Martin McKeay

Security Matters

There is no plug-and-play PCI solution

When I say PCI, I almost always mean the Payment Card Industry (PCI) Data Security Standards. Due to the work I do, I am intimately familiar with the PCI standards, so when I hear about things like Cisco and Cybertrust teaming up to provide "an approved PCIDSS solution", I cringe. No device or set of devices can provide PCI compliance. The fact is, a fair number of the PCI requirements aren't related to hardware or network configuration at all; they deal with software architecture and company policies, neither of which a piece of hardware can address, though hardware can be used to enforce the policy.

I agree with fellow CW blogger Michael Farnum: the biggest danger of vendors providing solutions like this as a quick fix for merchants is that the merchant will think installing the device will make them compliant. It won't; the corporate policies still have to be created, the internal security education has to be implemented, and the software has to be tested to make sure it follows standards such as the Open Web Application Security Project guidelines. There are 12 major divisions to the PCI standards and over 240 individual requirements, a large portion of which don't apply to hardware in any way, shape or form.

On the other hand, Cisco and Cybertrust can create a solution that will address the hardware portions of the PCI standards. If they make it clear to their customers from the very beginning that their solution only addresses these portions of the requirements, I think their product could be a very good thing, especially for smaller companies that don't have the personnel to devote to PCI compliance. But what I'm afraid of is the salesmen glossing over the rest of the work merchants will have to do to attain PCI compliance; no sales guy would ever emphasize the positive to a customer and forget to mention the negative, would they?

What People Are Saying

Cisco is NOT a company that

Cisco is NOT a company that markets its products as PCI compliant. There are other product companies that have done this. In most cases, their product complies with one or more of the 204 sub-requirements that are part of the overall PCI specification. Cisco clearly understands that products are not something that can be made PCI compliant.

PCI Compliance is something that companies receive after some hard work and significant investment. To become PCI compliant a company must go through a process that includes having a PCI-certified Qualified Security Assessor (QSA) perform an audit or assessment of their networks and payment applications. After the audit, which most companies do not pass the first time, the company must complete remediation work to meet the guidelines of the audit. After this is completed, the company submits the Report of Compliance to the Payment card company for compliance. All Tier 1 Retailers must go through this process every year, and conduct quarterly scans of the wired and wireless networks.

Cisco completely understands this process and is a PCI certified Network Scan Vendor.

To give you more background on why Cisco created this solution, read on.... Two years ago, Cisco engineers and professionals started to talk to customers about how Cisco network and security products could be used to address PCI compliance guidelines. Some white papers and presentations were created that talked about how each product could be used to meet each of the 12 PCI requirements. Customers were underwhelmed. Many customers told Cisco that they thought the PCI guidelines were confusing, ambiguous, and they found that answers varied between security auditors.

Last year, after listening to hundreds of retail customers, Cisco decided to build a more prescriptive solution. Customers said "Don't tell us that it CAN be done, show us some specific examples..." They said, "give us examples that can be applied to our different store requirements and something that can be centrally managed without impeding store operations." That was what customers wanted and this is what the PCI Solution for Retail is.

Cisco brought together POS vendors, Intermec wireless devices (running mobile POS SW), 3rd party Anti-virus software, wired and wireless networks and the centrally managed network and systems management tools. Everything was installed into Cisco's SONA Center of Excellence lab in San Jose, CA. The initial configurations were based on Cisco and Industry best practices. Cybertrust sent in a team of PCI-certified QSAs who performed audits of the small, medium and large store networks and the integrated suite of systems, network and security management systems.

The PCI solution addresses the areas where technology has to be configured in specific ways to meet the PCI guidelines. The solution is based on PCI DSS 1.1, which is mandated for all new PCI audits in 2007. The 1.1 specification includes more specific guidelines for wireless network scans, an appendix that contains instructions and compensating controls, and other changes to the 1.0 specification. Cisco’s Solution does not include all the process and policy areas of PCI because these areas really vary company-to-company, and are based on internal operations and other policy issues. This is why a QSA assessment is required to make a company PCI compliant.

The value of Cisco's solution is that it gives Network and Security professionals a validated design that includes Retail Store networks and the systems to manage, monitor and remediate the solution. The 375 page design guide is complete with mappings of which Cisco products meet which areas of the 12 PCI requirements. It includes detailed responses to each sub-requirement that Cisco addresses, how the auditor and Cisco recommend it is met, illustrations for clarity and specific examples of each device configuration (Command-Line or Screen shots). All of the device configurations for all 3 store networks and management systems are included, along with the detailed Network Assessment Report (the audit) from Cybertrust with their notes on how things were met, any required compensating controls and other notes.

An area where the auditor was impressed was with Cisco Security Agent, Cisco's host and server-based Intrusion Prevention application. CSA was installed on the in-store POS devices, servers, and desktop PCs. It was also installed on all the management servers. CSA's Management Center, part of the system management solution in the Data Center, allows the complete system to be centrally managed from anywhere on the network. CSA can be configured to defend, audit and report on files and logs across the entire network of hosts and servers. All of this information is collected and presented to CS-MARS for a holistic, retail enterprise security reporting system.

By combining the specific wired and wireless network designs, the (host, server and network) IDS, network and application FW services, Intelligent switches that segment network traffic, a log integrity monitoring system, and centralized management systems, Cisco has created an integrated solution that retailers can use to more effectively meet PCI guidelines.

PCI isn't alone in this

PCI isn't alone in this regard - there are many companies offering "solutions in a box" to HIPAA, Sarbanes-Oxley and other requirements that have lots of non-technical components like policies, training, etc.

This problem is exacerbated by "audit" firms who tell merchants that "in order to be compliant you must do X", where X is one particular way to meet the goals, but is neither necessary nor sufficient. As an example, I had a customer insist to me that SOX compliance requires 6144 bit RSA keys (no, that's not a typo), and another who insisted that SOX requires 256 bit AES (it says nothing of the sort). These requirements came from the customers' audit firms, who had a checklist - never mind whether they used products appropriately, had processes & procedures in place, etc.

PCI is a good standard, but if Visa and others were smart, they'd trademark it and refuse to allow vendors to license the trademark to sell products. Products aren't PCI/HIPAA/SOX compliant; customer systems are compliant, and use products to help get there.

In regards to the

In regards to the Computerworld story, I would like to clarify some information that was not included in the story. Regarding the relationship between Cybertrust and Cisco, Cybertrust -- like other security professionals -- is the first to acknowledge that it is the implementation of PCI DSS that helps organisations achieve compliance, and not the products that are purchased. As the PCI DSS covers everything from building a secure network to maintaining a security policy to protecting cardholder data, it is important to place the Secure Store solution in the proper context. Large, medium and small retailers can use Secure Store reference architectures as a means to reduce the amount of remediation and assessment effort required to become compliant. Cybertrust has certified PCI assessors, myself included, around the globe who provide a consultative approach to PCI. We were engaged by Cisco based on our reputation in the PCI and compliance space. To my knowledge this is the only offering where extensive work has been done to align reference architectures against this standard. I believe that this initiative from Cisco was driven by the merchant and service provider community looking for help from the security industry in regards to PCI. Secure Store is Cisco's response to that.

Martin- I agree with you,

Martin- I agree with you, there is no rubber stamp for PCI compliance. I know with our own PCI efforts we can show where our products can help, but we cannot make you compliant. I have written more about this here