If your company stores, processes, or transmits the primary account number on a credit card, then you are required to meet, or exceed, the data security standards set forth in the PCI security standards. These security requirements apply to all network components that forward or have access to cardholder data. This would include switches, routers, firewalls, IPS, servers, workstations, wireless, storage, etc. So basically, if the device is IP (Internet Protocol) reachable to cardholder data, then it is in scope for the PCI requirements.
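To make that scoping rule concrete, here is an added example (not from the post or from Cisco) that walks a constructed segment inventory and permitted-flow list and reports which devices land in PCI scope because they can reach cardholder data, transitively, over permitted flows; all device, segment and flow names are made up.

```python
from collections import deque

# Constructed sample inventory (not from the post): device -> segments it attaches to.
# Endpoints sit in one segment; routers and firewalls attach to several.
DEVICES = {
    "pos-terminal-01": {"store-lan"},
    "card-db-01":      {"cde"},
    "hr-fileserver":   {"corp-lan"},
    "guest-ap-01":     {"guest-wifi"},
    "core-rtr-01":     {"store-lan", "corp-lan", "cde", "guest-wifi"},
    "edge-fw-01":      {"guest-wifi", "internet"},
}

# Segments that store, process or transmit cardholder data.
CDE_SEGMENTS = {"cde"}

# Constructed segmentation policy: (src, dst) flows the firewalls/ACLs permit.
PERMITS = {
    ("store-lan", "cde"),       # POS terminals must reach the card database
    ("corp-lan", "store-lan"),  # corporate staff manage store devices
    ("guest-wifi", "internet"),
}

def reachable_segments(start, permits):
    """Breadth-first walk over permitted flows: all segments `start` can send to."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in permits:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen

def in_scope_segments(segments, cde_segments, permits):
    """A segment is in scope if it holds cardholder data or can reach one that does."""
    return {s for s in segments
            if s in cde_segments or reachable_segments(s, permits) & cde_segments}

def pci_scope(devices, cde_segments, permits):
    """Devices attached to any in-scope segment; a router or firewall is pulled in
    as soon as one of its interfaces sits on such a segment."""
    all_segments = set().union(*devices.values())
    scoped = in_scope_segments(all_segments, cde_segments, permits)
    return {name for name, segs in devices.items() if segs & scoped}

if __name__ == "__main__":
    print(sorted(pci_scope(DEVICES, CDE_SEGMENTS, PERMITS)))
    # Dropping the corp-lan -> store-lan permit takes hr-fileserver out of scope.
    print(sorted(pci_scope(DEVICES, CDE_SEGMENTS, PERMITS - {("corp-lan", "store-lan")})))
```

The second run shows the point the post is making: the transitive corp-lan to store-lan to cde path drags the HR file server into scope, and one tighter ACL removes it.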
The PCI Security Standards Council released a new PCI security standard this month. This standards body is responsible for creating the mandatory security policies that anyone who stores credit card information must adhere to. This would include merchants, banks, and card processing companies. The goal is to secure credit card numbers and cardholder data from digital theft. The new standard is targeted at enhancing the security of payment card applications. The new Payment Application Data Security Standard (PA-DSS) is the third standard the group has developed to help secure our credit card information from hackers. The PCI PIN Entry Device (PED) standard was also recently handed over to the PCI standards council. PED outlines the security requirements for all Personal Identification Number (PIN) based devices and transactions. BTW, the two previous standards are currently a work in progress.
The PCI standard that most of us are familiar with is the Payment Card Industry Data Security Standard, or PCI DSS. Due to the hefty fines that are just starting to be levied en masse, companies of all sizes are scrambling to make their networks PCI DSS compliant. Based on this demand, Cisco has allocated considerable resources to helping customers understand PCI and how to best create a PCI-ready network. To that end, I wanted to showcase some of that info in this blog. This will help you get on your way to a PCI compliant network even faster.
First off, the PCI standard has 12 major requirements broken down into 6 separate categories called “control objectives”. Diagram 1 below shows the requirements:

These general requirements are then broken down into multiple sub-requirements.
Cisco has mapped its products and features to this list of requirements and sub-requirements. This enables its customers to quickly determine what products can be used for becoming PCI compliant. Fortunately, the most pervasively deployed Cisco device, the router, can be used to cover more PCI requirements than any other single device. The only catch is, it must be a Cisco router with a security feature set license.
Let’s take a look at just a Cisco Secure Router and how it can help with PCI. According to Cisco, “Cisco IOS® Software-based routers support wireless, voice, firewall, intrusion prevention, and traffic profiling applications as well as VPNs. They help to satisfy PCI requirements 1, 2, 4, 6, 10, 11, and 12.” Wow, a single router can help with 7 of the 12 PCI requirements. Nice!
There are several sites where you can get detailed Cisco and PCI information. Here are some of the most popular:
So those of you that have been through a PCI audit, what can the rest of us learn from you? Any tips for how to use Cisco gear to help with PCI compliance? Anyone been told by a PCI auditor that their “private” MPLS net is considered a public network for PCI and must be encrypted? I just had this happen to someone I know. Wondering if it is a trend.
The opinions and information presented here are my personal views, not those of my employer.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.