The Payment Card Industry Data Security Standard (PCI DSS) is a standard for security mandated by most of the major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB. This standard applies to any organization that processes, stores, or transmits credit card information. This is not a standard required by federal law but rather mandated by the credit card companies and administered by the Payment Card Industry Security Standards Council. Some states, however, directly reference either PCI DSS or an equivalent standard in their laws.
The PCI DSS standard has 6 goals, divided into 12 requirements:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Use and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors.
You will notice that PCI DSS has fairly simple requirements, but one important point to remember is that PCI data often uses the same network infrastructure as other data in an organization. If the PCI data is not segmented, the whole network needs to be PCI DSS–compliant, which increases the cost and complexity of compliance. Hence, while the standard itself does not explicitly call for it, it is important to segment PCI data from other data. Segmentation can be achieved with traditional methods such as access lists and VLANs or with newer technologies, such as TrustSec.
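The segmentation the paragraph above recommends, shown as a constructed Cisco IOS configuration (an added example, not from the page or from Cisco): the cardholder data environment (CDE) gets its own VLAN, corporate users are kept out of it except for one admin jump host over SSH, and CDE hosts may only reach the payment processor over TLS. VLAN numbers, addresses, the jump host 10.10.20.50 and the processor address 203.0.113.10 (a documentation address) are all assumptions.

```cisco
! Constructed example: scoping the CDE with a dedicated VLAN and extended ACLs
vlan 10
 name CDE-POS
vlan 20
 name CORP-USERS
!
interface Vlan10
 description Cardholder data environment (in scope for PCI DSS)
 ip address 10.10.10.1 255.255.255.0
 ip access-group CDE-EGRESS in
!
interface Vlan20
 description Corporate users (kept out of PCI DSS scope by segmentation)
 ip address 10.10.20.1 255.255.255.0
 ip access-group CORP-TO-CDE in
!
ip access-list extended CORP-TO-CDE
 remark Only the assumed admin jump host may reach CDE hosts, and only over SSH
 permit tcp host 10.10.20.50 10.10.10.0 0.0.0.255 eq 22
 remark Everything else from corporate into the CDE is dropped and logged (Req. 10)
 deny   ip any 10.10.10.0 0.0.0.255 log
 permit ip any any
!
ip access-list extended CDE-EGRESS
 remark POS hosts may talk only to the payment processor over TLS (Req. 4)
 permit tcp 10.10.10.0 0.0.0.255 host 203.0.113.10 eq 443
 remark Return traffic for the jump host's SSH sessions into the CDE
 permit tcp 10.10.10.0 0.0.0.255 eq 22 host 10.10.20.50 established
 remark Anything else leaving the CDE (including toward corporate) is dropped and logged
 deny   ip any any log
```

The logged denies on both ACLs give the monitoring evidence that Requirement 10 asks for, and the explicit egress list keeps the corporate VLAN out of scope even if a CDE host is compromised.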
Table 1 maps PCI DSS goals to relevant Cisco security products and technologies.
Table 1: PCI DSS Goals and Cisco Security Products/Technologies

| PCI DSS Goal | Cisco Security Products/Technologies |
|---|---|
| Build and Maintain a Secure Network | Cisco Firepower NGFW, Firepower NGIPS, ASA |
| Protect Cardholder Data | Cisco VPN technologies on NGFW, ASA, and routers |
| Maintain a Vulnerability Management Program | Cisco AMP |
| Implement Strong Access Control Measures | Cisco ISE, TrustSec |
| Regularly Monitor and Test Networks | NGFW, NGIPS, FMC, Stealthwatch |
| Maintain an Information Security Policy | N/A |