
Page 1: Enforcing PCI Data Security Standard Compliance...NCM/CAS WAP POS Cash Register Mobile POS POS Server Store Worker PC NETWORK MGMT CENTER DATA CENTER CSM ACS WAP POS VLAN Data VLAN

© 2008 Cisco Systems, Inc. All rights reserved. 1

Marco Misitano, CISSP, CISA, CISM

Business Development Manager – Security & VideoSurveillance, Cisco Italy

Enforcing PCI Data Security Standard Compliance

Page 2

The PCI Data Security Standard

• Published January 2005; version 1.1 released September 7, 2006

• Impacts ALL who process, transmit or store cardholder data

• VISA Europe Account Information Security Programme (http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp)

[Figure: cover of the Payment Card Industry Data Security Standard, January 2005]

Page 3

VISA PCI Categories of European Merchants

Category | Criteria | Requirement
Level 1 Merchants | Processed > 6,000,000 Visa transactions per year; compromised in the last year; identified as Level 1 by another card brand | Annual onsite PCI Data Security Assessment; quarterly network scan
Level 2 Merchants | 1 million – 6 million transactions per year | Quarterly network scan; annual self-assessment
Level 3 Merchants | 20,000 – 1 million e-commerce transactions per year | Quarterly network scan; annual self-assessment
Level 4 Merchants | < 20,000 VISA e-commerce transactions per year | Quarterly network scan recommended; annual self-assessment

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

Page 4

VISA PCI Categories of European Service Providers

Category | Criteria | Requirement
Level 1 Service Provider | All VisaNet processors, payment gateways, and Internet Payment Service Providers regardless of transaction volumes | Annual onsite security audit; quarterly network scan
Level 2 Service Provider | Any SP that is not in Level 1 and stores, processes or transmits > 1 million VISA accounts/transactions annually | Annual onsite security audit; quarterly network scan
Level 3 Service Provider | Any SP that is not in Level 1 and stores, processes or transmits < 1 million accounts/transactions annually | Quarterly network scan; annual self-assessment

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

Page 5

PCI Industry Updates

• US Level 1 Merchants deadline is 30 Sept 2007; 65% are compliant (source: VISA US, October 2007)

• European Merchant deadline – 2008 (source: VISA & American Express, October-November 2007)

• Impact of non-compliance: US Level 1 merchants face a US$25,000 per month fine or an increase in credit card transaction fees

Page 6

The PCI Data Security Standard

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Page 7

Applying Self-Defending Network to PCI

Page 8

Cisco PCI Validated Architectures

Cisco Validated Design includes:

• Recommended architectures for networks, payment data at rest and data in transit

• Testing in a simulated retail enterprise which includes POS terminals, application servers, wireless devices, Internet connection and security systems

• Configuration, monitoring, and authentication management systems

• Architectural design guidance and audit review provided by PCI audit and remediation partners

[Logos: PCI Audit Partner; Retail Solution Partners. Validated Design: Small Retail Store]

Page 9

Network Environment Blue Print

[Figure: network blueprint diagram. Labels as they appear: WAN, Credit card storage, Wireless device, REMOTE LOCATION, INTERNET EDGE, ISR, Catalyst switch, ASA, FWSM, IDSM, CS-MARS, NAC, CSA, MAIN OFFICE, 6500 switch, WAP, E-commerce, 7300, NCM/CAS, POS Cash Register, Mobile POS, POS Server, Store Worker PC, NETWORK MGMT CENTER, DATA CENTER, CSM, ACS, IronPort, AXG]

Page 10

PCI Requirement 1

• Install and maintain a firewall configuration to protect data

  – Configuration standards, documentation
  – Segment cardholder data from all other data
  – Firewall to public connections (inbound & outbound)
  – Wireless
  – Personal firewall

Page 11

Requirement 1: Install and maintain a firewall configuration to protect data

[Figure: the network blueprint from Page 9, annotated for this requirement; additional labels: POS VLAN, Data VLAN, Card VLAN]

Page 12

PCI Requirement 2

• Do not use vendor-supplied defaults for system passwords and other security parameters

  – Change vendor-supplied defaults
  – Wireless: change wireless vendor defaults, disable SSID broadcasts, use WPA/WPA2
  – Configuration standards for all system components
  – Implement one primary function per server
  – Disable all unnecessary and insecure services and protocols

Page 13

Requirement 2: Do not use vendor-supplied defaults for system settings

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 14

PCI Requirement 2.1 for Wireless

• Verify that the Cisco Controller is, by default, configured for administrative restriction and AAA authentication for administrative users
• Verify that no default SSID is enabled on the WLC
• Disable/remove default SNMP strings of "public/private"
• Create new community strings
• Verify that default community strings are no longer accessible
• Configure administrative user either via initial controller setup script or via CLI
• Configure wireless system for WPA authentication
• Disable SSID broadcast

Page 15

PCI Requirement 2.3 for Wireless

• Verify that the controller is enabled only for secure management protocols:
  – HTTPS (SSL) only
  – Telnet disabled
  – SNMPv1 disabled
  – SSH permitted

• Verify that administrative access is denied to users accessing over unpermitted interfaces/addresses and verify that only encrypted protocols are permitted
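The Requirement 2, 2.1 and 2.3 checks on the preceding slides (vendor defaults changed, default SNMP community strings removed, Telnet and plaintext HTTP off, SSH/HTTPS only, SSID broadcast off, WPA on) are worth automating against exported device configurations rather than verifying by hand. The following Python script is an added example, not part of the Cisco deck; it audits a constructed IOS-style configuration text and reports each default still in place. The sample configurations, the `audit_config` function and the IOS-style syntax are assumptions for illustration (the wireless controller CLI on the slides uses different commands).

```python
"""Audit an IOS-style device configuration for PCI DSS Requirement 2 defaults.

Added example, not from the Cisco deck. The configuration syntax is IOS-style
(an assumption; the wireless controller CLI uses different commands) and the
two sample configurations below are constructed for illustration.
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults to reject (Req 2.1)

# Constructed "before" configuration with several vendor defaults left in place.
WEAK_CONFIG = """\
hostname store-ap-01
snmp-server community public RO
snmp-server community private RW
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
dot11 ssid STORE-POS
 guest-mode
 authentication open
"""

# Constructed "after" configuration with the defaults removed.
HARDENED_CONFIG = """\
hostname store-ap-01
snmp-server community Q7n2x9pLw4 RO
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
dot11 ssid STORE-POS
 authentication key-management wpa
"""


def parse_blocks(text):
    """Group config lines into (header, [indented children]) blocks.

    IOS-style configs nest sub-commands under a header by a leading space;
    lines starting with '!' are comments/separators and are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(text):
    """Return a list of Requirement 2 findings; an empty list means no defaults found."""
    findings = []
    for header, children in parse_blocks(text):
        words = header.split()
        if header.startswith("snmp-server community"):
            community = words[2]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"2.1: default SNMP community '{community}' still configured")
        elif header == "ip http server":
            findings.append("2.3: plaintext HTTP management enabled; use HTTPS only")
        elif header.startswith("line vty"):
            for child in children:
                if child.startswith("transport input"):
                    allowed = set(child.split()[2:])
                    if allowed & {"telnet", "all"}:
                        findings.append(f"2.3: Telnet permitted on '{header}'; allow SSH only")
        elif header.startswith("dot11 ssid"):
            ssid = words[2]
            if "guest-mode" in children:       # guest-mode = SSID is broadcast in beacons
                findings.append(f"2.1: SSID broadcast (guest-mode) enabled for '{ssid}'")
            if not any(c.startswith("authentication key-management wpa") for c in children):
                findings.append(f"2.1: SSID '{ssid}' not configured for WPA key management")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  ", finding)
```

The checker only recognises the specific defaults listed on the slides; it is meant to run over configurations pulled by a configuration manager (the role the deck gives to NCM) so that every store device is checked on the same schedule, not just the ones an auditor samples.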

Page 16

PCI Requirement 3

• Protect stored data

  – Keep cardholder data storage to a minimum
  – Do not store the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 and magnetic stripe data), card-validation code or value, or PIN
  – Mask PAN when displayed, and render it unreadable when stored (hashed indexes, truncation, index tokens and pads, strong cryptography, disk encryption)
  – Document and implement key management processes
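The slide lists the storage techniques (hashed indexes, truncation, index tokens, strong cryptography) without showing what each one produces. The following Python module is an added example, not part of the Cisco deck: it validates a PAN with the Luhn check, masks it for display, and renders it unreadable for storage by truncation, by a keyed hashed index, and by an index token held in a vault. The first-six/last-four display mask, the choice of HMAC-SHA-256 for the index, the `TokenVault` class and the test PAN are illustrative assumptions.

```python
"""PAN handling for PCI DSS Requirement 3: mask on display, render unreadable in storage.

Added example, not from the Cisco deck. The Luhn check, the first-six/last-four
display mask, the HMAC-based hashed index and the token vault are illustrative
choices; the test PAN below is a constructed value, not a real account.
"""
import hashlib
import hmac
import secrets

TEST_PAN = "4111111111111111"   # constructed, Luhn-valid sample


def luhn_valid(pan: str) -> bool:
    """True if `pan` is 13-19 digits and passes the Luhn check (ISO/IEC 7812)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when only a customer-facing reference is needed: last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[-4:]


def hashed_index(pan: str, key: bytes) -> str:
    """Keyed one-way index (HMAC-SHA-256) for matching records without storing the PAN.

    An unkeyed hash would be reversible by brute force: with a known six-digit
    BIN the remaining space of a 16-digit PAN is on the order of 10^9. The key
    therefore falls under the key-management process the slide requires."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Index token: a random surrogate replaces the PAN everywhere outside the vault."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan not in self._token_by_pan:
            token = secrets.token_hex(8)    # 16 hex chars, mathematically unrelated to the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # in practice: from an HSM or managed key store
    print("display  :", mask_pan(TEST_PAN))
    print("truncated:", truncate_pan(TEST_PAN))
    print("index    :", hashed_index(TEST_PAN, key))
    vault = TokenVault()
    print("token    :", vault.tokenize(TEST_PAN))
```

Only the vault ever holds the PAN-to-token mapping, so the systems that keep the truncated digits, the index or the token stay out of the scope the slide is trying to minimise; the vault and the HMAC key are the components that still need the full Requirement 3 controls.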

Page 17

Requirement 3: Protect Stored Data

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 18

Protect Stored Data – From What?

• Cisco Security Agent (CSA) protects from
  – copying cardholder information to removable media (USB sticks, CD-ROMs, etc.)
  – copying cardholder information to different file formats
  – printing cardholder information
  – saving information to a local machine

• Plus typical worm/virus protection (think e-commerce)

Page 19

PCI Requirement 4

• Encrypt transmission of cardholder data across open, public networks

  – Use SSL/TLS or IPSec; WPA for wireless
  – If using WEP:
    • Use with a minimum 104-bit encryption key and 24-bit initialization value
    • Use ONLY in conjunction with WPA/WPA2, VPN or SSL/TLS
    • Rotate shared WEP keys quarterly (or automatically)
    • Restrict access based on MAC address
  – Never send unencrypted PANs by e-mail

Page 20

Requirement 4: Encrypt transmission of cardholder data across public networks

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 21

PCI Requirement 5

• Use and regularly update anti-virus software or programs

  – Deploy anti-virus software on all systems commonly affected by viruses
  – AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware
  – Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs

Page 22

Requirement 5: Use and regularly update anti-virus software

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 23

PCI Requirement 6

• Develop and maintain secure systems and applications

  – Systems and software have the latest vendor-supplied security patches installed; install relevant security patches within one month of release
  – Establish a process to identify new security vulnerabilities (subscribe to alert services, etc.)
  – Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle
  – Develop web applications based on secure coding guidelines such as those of the Open Web Application Security Project
  – Web-facing applications are protected against known attacks by installing an application-layer firewall in front of them, or by having application code reviewed by a specialized application security organization

Page 24

Requirement 6: Develop and maintain secure systems and applications

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 25

PCI Requirement 7

• Restrict access to cardholder data by business need-to-know

  – Limit access to computing resources and cardholder information only to those individuals whose job requires such access
  – Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed

Page 26

Requirement 7: Restrict access to data by business need-to-know

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 27

PCI Requirement 8

• Assign a unique ID to each person with computer access

  – Identify all users with a unique user name before allowing access to system components or cardholder data
  – In addition, employ one method of authentication (password, token devices [SecurID, certificates or public key], biometrics)
  – Implement 2-factor authentication
  – Encrypt all passwords during transmission and storage

Page 28

Requirement 8: Assign a unique ID to each person with computer access

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 29

PCI Requirement 9

• Restrict physical access to cardholder data

  – Facility entry controls; monitor physical access to systems that store, process or transmit cardholder data
    • Cameras to monitor sensitive areas
    • Restrict physical access to network jacks, wireless access points, gateways, and handheld devices
  – Distinguish between employees and visitors
  – Visitor log-in, physical token, authorization before entering the area
  – Physically secure cardholder data media
  – Destroy media when it is no longer needed

Page 30

PCI Requirement 10

• Track and monitor all access to network resources and cardholder data

  – Implement automated audit trails
  – Record audit trail entries
  – Secure audit trails so they cannot be altered
  – Review logs for all system components at least daily
  – Destroy media when it is no longer needed
  – Retain audit trail history for at least one year, with a minimum of three months online availability
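"Secure audit trails so they cannot be altered" and the one-year/three-month retention rule are the two points on this slide that a log pipeline has to implement rather than just configure. The following Python module is an added example, not part of the Cisco deck: each audit entry commits to the digest of the entry before it, so a later edit or a removed entry is caught at review time, and a separate function buckets entries by age for the retention policy. The hash-chain design, the `AuditTrail` and `classify_for_retention` names, the sample events, and the choice of 90 days for "three months online" and 365 days for "one year" are assumptions for illustration.

```python
"""Tamper-evident audit trail and retention bucketing for PCI DSS Requirement 10.

Added example, not from the Cisco deck. Hash chaining each entry to its
predecessor is the illustrative tamper-evidence mechanism here; 90 days for
"three months online" and 365 days for "one year" are assumptions, and the
sample events are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64           # predecessor digest of the first entry
ONLINE_DAYS = 90             # assumption for "three months online availability"
RETAIN_DAYS = 365            # assumption for "at least one year"
SAMPLE_NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)   # constructed reference time


class AuditTrail:
    """Append-only log where each entry commits to the digest of the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user: str, event: str, target: str, when: datetime) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        record = {"ts": when.isoformat(), "user": user, "event": event,
                  "target": target, "prev": prev}
        record["digest"] = self._digest(record)
        self.entries.append(record)
        return record

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry.

        Editing an entry breaks its own digest; removing an interior entry breaks
        the 'prev' link of the one after it. Either shows up during daily review."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev"] != prev or self._digest(rec) != rec["digest"]:
                return i
            prev = rec["digest"]
        return -1


def classify_for_retention(entries, now: datetime) -> dict:
    """Bucket entries by age: 'online' (<= ONLINE_DAYS), 'archive' (<= RETAIN_DAYS),
    'purgeable' (older than RETAIN_DAYS; may be destroyed once no longer needed)."""
    buckets = {"online": [], "archive": [], "purgeable": []}
    for rec in entries:
        age = now - datetime.fromisoformat(rec["ts"])
        if age <= timedelta(days=ONLINE_DAYS):
            buckets["online"].append(rec)
        elif age <= timedelta(days=RETAIN_DAYS):
            buckets["archive"].append(rec)
        else:
            buckets["purgeable"].append(rec)
    return buckets


def build_sample_trail(now: datetime) -> AuditTrail:
    """Constructed events spanning the three retention windows."""
    trail = AuditTrail()
    trail.append("svc-backup", "read", "cardholder-db", now - timedelta(days=400))
    trail.append("jdoe", "login", "pos-server-01", now - timedelta(days=200))
    trail.append("jdoe", "export", "cardholder-db", now - timedelta(days=10))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail(SAMPLE_NOW)
    print("chain intact:", trail.verify() == -1)
    print({k: len(v) for k, v in classify_for_retention(trail.entries, SAMPLE_NOW).items()})
    trail.entries[1]["user"] = "someone-else"   # simulate an after-the-fact edit
    print("first bad entry after edit:", trail.verify())
```

The chain makes tampering evident, not impossible: whoever can rewrite every later digest can rewrite history, so the latest digest should be copied periodically to a system the log producers cannot write to (the deck's CS-MARS collector is the natural place), which is what turns "cannot be altered" from an aspiration into a check.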

Page 31

Requirement 10: Track and monitor all access to network and cardholder data

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 32

[Screenshot: the event is also logged in CS-MARS (for your reference)]

Page 33

CS-MARS Events for PCI/CobiT Compliance Tracking (for your reference)

PCI: 1. Firewall
CobiT: DS 5.20 FW Architectures
MARS Reports:
  - Network Usage - Top Destination Ports
  - Network Usage Inbound - Top Ports
  - Network Usage Inbound - Top Destinations
  - Network Usage Outbound - Top Ports
  - Network Usage Outbound - Top Destinations
  - Denies Inbound - Top Destination Ports
  - Denies Inbound - Top Destinations
  - Denies Inbound - Top Sources
  - Denies Outbound - Top Destination Ports
  - Denies Outbound - Top Destinations
  - Denies Outbound - Top Sources
  - Attacks Prevented - Top Reporting Devices
  - Concurrent Connections - Top Devices

Page 34

PCI Requirement 11

• Regularly test security systems and processes

  – Use a wireless analyzer at least quarterly to identify all wireless devices in use
  – Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
  – Perform penetration testing at least once a year and after any significant upgrade or modification
  – Use NIDS/IPS, HIDS/HIPS
  – Deploy file integrity monitoring software to perform critical file comparisons at least weekly

Page 35

Requirement 11: Regularly test security systems and processes

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 36

PCI Requirement 12

• Maintain a policy that addresses information security for employees and contractors

  – Establish, publish, maintain, and disseminate a security policy
  – Develop usage policies for critical employee-facing technologies
  – Implement a security awareness program
  – Implement an incident response plan
  – If cardholder data is shared with service providers, the SP must adhere to the PCI DSS requirements

Page 37

Requirement 12: Maintain a policy that addresses information security

[Figure: the network blueprint from Page 9, annotated for this requirement]

Page 38

Cisco Solution for PCI

[Figure: the network blueprint with a matrix mapping each Cisco component (ISR, Catalyst switch, ASA 5500, 6500/7600 FWSM, CS-MARS, NAC, Cisco Security Agent (CSA), Cisco Security Management, ACS, WAP1200, 7300 router, IronPort, AXG, NCM/CAS) to Requirements 1 through 12; the check marks did not survive extraction]

Page 39

NCM PCI Requirement 2 status

Page 40

NCM Requirement 4 status (for your reference)

Page 41

NCM Requirement 6 status (for your reference)

Page 42

NCM Requirement 7, 8 status (for your reference)

Page 43

NCM Requirement 10 status (for your reference)

Page 44

NCM Requirement 11 status

Page 45

NCM Requirement 12 status (for your reference)

Page 46

Summary - Key Takeaways

• PCI is moving rapidly to global importance
• PCI compliance encompasses security best practices
• Work closely with an Approved Scan Vendor and a Qualified Security Assessor to understand expectations
• Use Cisco's PCI Validated Architectures as a guide to ease design and implementation

Page 47

More Information

• Cisco Compliance information: http://www.cisco.com/go/compliance and http://www.cisco.com/go/retail
• VISA Cardholder Information Security Program: http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp
• MasterCard PCI Merchant Education: http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html
• PCI Security Standards Council: https://www.pcisecuritystandards.org/
