<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Cisco and Cybertrust team up on PCIDSS</title>
	<atom:link href="http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/</link>
	<description>Commentary on the State of Information Security</description>
	<lastBuildDate>Sun, 10 Jan 2010 16:13:08 -0700</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Townsend Networks</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-19535</link>
		<dc:creator>Townsend Networks</dc:creator>
		<pubDate>Mon, 23 Jul 2007 18:44:15 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-19535</guid>
		<description>Everyone wants a magic pill. The problem, as stated above, is there&#039;s no one size solution that fits all users.</description>
		<content:encoded><![CDATA[<p>Everyone wants a magic pill. The problem, as stated above, is there&#8217;s no one size solution that fits all users.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Can you hear the vendors blogging? at PCI and Data Security Compliance</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-12589</link>
		<dc:creator>Can you hear the vendors blogging? at PCI and Data Security Compliance</dc:creator>
		<pubDate>Sun, 25 Feb 2007 04:03:07 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-12589</guid>
		<description>[...] has been in the news? Michael Farnum writes about the Cisco and CyberTrust partnership on PCI DSS compliance which was echoed by Martin McKeay at Computer World US. This story was then picked up by Computer [...]</description>
		<content:encoded><![CDATA[<p>[...] has been in the news? Michael Farnum writes about the Cisco and CyberTrust partnership on PCI DSS compliance which was echoed by Martin McKeay at Computer World US. This story was then picked up by Computer [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: An Information Security Place &#187; Blog Archive &#187; A Cybertrust response to my Cisco/Cybertrust PCIDSS post</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-8467</link>
		<dc:creator>An Information Security Place &#187; Blog Archive &#187; A Cybertrust response to my Cisco/Cybertrust PCIDSS post</dc:creator>
		<pubDate>Mon, 29 Jan 2007 04:41:56 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-8467</guid>
		<description>[...] I received an email from Thomas Frazier, Product Strategy Manager at Cybertrust, in response to my post regarding the Cisco / Cybertrust PCIDSS partnership. I have not had time to study the response closely, so I am merely posting it here now. I will read it more closely later and respond as I have time. In regards to the Computerworld story, I would like to clarify some information that was not included in the story. Regarding the relationship between Cybertrust and Cisco, Cybertrust &#8212; like other security professionals &#8212; is the first to acknowledge that it is the implementation of PCI DSS that helps organisations achieve compliance, and not the products that are purchased. As the PCI DSS covers everything from building a secure network to maintaining a security policy to protecting cardholder data, it is important to place the Secure Store solution in the proper context. Large, medium and small retailers can use Secure Store reference architectures as a means to reduce the amount of remediation and assessment effort required to become compliant. Cybertrust has certified PCI assessors, myself included, around the globe who provide a consultative approach to PCI. We were engaged by Cisco based on our reputation in the PCI and compliance space. To my knowledge this is the only offering where extensive work has been done to align reference architectures against this standard. I believe that this initiative from Cisco was driven by the merchant and service provider community looking for help from the security industry in regards to PCI. Secure Store is Cisco&#8217;s response to that. [...]</description>
		<content:encoded><![CDATA[<p>[...] I received an email from Thomas Frazier, Product Strategy Manager at Cybertrust, in response to my post regarding the Cisco / Cybertrust PCIDSS partnership. I have not had time to study the response closely, so I am merely posting it here now. I will read it more closely later and respond as I have time. In regards to the Computerworld story, I would like to clarify some information that was not included in the story. Regarding the relationship between Cybertrust and Cisco, Cybertrust &#8212; like other security professionals &#8212; is the first to acknowledge that it is the implementation of PCI DSS that helps organisations achieve compliance, and not the products that are purchased. As the PCI DSS covers everything from building a secure network to maintaining a security policy to protecting cardholder data, it is important to place the Secure Store solution in the proper context. Large, medium and small retailers can use Secure Store reference architectures as a means to reduce the amount of remediation and assessment effort required to become compliant. Cybertrust has certified PCI assessors, myself included, around the globe who provide a consultative approach to PCI. We were engaged by Cisco based on our reputation in the PCI and compliance space. To my knowledge this is the only offering where extensive work has been done to align reference architectures against this standard. I believe that this initiative from Cisco was driven by the merchant and service provider community looking for help from the security industry in regards to PCI. Secure Store is Cisco&#8217;s response to that. [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Network Management Links for 2007-01-25 - Network Management Evolution - Because change is inevitable</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-8220</link>
		<dc:creator>Network Management Links for 2007-01-25 - Network Management Evolution - Because change is inevitable</dc:creator>
		<pubDate>Fri, 26 Jan 2007 19:42:05 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-8220</guid>
		<description>[...] An Information Security Place &#187; Blog Archive &#187; Cisco and Cybertrust team up on PCIDSS &#8220;Seems like Cisco has partnered with Cybertrust in creating some kind of PCI-geared hardware package / solution. Cybertrust is supposedly giving this amorphous hardware blob (I guess a hardware package can be customized for each scenario) the PCI checkmark.&#8221; [...]</description>
		<content:encoded><![CDATA[<p>[...] An Information Security Place &#187; Blog Archive &#187; Cisco and Cybertrust team up on PCIDSS &#8220;Seems like Cisco has partnered with Cybertrust in creating some kind of PCI-geared hardware package / solution. Cybertrust is supposedly giving this amorphous hardware blob (I guess a hardware package can be customized for each scenario) the PCI checkmark.&#8221; [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michael Farnum</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-8107</link>
		<dc:creator>Michael Farnum</dc:creator>
		<pubDate>Thu, 25 Jan 2007 16:55:18 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-8107</guid>
		<description>My issue is that they never state that it is a certain hardware package or how the process will really work.  They just say it is some group of hardware that Cybertrust will give a checkmark to and say it is good for PCI.  No, they don&#039;t state that this is a PCI silver bullet, but when these types of packages get sold, customers tend to think they are a silver bullet, even if all the disclaimers say they are not.  It is a dangerous game, and yes, it is a marketing ploy to get Cisco and Cybertrust in the door.  I never said it was a bad play, just dangerous to the customer.

A MUCH better approach is to have a certified auditor / assessor come in and review your compliance program from the top and map it down to the bottom, which is technology.  Starting with technology is a VERY bad idea.  Maybe I should have said that in my post, but I have been kinda cranky lately.</description>
		<content:encoded><![CDATA[<p>My issue is that they never state that it is a certain hardware package or how the process will really work.  They just say it is some group of hardware that Cybertrust will give a checkmark to and say it is good for PCI.  No, they don&#8217;t state that this is a PCI silver bullet, but when these types of packages get sold, customers tend to think they are a silver bullet, even if all the disclaimers say they are not.  It is a dangerous game, and yes, it is a marketing ploy to get Cisco and Cybertrust in the door.  I never said it was a bad play, just dangerous to the customer.</p>
<p>A MUCH better approach is to have a certified auditor / assessor come in and review your compliance program from the top and map it down to the bottom, which is technology.  Starting with technology is a VERY bad idea.  Maybe I should have said that in my post, but I have been kinda cranky lately.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: SamVR</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-8106</link>
		<dc:creator>SamVR</dc:creator>
		<pubDate>Thu, 25 Jan 2007 16:43:32 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-8106</guid>
		<description>It is common sense that you can&#039;t just buy a product and be compliant. (At least, I *hope* that it&#039;s common sense!)

Maybe I missed something, but I don&#039;t really think they were implying they are the silver bullet. They say &quot;...provide guidelines that help retailers manage...&quot; (keyword &#039;help&#039;) not &quot;provides PCI compliance&quot;. The previous sentence to that does make it a bit confusing, though. Not that I want to help them out, given I compete with Cybertrust.

Marketing is truly becoming more of a political game than an art.</description>
		<content:encoded><![CDATA[<p>It is common sense that you can&#8217;t just buy a product and be compliant. (At least, I *hope* that it&#8217;s common sense!)</p>
<p>Maybe I missed something, but I don&#8217;t really think they were implying they are the silver bullet. They say &#8220;&#8230;provide guidelines that help retailers manage&#8230;&#8221; (keyword &#8216;help&#8217;) not &#8220;provides PCI compliance&#8221;. The previous sentence to that does make it a bit confusing, though. Not that I want to help them out, given I compete with Cybertrust.</p>
<p>Marketing is truly becoming more of a political game than an art.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michael Farnum</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-8100</link>
		<dc:creator>Michael Farnum</dc:creator>
		<pubDate>Thu, 25 Jan 2007 15:18:52 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-8100</guid>
		<description>Simon,

Rambling is welcome here, but I would hardly classify your comment as rambling.  Great thoughts.

Michael</description>
		<content:encoded><![CDATA[<p>Simon,</p>
<p>Rambling is welcome here, but I would hardly classify your comment as rambling.  Great thoughts.</p>
<p>Michael</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: simon</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-8098</link>
		<dc:creator>simon</dc:creator>
		<pubDate>Thu, 25 Jan 2007 15:15:29 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-8098</guid>
		<description>I&#039;m a PCI auditor, and I agree if any client thinks they can simply buy a PCI compliant environment, they are sorely mistaken. There is much more to the PCI DSS than implementing technology. In fact, very little of the standard makes reference to specific products, and much emphasis is placed upon policy and practice. I&#039;m sure some vendors wish they could get a mention within the standard!

I imagine that any PCI auditing company who provides onsite PCI audits *and* also profits from selling hardware solutions in the name of PCI compliance would have to be very, very careful not to fall foul of the strict ethical rules imposed upon all Visa Qualified Security Assessors (QSAs).

I don&#039;t know if Alan was serious or not, but his reference to Qualys being some kind of exception to this is incorrect. They sell/resell a PCI approved automated scanning service, as do many other vendors. Note that this is different to the on-site auditing process that larger merchants and service providers are obliged to submit to.

Any vendor (such as Qualys) who sells a scanning service has to subject their scanning solution yearly to a live test, set by PCICO/Mastercard (and pay a fee). This enables the vendor to offer a scanning service to clients, which will confirm if the client&#039;s external network is PCI Compliant. External scanning of this kind is mandatory for all merchants and service providers, whereas only the larger merchants and service providers require an on-site audit.

Big comment, sorry for the rambling :)</description>
		<content:encoded><![CDATA[<p>I&#8217;m a PCI auditor, and I agree if any client thinks they can simply buy a PCI compliant environment, they are sorely mistaken. There is much more to the PCI DSS than implementing technology. In fact, very little of the standard makes reference to specific products, and much emphasis is placed upon policy and practice. I&#8217;m sure some vendors wish they could get a mention within the standard!</p>
<p>I imagine that any PCI auditing company who provides onsite PCI audits *and* also profits from selling hardware solutions in the name of PCI compliance would have to be very, very careful not to fall foul of the strict ethical rules imposed upon all Visa Qualified Security Assessors (QSAs).</p>
<p>I don&#8217;t know if Alan was serious or not, but his reference to Qualys being some kind of exception to this is incorrect. They sell/resell a PCI approved automated scanning service, as do many other vendors. Note that this is different to the on-site auditing process that larger merchants and service providers are obliged to submit to.</p>
<p>Any vendor (such as Qualys) who sells a scanning service has to subject their scanning solution yearly to a live test, set by PCICO/Mastercard (and pay a fee). This enables the vendor to offer a scanning service to clients, which will confirm if the client&#8217;s external network is PCI Compliant. External scanning of this kind is mandatory for all merchants and service providers, whereas only the larger merchants and service providers require an on-site audit.</p>
<p>Big comment, sorry for the rambling <img src='http://infosecplace.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Thomas Frazier</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-8033</link>
		<dc:creator>Thomas Frazier</dc:creator>
		<pubDate>Thu, 25 Jan 2007 00:07:12 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-8033</guid>
		<description>In regards to the Computerworld story, I would like to clarify some information that was not included in the story.  Regarding the relationship between Cybertrust and Cisco, Cybertrust -- like other security professionals -- is the first to acknowledge that it is the implementation of PCI DSS that helps organisations achieve compliance, and not the products that are purchased.  As the PCI DSS covers everything from building a secure network to maintaining a security policy to protecting cardholder data, it is important to place the Secure Store solution in the proper context.  Large, medium and small retailers can use Secure Store reference architectures as a means to reduce the amount of remediation and assessment effort required to become compliant.  Cybertrust has certified PCI assessors, myself included, around the globe who provide a consultative approach to PCI.  We were engaged by Cisco based on our reputation in the PCI and compliance space.  To my knowledge this is the only offering where extensive work has been done to align reference architectures against this standard.  I believe that this initiative from Cisco was driven by the merchant and service provider community looking for help from the security industry in regards to PCI.  Secure Store is Cisco&#039;s response to that.</description>
		<content:encoded><![CDATA[<p>In regards to the Computerworld story, I would like to clarify some information that was not included in the story.  Regarding the relationship between Cybertrust and Cisco, Cybertrust &#8212; like other security professionals &#8212; is the first to acknowledge that it is the implementation of PCI DSS that helps organisations achieve compliance, and not the products that are purchased.  As the PCI DSS covers everything from building a secure network to maintaining a security policy to protecting cardholder data, it is important to place the Secure Store solution in the proper context.  Large, medium and small retailers can use Secure Store reference architectures as a means to reduce the amount of remediation and assessment effort required to become compliant.  Cybertrust has certified PCI assessors, myself included, around the globe who provide a consultative approach to PCI.  We were engaged by Cisco based on our reputation in the PCI and compliance space.  To my knowledge this is the only offering where extensive work has been done to align reference architectures against this standard.  I believe that this initiative from Cisco was driven by the merchant and service provider community looking for help from the security industry in regards to PCI.  Secure Store is Cisco&#8217;s response to that.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: LonerVamp</title>
		<link>http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/comment-page-1/#comment-8002</link>
		<dc:creator>LonerVamp</dc:creator>
		<pubDate>Wed, 24 Jan 2007 16:00:17 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/01/23/cisco-and-cybertrust-team-up-on-pcidss/#comment-8002</guid>
		<description>The people that buy that stuff will be the same people who stare wide-eyed with surprise when they still get subjected to a security incident or data theft issue that costs them millions. :\  &quot;But we have this magical device that makes us compliant and safe?&quot;</description>
		<content:encoded><![CDATA[<p>The people that buy that stuff will be the same people who stare wide-eyed with surprise when they still get subjected to a security incident or data theft issue that costs them millions. :\  &#8220;But we have this magical device that makes us compliant and safe?&#8221;</p>
]]></content:encoded>
	</item>
</channel>
</rss>
