Advice to Managers: Five Ways to Simplify Your PCI 2.0 Compliance

used with permission from the Cisco Small Business Resource Center

If the acronym “PCI” makes your heart race, you’re in good company.

“Small and medium-sized businesses can feel blindsided by all that PCI requires them to do,” says Aaron Reynolds, an author of the 2011 PCI Compliance Report by Verizon Business Services. “They have to comply with the same standard that initially was targeted at larger merchants and service providers.” Complying is complex.

“Unless the business has expertise in PCI and network security technologies, it will have a hard time controlling its compliance costs,” says Sean Walls, managing senior security consultant at Presidio Networked Solutions.

Help is at hand. Cisco and many of its partners offer cost-effective PCI compliance services–including helping SMBs complete their self-assessment questionnaire or assess PCI readiness.

Some Cisco partner companies are also certified by the PCI as Qualified Security Assessor (QSA) companies, which have QSA employees who have been certified by the PCI Council to validate an entity’s adherence to the PCI DSS.

Compliance: An Ongoing Challenge

Complying with PCI DSS 2.0 is complex on several levels:

• It requires security technologies and expertise on a range of network systems and data transit routes–some inside your business, others outside.
• You must know and record who accesses cardholder data, and when.
• There’s no silver bullet. Despite what product vendors, software developers, or service providers may tell you, no product can itself make your business compliant.
• It’s dynamic. No validation of compliance by Visa, JCB, MasterCard, or any other payment card brand continues without ongoing maintenance. Compliance is more than passing an audit; it is an active state.

As a leader of your business, you can apply guidance to simplify PCI compliance. In this article, Reynolds and Walls offer a few strategies on how to do it.

1. Reduce the PCI Scope: Segment

Separate your network logically and physically to define trusted (vs. untrusted) segments for cardholder data.

“To keep your compliance costs down and your tasks easier, make the scope of your network that is subject to PCI as small as possible. If you don’t segment, PCI touches everything in the network–from your firewalls and routers to all your servers, PCs, and wireless devices” says Walls, of Presidio.

A Cisco Gold Certified Partner, Presidio provides businesses with professional and managed services for advanced IT solutions, including security.

Walls says that to reduce what is in scope for PCI compliance, the systems that store, process, and transmit cardholder data must be segmented from the rest of the business, which requires placing PCI systems behind a firewall and isolating it.

The primary way to segment, say Walls and Reynolds, is to use a security appliance with a stateful firewall and intrusion prevention at your business network’s perimeter–its boundary with the Internet or a Wi-Fi network–to restrict inbound and outbound traffic. Reynolds says that an alternative is an Integrated Services Router that includes intrusion prevention and a stateful firewall.

Other essential segmentation controls include implementing VLANs on access switches and strong network access control.

2. Become Holistic: Integrate

If you standardize your network on integrated hardware and software, you can establish and enforce security policies “end to end” wherever you need to, including at your remote sites. The holistic approach also simplifies tasks for IT staff.

A holistic solution that can be used by businesses of all sizes is the PCI-assessed Cisco® Compliance Solution for PCI DSS 2.0, says Reynolds, of Cisco Certified Partner Verizon Business Services (now branded as Terremark, a Verizon company).

“There’s a temptation to use low-priced or ‘free’ products–open-source software, for example–that focus on specific aspects of PCI,” Reynolds says. “But the cost savings are a false promise. You’ll have to pay for IT personnel to script them for your environment, and then to manage them day in and day out. They’re just Band-Aids, isolated pockets that will require IT staff to do unique logging, reporting, and testing for PCI.”

3. Encrypt the Data in Transit

All your systems on PCI segments should support encryption of cardholder data when it travels:

• Over the Internet, by using protocols such as SSL and TLS, or HTTPS.
• On your business network, by using protocols such as WPA2 or WPA2-ENT (not WEP) for wireless transport, and SRTP for voice calls.
• Between your network and remote sites, including mobile workers. Use network systems and user devices with IPsec and/or clientless SSL VPN capabilities.

4. Pay Close Attention to Your Wireless Technology

“The wireless infrastructure is an area that merchants commonly overlook,” says Reynolds. Recommendations by Reynolds and Walls include:

• Put cardholder data on its own segment and VLAN, and encrypt it.
• Centralize access point control and logging, and harden each access point.
• Scan continually, using an access point with rogue access point detection capability.

5. Engage Expertise

If your IT staff is not up to speed on PCI 2.0 and working with the required range of network security technologies, your organization can contact Cisco partners that specialize in IT security and provide PCI services to businesses like yours.

If any of your card data may be handled by a cloud services provider (SP), a Cisco partner can also help your business conform to PCI guidelines on virtual and cloud environments.

Cisco partners can simplify your PCI compliance by integrating the practice of securing your customers’ information into your business’s other goals.