PCI

Cisco targets healthcare data security

Cisco Subnet — Wed, 30 Jul 2008 15:12:30 -0400

Cisco has followed its Payment Card Industry data security service for the retail industry with security for the healthcare sector. Called PCI for Healthcare Solution, it offers design and implementation guidelines to protect credit card, patient demographic and employee information. Cisco has also joined the PCI Security Standards Council, which helps define future data security policy. Cisco says its Unified Wireless Networks and Ironport e-mail security appliances have received endorsement from the American Hospital Association.

Read more

This is all Visa's fault!

Wed, 30 Apr 2008 13:06:50 -0400

Visa's product is inherently insecure. Rather than fix the product to make it secure, they are strong-arming the merchants into spending an inordinate amount of time and money to shore up their product. Even if you are deemed compliant, there is no safe-harbor and no recourse from them taking money straight out of your merchant account.

Cisco promotes Lean Architecture to retailers

Cisco Subnet — Mon, 14 Jan 2008 18:54:48 -0500

Fresh from its splash at the Consumer Electronics Show last week, Cisco is targeting consumers in another way - through partnerships with retailers. At this week's National Retail Federation Conference in New York, Cisco released several initiatives, including its Lean Retail Architecture, the expansion of its Cisco Payment Card Industry Validated Network Design, and unified communications platforms specifically for retailers.

Read more

PCI Compliance, the 12 Step Program

jheary — Thu, 29 Nov 2007 20:07:12 -0500

If your company stores, processes, or transmits the primary account number on a credit card then you are required to meet, or exceed, the data security standards set forth in the PCI security standards. These security requirements apply to all network components that forward or have access to card holder data. This would include switches, routers, firewalls, IPS, Servers, workstations, wireless, storage, etc. So basically, if the device is IP (Internet Protocol) reachable to cardholder data then it is in scope for the PCI requirements.

Read more

Wireless Warnings

James Gaskin — Fri, 16 Nov 2007 11:07:15 -0500

If you do retail, and take credit cards (which you pretty much have to), your wireless network is about to cause you severe grief. The PCI (Payment Card Industry) regulations kicking into gear demand you monitor and protect your network, including the wireless parts. And a story called What Retail Wireless Security? says too few are doing so now.

Read more

Credit Card Crackdown

James Gaskin — Fri, 09 Nov 2007 07:36:15 -0500

If you take credit cards in your business, even a handful a year, the Payment Card Industry (PCI) became your business partner with their new regulations. Worse, states are starting to make new laws guaranteed to hammer small businesses as an example to look like they're doing something, rather than really addressing the credit card data loss problem.

Read more

RE: PCI compliance mandate's power raises conflict-of-interest questions

Fri, 09 Nov 2007 04:09:17 -0500

The potential for conflict of interest with the same person selling security equipment who is conducting the audit is poor. The only way around this is independent certification of security products to determine whether they are compliant as per PCI standards. The ONLY company which is doing this right now to my knowledge is NSS Labs (out of Chicago). NSS has a long history of security testing and certification and, more importantly, appears to be the ONLY independent security testing and certification facility which is truly independent (i.e. is not owned by or affiliated with a company with a vested interest in selling security products or managed services).

Read more

Buying standards-compliant gear may not immediately make you compliant

Cisco Subnet — Thu, 25 Jan 2007 15:08:43 -0500

Bloggers are debating whether Cisco's announcement that it has teamed with Cybertrust to build PCI Data Security Standard systems for retailers is clear in that the systems are aimed at helping retailers achieve PCI compliance, not that you can buy their product and immediately be compliant. An auditor of the retail standard is alerting retailers to make sure they realize the difference.

Has Cisco made the distinction clear enough for prospective buyers?