Cisco To Post Retail PCI Primer

Cisco announced it will put online the second generation of its retail PCI solutions that have been reviewed by a PCI Qualified Security Assessor. Due out at the end of the month, the validated Cisco PCI Solution for Retail 2.0 is intended to provide retailers with a simpler way to become compliant or incorporate modular elements on an as-needed basis.

June 17, 2011

Network Computing

Just days after the Payment Card Industry Security Standards Council (PCI SSC) published the PCI DSS (Data Security Standard) Virtualization Guidelines Information Supplement, Cisco announced it will put online the second generation of its retail PCI solutions, which have been reviewed by a PCI Qualified Security Assessor. Due out at the end of the month, the validated Cisco PCI Solution for Retail 2.0 is intended to give retailers a simpler way to become compliant, or to adopt its modular elements on an as-needed basis, says Lindsay Parker, Cisco's global retail industry director.

"Historically, retail has led the way, so it's no surprise that we have a significant backlog of retailers interested in this." The solution document was published this week for review and will be released for general availability at the end of June. "From our standpoint, what's been successful in the past and will continue to be is that we provide this cookbook and we give it to customers free."

PCI DSS 2.0 is about vigilance and about making sure that the defenses firms have already invested in allow them to stay in compliance, says network analyst Nick Lippis.

"So the issue is to maintain compliance. From this perspective, it's easier to do this with a network solution that touches every POS and database. In addition, there are virtualized components that now must be considered system components that must be secured, for things like segmentation and restricted access to virtualized environments. They apply the same way they would in a non-virtualized environment."

Not only must organizations do their PCI homework, but they must be seen to be doing the homework. "PCI 2.0 compliance is a huge deal as Sony and other very high-profile exploits and thefts of customer personal data are on the rise."

While PCI SSC is an industry standards body whose latest initiative provides guidance on the use of virtualization technology in cardholder data environments in accordance with PCI DSS, Cisco's cookbook consists of PCI retail recipes built and tested in Cisco labs. Developed for five different branch formats, from mini branches to superstores, it is built on network security best practices, the Cisco Connected Retail Network platform, Cisco products and services, and partner technologies that have been validated for compatibility.

The Cisco PCI Solution for Retail Design & Implementation Guide (DIG) provides a virtual roadmap for retail organizations looking to achieve PCI compliance for multiple store formats and implementations, including virtualized and wireless environments.

"Cisco's approach to PCI is one of, if not the most, comprehensive, as it transcends multiple products to assure compliance," says Lippis. "Also, Cisco has a validation program to assure compliance. What's included in Cisco's PCI 2.0 is support for better WLAN, virtualization and traffic steering, identity and simpler reporting for compliance."

The result of collaborative efforts by more than 30 organizations, in conjunction with the PCI Council, the PCI DSS supplement helps merchants, service providers, processors and vendors understand how PCI DSS applies to virtual environments. It includes explanations of the classes of virtualization often seen in payment environments, including virtualized operating systems, hardware/platforms and networks; practical methods and concepts for deployment of virtualization; suggested controls and best practices for meeting PCI DSS requirements in virtual environments; and guidance for understanding and assessing risk in virtual environments.

The timing for both PCI initiatives is good, according to a Cisco survey published at the start of the year. Of the 500 IT executives surveyed, 43% named educating employees about implementing PCI DSS as their biggest challenge, and a third named updating antiquated systems as the next biggest. Another 30% said they will need to continue to harden their virtualization software and make it more resilient to attack. A separate recent study by Verizon found that organizations that had suffered breaches of cardholder data performed dismally in terms of compliance with most PCI requirements.

See more on this topic by subscribing to Network Computing Pro Reports Research: 2011 Strategic Security Survey (subscription required).
