Advice to Managers: Five Ways to Simplify Your PCI 2.0 Compliance
used with permission from the Cisco Small Business Resource Center
If the acronym “PCI” makes your heart race, you’re in good company.
“Small and medium-sized businesses can feel blindsided by all that PCI requires them to do,” says Aaron Reynolds, an author of the 2011 PCI Compliance Report by Verizon Business Services. “They have to comply with the same standard that initially was targeted at larger merchants and service providers.” Complying is complex.
“Unless the business has expertise in PCI and network security technologies, it will have a hard time controlling its compliance costs,” says Sean Walls, managing senior security consultant at Presidio Networked Solutions.
Help is at hand. Cisco and many of its partners offer cost-effective PCI compliance services, including helping SMBs complete their self-assessment questionnaire or assess PCI readiness.
Some Cisco partner companies are also certified by the PCI Council as Qualified Security Assessor (QSA) companies, which employ QSAs who have been certified by the PCI Council to validate an entity’s adherence to the PCI DSS.
Complying with PCI DSS 2.0 is complex on several levels:
As a leader of your business, you can apply guidance to simplify PCI compliance. In this article, Reynolds and Walls offer a few strategies on how to do it.
Separate your network logically and physically to define trusted (vs. untrusted) segments for cardholder data.
“To keep your compliance costs down and your tasks easier, make the scope of your network that is subject to PCI as small as possible. If you don’t segment, PCI touches everything in the network–from your firewalls and routers to all your servers, PCs, and wireless devices,” says Walls, of Presidio.
A Cisco Gold Certified Partner, Presidio provides businesses with professional and managed services for advanced IT solutions, including security.
Walls says that to reduce what is in scope for PCI compliance, the systems that store, process, and transmit cardholder data must be segmented from the rest of the business, which means placing those PCI systems behind a firewall and isolating them.
The primary way to segment, say Walls and Reynolds, is to use a security appliance with a stateful firewall and intrusion prevention at your business network’s perimeter–its boundary with the Internet or a Wi-Fi network–to restrict inbound and outbound traffic. Reynolds says that an alternative is an Integrated Services Router that includes intrusion prevention and a stateful firewall.
Other essential segmentation controls include implementing VLANs on access switches and strong network access control.
If you standardize your network on integrated hardware and software, you can establish and enforce security policies “end to end” wherever you need to, including at your remote sites. The holistic approach also simplifies tasks for IT staff.
A holistic solution that can be used by businesses of all sizes is the PCI-assessed Cisco® Compliance Solution for PCI DSS 2.0, says Reynolds, of Cisco Certified Partner Verizon Business Services (now branded as Terremark, a Verizon company).
“There’s a temptation to use low-priced or ‘free’ products–open-source software, for example–that focus on specific aspects of PCI,” Reynolds says. “But the cost savings are a false promise. You’ll have to pay for IT personnel to script them for your environment, and then to manage them day in and day out. They’re just Band-Aids, isolated pockets that will require IT staff to do unique logging, reporting, and testing for PCI.”
All your systems on PCI segments should support encryption of cardholder data when it travels:
“The wireless infrastructure is an area that merchants commonly overlook,” says Reynolds. Recommendations by Reynolds and Walls include:
If your IT staff is not up to speed on PCI 2.0 and working with the required range of network security technologies, your organization can contact Cisco partners that specialize in IT security and provide PCI services to businesses like yours.
If any of your card data may be handled by a cloud services provider (SP), a Cisco partner can also help your business conform to PCI guidelines on virtual and cloud environments.
Cisco partners can simplify your PCI compliance by integrating the practice of securing your customers’ information into your business’s other goals.
To learn more, contact us today.