, rules, and remediation measures taken
• Prepare the customer to face PCI compliance audits
Achieving a state of PCI compliance readiness is not enough. Cisco provides a set of recurring assessment and monitoring services that help customers stay compliant. Cisco's PCI compliance subscription services use Cisco expertise and tools and apply to the entire IT infrastructure, including the remote locations, Internet edge, and data center. The services include:
• Regular monitoring and analysis of network devices for security events and breaches
• On-demand assessment of specific network components for security posture
• Periodic (quarterly, annual, etc.) review of networks for security posture
• Periodic review of access, management, and data encryption, both at rest and in motion, inside the data center and across the network
• Log monitoring and forensics to investigate specific incidents
• Policy definition and maintenance to reflect changing network attributes as well as the security profile of the organization
Learn More Today
Cisco PCI Compliance Readiness Services can help customers achieve PCI compliance, maintain compliance, and implement a security architecture that benefits the entire organization. To learn more, go to http://www.cisco.com/go/retail.
