Managed Network Service Provider
What You Need To Know
July 30, 2020
Agenda
• Housekeeping
• Presenters
• About Conexxus
• Presentation
• Q & A
Conexxus: Managed Network Service Providers: What You Need To Know
Housekeeping
This webinar is being recorded and will be made available in approximately 7 days.
• YouTube (youtube.com/conexxusonline)
• Website Link (conexxus.org)
Slide Deck
• Survey Link – Presentation provided at end
Participants
• Ask questions via webinar interface
• Please, no vendor specific questions
• Our webinars may be used toward PCI continuing education credits. Please contact [email protected] for questions regarding a certificate of webinar attendance.
Email: [email protected]
Presenters
Conexxus Host: Allie Russell, Standards Coordinator, Conexxus, [email protected]
Moderator: Kara Gunderson, Chair, Data Security Committee; CITGO Petroleum - Manager Payment Card Operations
Speakers
1. Tim Tang, Hughes Network
2. Dean Marier, Cybera
3. Simon Gamble, Mako Networks
4. Brian DuCharme, TNS
5. Brett Stewart, Acumera
6. Matt Nelson, AvaLAN
7. Alex Barclay, SageNet
8. Mark Carl, ControlScan
9. Ashwin Swamy, Omega
About Conexxus
• We are an independent, non-profit, member driven technology organization
• We set standards…
– Data exchange
– Security
– Mobile commerce
• We provide vision
– Identify emerging tech/trends
• We advocate for our industry
– Technology is policy
2020 Conexxus Webinar Schedule
Month/Date | Webinar Title | Speaker | Company
January 23, 2020 | How to elevate your business through digital transformation | Dean Marier | Cybera
February 27, 2020 | Progress in the “API Sprint” | Gray Taylor; David Ezell | Conexxus; Conexxus
March 18, 2020 | Data Security Beyond PCI: Securing the Enterprise | Ed Adams; Marc Punzirudu; Kara Gunderson; Sam Pfanstiel | Security Innovation; ControlScan; CITGO Petroleum; ControlScan
April 2, 2020 | Presentation by GS1 | Liz Sertl | GS1
May 7, 2020 | Breach response considerations for the convenience store and petroleum market | Todd McClelland | McDermott Will & Emery
July 16, 2020 | PCI DSS Impact on COVID & Update on PCI DSS 4.0 | Troy Leach | PCI SSC
July 30, 2020 | POS Managed Network Service Program What You Need to Know | Multiple | Joint MNSP’s
2020 Conexxus Webinar Schedule
Month/Date | Webinar Title | Speaker | Company
August 27, 2020 | How an attacker bypasses network, software and physical controls | Geoffrey Vaughan; Jeff Gibson | Security Innovation; ControlScan
September 2020 | TBD | Scott Cheek | SageNet
October 2020 | Ransomware Protection and how a Managed Security Service Provider can help Oil & Gas Retailers from being the next target | Ajith Edakandi | Hughes Network
November 2020 | TBD | Ash Swamy | Omega
December 2020 | Enterprise data security best practices - Cybera; API webinar with David - Stuzo | |
January 2021 | Vulnerability & Patch Management – Retail Operations | Multiple | POS Vendors
Thank You to our 2020 Diamond Sponsors
What is an MNSP?
Managed Network Service Provider
• Firewall/security device - to protect payment data in a standardized manner
• POS Vendor secure, remote access - for POS fixes & troubleshooting
• Can be expanded to include secure connections for other internet devices &
services such as:
– Tank monitoring
– Back office PC
– Loyalty program connection to loyalty provider
– Mobile payment connection to mobile payment provider
Why Do We Need To Use an MNSP?
Managed Network Service Provider
• Required with outdoor EMV software – POS vendors had to establish a timeframe to
start enforcing MNSP solution
• MNSP & EMV are not the same
• Use MNSP to add data security to avoid data breaches of payment card data
• Major Oil Companies and Major Retailers may require one or a few particular MNSP’s
to implement other brand programs such as loyalty, and for securing the network in a
particular manner
• Update Now! (Upgrade available before outdoor EMV software). POS Vendors have
announced End of Life for former POS Zone Routers
Legacy Architecture
Tim Tang
The Network Today
[Diagram labels: Site Controller; Backoffice PC; Employee Video Surveillance; Tank Gauges; Digital Menuboards; Guest/Employee Wi-Fi; Internet (cable, fiber, 4G/5G, VSAT, etc.); Help Desk; Headquarters; Dialup]
New Network Needs for Outdoor EMV
• More transaction data
• More handshakes
• Remote software updates
• Secure remote access
Growing Network Needs
• Apps
• Social Engineering
The Network Defines the Customer/Employee Experience
• Long Checkout Lines
• Inefficient Store Operations
• Inconvenience
• Slow Transactions
• Ineffective Loyalty
• Unhappy Customers
SD-WAN Traffic Shaping Improves the Store Experience
[Figure: two panels, each showing Batch, Transactional and Real-time traffic meeting WAN congestion]
• No Traffic Shaping: packet loss, high latency, retransmissions
• Traffic Shaping: track available bandwidth, slow down low priority apps to fit, guarantee available bandwidth
The New Norm: Backup and Consolidate
[Diagram labels: POS; SD-WAN with LTE backup; Store Network; VoIP; Security Video; Guest Wi-Fi; Employee Video Training; Internet]
Internet Service | Results
Business Grade | “Sometimes it works, sometimes it doesn’t”
SD-WAN with LTE backup | “Consistent application and POS transaction performance”
Why Change?
Dean Marier
Why a POS Zone Router? What Transformed?
Let’s Understand Why the Zone Router existed to begin with
• Standardized network deployments
• Segmented and secured payment zones from other LAN device zones
• Supported high-speed remote access
• Packaged with Verifone (Cisco ASA) and Gilbarco (RV042) POS
Zone Router Challenges
• Lack of basic networking knowledge
• Loss of visibility and control
• Chain of Custody (Confidentiality, Integrity, Authenticity)
• POS Support Desk burden
• Increased cost of hardware and support
What was the first step in Transformation?
• The Enhanced Zone Router (EZR)
• Replaced ASA at all new Verifone Commander deployments
Why the movement to MNSP from EZR?
EZR Exposed New interests from
• Brands Retail IT Marketing departments
• Merchants desire for high speed remote access; their own network needs
• PCI security concerns
• Other MNSP wanted to offer Zone Router/Firewall Services
• POS Service Technician community
MNSP as the next logical step
• ASA, EZR, and RV042 required a lot to keep up with PCI, Software, and Networking
• POS Vendors are the POS experts
• Provided clear distinction of POS responsibility vs network/compliance
• Streamlined support, MNSP are the network and security experts
• MNSP can deliver changes to the market much faster (leverage them!)
• Enhanced support for outdoor EMV deployments
• Reduction in hardware costs and device footprint
More Than MNSP
Simon Gamble
MNSP Solution Offers More Than MNSP
POS Segmentation, Firewall Ruleset, POS Vendor VPN
Basic Full-Featured
Digital Transformation
Brian DuCharme
How MNSP Prepares Retailers for the Digital Transformation
Digital Transformation Trend 1: Technology is disrupting retail at every level
Digital Experiences
• Consumer Expectations
• Omnichannel
Always Connected
• Business Systems
• Customer UX
• Need for Data Insights
Applications for Everything
• Business Systems
• Customer Apps
Digital Transformation Trend 2: Omnichannel experiences are more technically complex, requiring data communications to bridge in-person with digital
• Card-On-File/Cloud
• Alternative Payments
• Connected Car
• Loyalty earn & burn
• Pay with points
• Use of IoT
• Fraud prevention
• Consumer Engagement
Challenges
• Lots of Vendors
• More to Monitor
• Complicating Response & Recovery
• Training Challenges
• Location vs. Corporate
Digital Transformation Trend 3: Consumer adoption of digital confirmed during TNS Global Survey
• Generational Shift for Loyalty Programs
• Consumers receptive to pay for instore purchases in advance at the Dispenser
Digital Transformation
Brett Stewart
How MNSP Prepares Retailers for the Digital Transformation
MNSP – Secure Entire Estate
A good MNSP can secure remote support, and
• Legacy Payments, and emerging standards
• Mobile Payments
• Loyalty
• Dispensers
• Media
• Menu Boards
• Cooler/Freezer
• Doors / Counters
• Video surveillance
• Environmental Controls
• Energy Management
And Securely Egress…
• Scan Analytics
• Wetstock Telematics
• Environmental Compliance
• Food Safety Compliance
MNSP – Bridge to Future
A properly segmented and managed store network
• Is easier to secure
• Is economical to maintain
• Can flexibly support new initiatives
• Can free IT staff for core projects
Security
Matt Nelson
Security is a key factor. . .
Visibility Control Response
Visibility
• Realtime network visibility (office vs wire)
• Network Dash Boards
• Alert Systems
Control
• Blocking viruses and spam
• Managed Firewalls
• Detecting intrusion attempts
• Setting up and securing a virtual
private network (VPN)
• Implementing system changes
or upgrades
Response
• Structurally detect and reduce vulnerabilities in critical
systems
• Proactively predict threats, especially and specifically for
targeted cyberattacks
• Automatically detect important offensive tactics and
methods in critical systems
• Respond effectively and quickly
• Reduce the likelihood of an attack succeeding and
becoming an ‘event’ (potential data breach) that takes a
lot of time to control
Security Outside of MNSP
Alex Barclay
Enterprise Security starts with MNSP
MNSP is PART of an Enterprise Security Program
• Strategic assessment of risks
• Provides security understanding to drive changes to technology,
vendors, processes, and operations
• PCI Compliance
MNSP addresses some C-store threats
• Designed to preserve confidentiality and integrity of POS Vendor traffic
• Helps implement common technical controls like firewalls and network
isolation and segmentation
Enterprise Security is more than MNSP
MNSP does NOT address
• Enterprise wide connectivity and isolations
• Data and entire network architecture
• Threats not targeted at POS data
• Risks outside the narrow MNSP scope
As an MNSP provider
• The MNSP follows requirements set by the POS vendors and has an
Enterprise Security Program
Enterprise Security Programs
• Assesses risks using frameworks like CIS Controls, NIST Cyber Security
Framework, ISO 27000 series and PCI Compliance
Enterprise Security Frameworks
• Collections of security controls
• Vary from tactical to strategic
• They are essential
– Common language and mappings
– Makes audits easier and cheaper
– Augments teams that don’t have deep security expertise
• CIS Controls – Tactical and actionable
• NIST Cybersecurity Framework – Strategic and vision
• ISO 27000 series – Detailed and international
• PCI Compliance – Required for merchants
Enterprise Security can be complex
Enterprise Security Services Augment MNSP
Low Hanging Fruit – Cost Effective + High Impact
• Vulnerability Scanning
• Penetration Testing
• Security Program Assessment and Design
• Identity and access
High Value – Enhanced Visibility + Control
• Security Log Collection, Analysis, and Escalations (SIEM)
• Cloud Security
Compliance
Mark Carl
Where is MNSP going?
MNSP for POS is going to continue to evolve
• Addresses Outdoor EMV needs
• Allowing rules to support Dispensers
• Accepting ability for self service management or 3rd Party support (VASC)
MNSP is about the service provider taking on more network functions
• Reducing hardware footprint in store is paramount
• 3rd party services providers (loyalty, mobile payments, Data Analytics, Back office) all
have remote access needs and want to avoid hardware as part of their service
• Look for more “MNSP” services to help with digital transformation
• MNSPs will help expose more areas for improvement for network and security
PCI DSS Compliance Requirements
• 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
• 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Best Practices
Choose an MNSP or other service provider that is
Level 1 compliant
• Reduces merchant responsibility for collecting
evidence and ensuring that compliance is met
• Reduces merchant scope
• Level 1 compliant MNSPs prove compliance by
sharing their Attestation of Compliance (AOC)
Other Benefits
• POS Vendors have extensive requirements for connectivity for support on their devices
• A certified MNSP for these vendors has already been through the burden of being tested against those criteria and understands what is required explicitly
– Eliminates confusion and work for the merchant, as the connections just work
– If there are issues, the merchant has a trusted company they can contact in order to get it resolved, who understands the technology and its requirements and has experience with common issues. This reduces potential down time
Site Preparedness
Ashwin Swamy
Making it easy on ourselves
MNSP implementation can be straightforward and fast – if you are prepared.
Avoid these scenarios
• Troubleshooting costs
• Downtime costs
• Security gaps
• Compatibility issues
• Performance issues
With site preparation
• Physical Prep: identify obstacles
• Network Prep: plan your network ahead of time
• Installation Prep: prepare for installation day
Preparing your site for MNSP installation
• Physical Prep: Physical site surveys can help identify security gaps, obstacles to smooth implementation, and opportunities for improved network resilience.
• Network Prep: Collecting network information ahead of time will help ensure that upgraded MNSP routers are configured properly for your site to handle current and future network requirements.
• Installation Prep: Coordination and alignment between relevant onsite personnel and IT vendors is critical to facilitating a smooth installation process.
CDE = Cardholder Data Environment
Physical Readiness Checklist
Physical site surveys can help identify security gaps, obstacles to smooth
implementation, and opportunities for improved network resilience.
✓ Assess site connectivity
• Does the site have an existing cellular backup?
• What is the strength of cell signals for different carriers?
• Is the site planning any ISP upgrades? SD-WAN policies?
✓ Review placement of equipment
• Where are devices situated at each site?
• Sufficient airflow to prevent overheating or dust build up?
• Is equipment stacked, placed side-by-side, wall-mounted, etc.?
• Are devices easily identifiable?
✓ Review arrangement of all cabling
• Are cables for each device identifiable? Are they labeled?
• How are cables arranged?
• Are any cables hanging loose or tangled?
✓ Assess electrical/power infrastructure
• Are there sufficient power outlets available at the site?
• Do power strips have adequate surge protection?
• Do any devices use or require a battery backup?
✓ Review physical security controls (PCI DSS Requirement 9)
• “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.”
✓ Take photos!
Network Readiness Checklist
Collecting network information ahead of time will help ensure that
upgraded MNSP routers are configured properly for your site to handle
current and future network requirements.
✓ Create a device list
• Device lists for each site are accessible via your current router or network service provider.
• Make sure each device is identifiable and that the function is known. Consider devices to be added in the future.
✓ Determine segmentation requirements
• Which devices should NOT be in the card data environment? What additional segments will you need to have defined?
✓ Create network diagrams for each site configuration
• Network diagrams help technicians logically map the network.
• Best practices: label segments, make sure connections are easily identifiable, include a legend, show current and planned devices.
✓ Identify special firewall rules and communication requirements
• Identify special firewall rules and communication requirements (e.g. DVR, car wash systems)
• Firewall rules can typically be found through your current provider or the device manufacturer.
• Make note of all VPN connections
✓ Determine managed/dumb switch needs
• Make note of additional switches that may need to be added.
• Keep Outdoor EMV network requirements in mind.
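The device list, segmentation and firewall/VPN items of the network readiness checklist can be checked mechanically once the inventory is written down. The following is an added example, not part of the webinar; the CSV columns, segment labels and device names are assumptions constructed for illustration.

```python
"""Audit a site device list against the network readiness checklist."""
import csv
import io

# Constructed sample inventory. Column names, segment labels and devices are
# assumptions for this example, not values from the presentation.
SAMPLE_INVENTORY = """\
device,function,segment,handles_card_data,special_rules,vpn
site-controller,POS site controller,CDE,yes,,pos-vendor
dispenser-1,Fuel dispenser payment terminal,CDE,yes,,
backoffice-pc,Back office PC,CDE,no,,
tank-gauge,Tank monitoring,IOT,no,,
dvr,Video surveillance recorder,CAMERAS,no,remote viewing,
carwash,Car wash controller,,no,vendor cloud,carwash-vendor
unknown-0a,,CDE,no,,
"""

CDE_SEGMENT = "CDE"  # assumed label for the cardholder data environment


def load_inventory(text):
    """Parse the CSV text into a list of dicts with whitespace-trimmed values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items() if k} for row in reader]


def audit(rows):
    """Return checklist findings for the given device rows."""
    findings = {
        "unknown_function": [],        # device not identifiable by function
        "not_card_data_in_cde": [],    # should NOT be in the card data environment
        "card_data_outside_cde": [],   # payment device placed outside the CDE
        "unsegmented": [],             # no segment defined yet
        "special_firewall_rules": {},  # devices needing special rules (DVR, car wash)
        "vpn_connections": {},         # every VPN connection to note
        "segments": [],                # segments the new router must define
    }
    segments = set()
    for row in rows:
        name = row["device"]
        in_cde = row["segment"] == CDE_SEGMENT
        card = row["handles_card_data"].lower() == "yes"
        if not row["function"]:
            findings["unknown_function"].append(name)
        if row["segment"]:
            segments.add(row["segment"])
        else:
            findings["unsegmented"].append(name)
        if in_cde and not card:
            findings["not_card_data_in_cde"].append(name)
        if card and not in_cde:
            findings["card_data_outside_cde"].append(name)
        if row["special_rules"]:
            findings["special_firewall_rules"][name] = row["special_rules"]
        if row["vpn"]:
            findings["vpn_connections"][name] = row["vpn"]
    findings["segments"] = sorted(segments)
    return findings


if __name__ == "__main__":
    for check, result in audit(load_inventory(SAMPLE_INVENTORY)).items():
        print(f"{check}: {result}")
```
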
Installation Readiness Checklist
Coordination and alignment between relevant onsite personnel and IT
vendors is critical to facilitating a smooth installation process.
✓ Collect Site Information
• Consolidated site information (e.g. site names, addresses, key contacts, hours of operation) helps to fast track deployment.
✓ Communicate with Site Managers
• Make sure store managers are kept fully apprised of installation plans and are prepared for any disruptions to regular business.
✓ Keep your IT partners informed
• During MNSP and outdoor EMV installations, make sure key IT partners (POS, AHD, MNSP, ASC, etc.) are aligned before, during, and after implementation.
MNSP Preparedness: Expedite Your Transition to
Outdoor EMV
MNSP Resources
Verifone MNSP website: https://www.vfne.co/MNSP
Gilbarco MNSP website: https://www.gilbarco.com/us/emv-migration-guide
MNSP Provider Website
Acumera https://info.acumera.net/acumera-mnsp-services
AvaLAN https://www.avalannetworks.com/managednetworkservices
ControlScan www.controlscan.com
Cybera www.cybera.com
Hughes https://Business.hughes.com/industries/retail-petroleum
Mako Networks www.makonetworks.com
Omega ATC http://www.omegaatc.com/MNSP
SageNet www.sagenet.com/industry/c-store/
TNS https://tnsi.com/emv-upgrade/
Other Resources
Conexxus Webinars – can you afford not to upgrade?: https://www.conexxus.org/webinars/emv-can-you-afford-not-upgrade-nacs-2019-show
Payment Card Industry Data Security Standards (PCI DSS): www.pcisecuritystandards.org
CIS Controls: https://www.cisecurity.org/controls/
NIST: www.nist.gov
ISO 27001: https://www.iso.org/isoiec-27001-information-security.html
Conexxus Resources
• Website: www.conexxus.org
• Email: [email protected]
• LinkedIn Profile: Conexxus.org
• Follow us on Twitter: @Conexxusonline
DISCLAIMER: Conexxus does not endorse any products or services that may be described or mentioned in this presentation. The views and opinions expressed in this presentation are solely those of the speakers and not of Conexxus. By hosting this webinar, Conexxus is not providing any legal advice; if you have any questions about legal issues raised or discussed, you should seek the assistance of attorneys who are competent in that area.