Cisco and Cybertrust team up on PCIDSS
on January 23rd, 2007 at 8:00 pm
Seems like Cisco has partnered with Cybertrust in creating some kind of PCI-geared hardware package / solution. Cybertrust is supposedly giving this amorphous hardware blob (I guess a hardware package can be customized for each scenario) the PCI checkmark. OK, so which company is going to purchase this package for its stores and tell its auditors, “we’re PCI compliant because we bought this crap”?
From their news release:
Part of the Cisco PCI Solution for Retail, a set of recommended and audited network architectures that can be tailored for each retailer’s specific store footprint and application needs, Cybertrust has provided its PCI subject matter expertise to validate that the Cisco solutions are optimized for PCI compliance. The Cisco PCI Solution architectures provide guidelines that help retailers manage the complexities associated with the PCI Data Security Standard.
Rrrrriiiiight….
Computerworld Australia warns against this as well.
Vet

Everyone wants a magic pill. The problem, as stated above, is there’s no one size solution that fits all users.
My issue is that they never state that it is a certain hardware package or how the process will really work. They just say it is some group of hardware that Cybertrust will give a checkmark to and say it is good for PCI. No, they don’t state that this is a PCI silver bullet, but when these types of packages get sold, customers tend to think they are a silver bullet, even if all the disclaimers say they are not. It is a dangerous game, and yes, it is a marketing ploy to get Cisco and Cybertrust in the door. I never said it was a bad play, just dangerous to the customer.
A MUCH better approach is to have a certified auditor / assessor come in and review your compliance program from the top and map it down to the bottom, which is technology. Starting with technology is a VERY bad idea. Maybe I should have said that in my post, but I have been kinda cranky lately.
It is common sense that you can’t just buy a product and be compliant. (At least, I *hope* that it’s common sense!)
Maybe I missed something, but I don’t really think they were implying they are the silver bullet. They say “…provide guidelines that help retailers manage…” (keyword ‘help’) not “provides PCI compliance”. The previous sentence to that does make it a bit confusing, though. Not that I want to help them out, given I compete with Cybertrust.
Marketing is truly becoming more of a political game than an art.
Simon,
Rambling is welcome here, but I would hardly classify your comment as rambling. Great thoughts.
Michael
I’m a PCI auditor, and I agree if any client thinks they can simply buy a PCI compliant environment, they are sorely mistaken. There is much more to the PCI DSS than implementing technology. In fact, very little of the standard makes reference to specific products, and much emphasis is placed upon policy and practice. I’m sure some vendors wish they could get a mention within the standard!
I imagine that any PCI auditing company who provides onsite PCI audits *and* also profits from selling hardware solutions in the name of PCI compliance would have to be very, very careful not to fall foul of the strict ethical rules imposed upon all Visa Qualified Security Assessors (QSAs).
I don’t know if Alan was serious or not, but his reference to Qualys being some kind of exception to this is incorrect. They sell/resell a PCI approved automated scanning service, as do many other vendors. Note that this is different to the on-site auditing process that larger merchants and service providers are obliged to submit to.
Any vendor (such as Qualys) who sells a scanning service has to subject their scanning solution yearly to a live test, set by PCICO/Mastercard (and pay a fee). This enables the vendor to offer a scanning service to clients, which will confirm if the client’s external network is PCI Compliant. External scanning of this kind is mandatory for all merchants and service providers, whereas only the larger merchants and service providers require an on-site audit.
Big comment, sorry for the rambling
In regards to the Computerworld story, I would like to clarify some information that was not included in the story. Regarding the relationship between Cybertrust and Cisco, Cybertrust — like other security professionals — is the first to acknowledge that it is the implementation of PCI DSS that helps organisations achieve compliance, and not the products that are purchased. As the PCI DSS covers everything from building a secure network to maintaining a security policy to protecting cardholder data, it is important to place the Secure Store solution in the proper context. Large, medium and small retailers can use Secure Store reference architectures as a means to reduce the amount of remediation and assessment effort required to become compliant. Cybertrust has certified PCI assessors, myself included, around the globe who provide a consultative approach to PCI. We were engaged by Cisco based on our reputation in the PCI and compliance space. To my knowledge this is the only offering where extensive work has been done to align reference architectures against this standard. I believe that this initiative from Cisco was driven by the merchant and service provider community looking for help from the security industry in regards to PCI. Secure Store is Cisco’s response to that.
The people that buy that stuff will be the same people who stare wide-eyed with surprise when they still get subjected to a security incident or data theft issue that costs them millions. :\ “But we have this magical device that makes us compliant and safe?”
Michael- I tried to track back to your article but I can’t seem to get it to work. Anyway, I agree with you 100% on this one. I don’t think there is a rubber stamp that will make you PCI compliant and people looking for one will be disappointed. You can read more about what I said here: http://www.stillsecureafteralltheseyears.com/ashimmy/2007/01/farnum_getting_.html