managed network service provider...• pos vendor secure, remote access - for pos fixes &...

Managed

Network

Service

Provider

What You Need To Know

July 30, 2020

Agenda• Housekeeping

• Presenters

• About Conexxus

• Presentation

• Q & A

Conexxus: Managed Network Service Providers:

What You Need To Know2

HousekeepingThis webinar is being recorded and will be made available in approximately 7 days.

• YouTube (youtube.com/conexxusonline)

• Website Link (conexxus.org)

Slide Deck • Survey Link – Presentation provided at end

Participants• Ask questions via webinar interface

• Please, no vendor specific questions

• Our webinars may be used toward PCI continuing education credits. Please contact [email protected] for questions regarding a certificate of webinar attendance.

Email: [email protected]



mailto:[email protected]

Presenters

Conexxus Host Moderator

Allie Russell Kara Gunderson

Standards Coordinator Chair, Data Security Committee

Conexxus CITGO Petroleum -

[email protected] Manager Payment Card Operations

[email protected]





1. Tim Tang, Hughes Network

2. Dean Marier, Cybera

3. Simon Gamble, Mako Networks

4. Brian DuCharme, TNS

5. Brett Stewart, Acumera

6. Matt Nelson, AvaLAN

7. Alex Barclay, SageNet

8. Mark Carl, ControlScan

9. Ashwin Swamy, Omega

5Conexxus: Managed Network Service Providers:


Speakers

About Conexxus• We are an independent, non-profit, member driven

technology organization

• We set standards…– Data exchange

– Security

– Mobile commerce

• We provide vision– Identify emerging tech/trends

• We advocate for our industry– Technology is policy



2020 Conexxus Webinar Schedule



Month/Date Webinar Title Speaker Company

January 23, 2020How to elevate your business through digital

transformationDean Marier Cybera

February 27, 2020 Progress in the “API Sprint”Gray TaylorDavid Ezell

ConexxusConexxus

March 18, 2020 Data Security Beyond PCI: Securing the Enterprise

Ed AdamsMarc PunziruduKara Gunderson

Sam Pfanstiel

Security InnovationControlScan

CITGO PetroleumControlScan

April 2, 2020 Presentation by GS1 Liz Sertl GS1

May 7, 2020Breach response considerations for the convenience

store and petroleum marketTodd McClelland McDermott Will & Emery

July 16, 2020 PCI DSS Impact on COVID & Update on PCI DSS 4.0 Troy Leach PCI SSC

July 30, 2020POS Managed Network Service Program

What You Need to KnowMultiple Joint MNSP’s



2020 Conexxus Webinar Schedule

Month/Date Webinar Title Speaker Company

August 27, 2020How an attacker bypasses network, software and

physical controlsGeoffrey Vaughan

Jeff GibsonSecurity Innovation

ControlScan

September 2020 TBD Scott Cheek SageNet

October 2020Ransomware Protection and how a Managed Security

Service Provider can help Oil & Gas Retailers from being the next target

Ajith Edakandi Hughes Network

November 2020 TBD Ash Swamy Omega

December 2020Enterprise data security best practices - Cybera

API webinar with David - Stuzo

January 2021Vulnerability & Patch Management – Retail

OperationsMultiple POS Vendors

Thank You to our 2020 Diamond Sponsors



Managed

Network

Service

Provider


July 30, 2020



What is an MNSP?

Managed Network Service Provider

• Firewall/security device - to protect payment data in a standardized manner

• POS Vendor secure, remote access - for POS fixes & troubleshooting

• Can be expanded to include secure connections for other internet devices &

services such as:

– Tank monitoring

– Back office PC

– Loyalty program connection to loyalty provider

– Mobile payment connection to mobile payment provider



Why Do We Need To Use an MNSP?

Managed Network Service Provider

• Required with outdoor EMV software – POS vendors had to establish a timeframe to

start enforcing MNSP solution

• MNSP & EMV are not the same

• Use MNSP to add data security to avoid data breaches of payment card data

• Major Oil Companies and Major Retailers may require one or a few particular MNSP’s

to implement other brand programs such as loyalty, and for securing the network in a

particular manner

• Update Now! (Upgrade available before outdoor EMV software). POS Vendors have

announced End of Life for former POS Zone Routers



Legacy

ArchitectureTim Tang

13 Conexxus: Managed Network Service Providers:


Managed

Network

Service

Provider

14

Site ControllerBackoffice PCEmployee Video SurveillanceTank GaugesDigital MenuboardsGuest/Employee Wi-Fi

Internet(cable, fiber, 4G/5G, VSAT, etc.)

Help Desk

Headquarters

Dialup

The Network Today



• More transaction data

• More handshakes

• Remote software updates

• Secure remote access

15

Growing Network Needs

Apps

SocialEngineering

New Network Needs for Outdoor EMV



16

LongCheckout Lines

Inefficient StoreOperations

Inconvenience

SlowTransactions

IneffectiveLoyalty

UnhappyCustomers

The Network Defines the Customer/Employee Experience



17

Batch

Transactional

Real-time

WA

N

Congestion

Traffic Shaping

Guarantee

available

bandwidth

Slow down

low priority

apps to fitTrack

available

bandwidth

Batch

Transactional

Real-time

WA

N

Congestion

No Traffic Shaping

Packet loss

High Latency

Retransmissions

SD-WAN Traffic Shaping Improves the Store Experience



POS

SD-WAN with LTE backup

Store NetworkVoIP

Security VideoGuest Wi-Fi

Employee Video Training

Internet

Internet Service Results

Business Grade “Sometimes it works, sometimes it doesn’t”

SD-WAN with LTE backup “Consistent application and POS transaction performance”

The New Norm: Backup and Consolidate



Why Change?

Dean Marier



Managed

Network

Service

Provider

Why a POS Zone Router? What Transformed?Let’s Understand Why the Zone Router existed to begin with

• Standardized network deployments

• Segmented and secured payment zones from other LAN device zones

• Supported high-speed remote access

• Packaged with Verifone (Cisco ASA) and Gilbarco (RV042) POS

Zone Router Challenges • Lack of basic networking knowledge

• Loss of visibility and control

• Chain of Custody (Confidentiality, Integrity, Authenticity)

• POS Support Desk burden

• Increased cost of hardware and support

What was the first step in Transformation?• The Enhanced Zone Router (EZR)

• Replaced ASA at all new Verifone Commander deployments



Why the movement to MNSP from EZR?

EZR Exposed New interests from• Brands Retail IT Marketing departments

• Merchants desire for high speed remote access; their own network needs

• PCI security concerns

• Other MNSP wanted to offer Zone Router/Firewall Services

• POS Service Technician community

MNSP as the next logical step• ASA, EZR, and RV042 required a lot to keep up with PCI, Software, and Networking

• POS Vendors are the POS experts

• Provided clear distinction of POS responsibility vs network/compliance

• Streamlined support, MNSP are the network and security experts

• MNSP can deliver changes to the market much faster (leverage them!)

• Enhanced support for outdoor EMV deployments

• Reduction in hardware costs and device footprint



More Than MNSP

Simon Gamble



Managed

Network

Service

Provider

MNSP Solution Offers More Than MNSP

POS Segmentation Firewall Ruleset POS Vendor VPN




Basic Full-Featured



Digital

Transformation

Brian DuCharme



Managed

Network

Service

Provider

How MNSP Prepares Retailers for the Digital Transformation

Digital Transformation Trend 1: Technology is disrupting retail at every level

Digital Experiences

• Consumer Expectations

• Omnichannel

Always Connected

• Business Systems

• Customer UX

• Need for Data Insights

Applications for Everything

• Business Systems

• Customer Apps



Digital Transformation: Trend 2: Omnichannel experiences are more technically complex, requiring data communications to bridge in-person with digital Card-On-File/Cloud

Lots of Vendors

More to Monitor

Complicating Response &

Recovery

Training Challenges

Location vs. Corporate

Alternative Payments Connected Car Loyalty earn & burn Pay with points

Use of IoT Fraud prevention Consumer Engagement



Digital TransformationTrend 3: Consumer adoption of digital confirmed during TNS Global Survey

35

Generational Shift for Loyalty Programs Consumers receptive to pay for instore purchases in advance at the Dispenser



Digital

Transformation

Brett Stewart



Managed

Network

Service

Provider

How MNSP Prepares Retailers for the Digital Transformation

MNSP – Secure Entire Estate

37

A good MNSP can secure remote support, and• Legacy Payments, and emerging standards• Mobile Payments• Loyalty• Dispensers• Media• Menu Boards• Cooler/Freezer• Doors / Counters• Video surveillance• Environmental Controls• Energy Management

And Securely Egress…• Scan Analytics• Wetstock Telematics• Environmental Compliance• Food Safety Compliance



MNSP – Bridge to Future

38

A properly segmented and managed store network is• Is easier to secure• Is economical to maintain• Can flexibly support new initiatives• Can free IT staff for core projects



Security

Matt Nelson



Managed

Network

Service

Provider

Security is a key factor. . .

Visibility Control Response



Visibility

• Realtime network visibility (office vs wire)

• Network Dash Boards

• Alert Systems




Control

• Blocking viruses and spam

• Managed Firewalls

• Detecting intrusion attempts

• Setting up and securing a virtual

private network (VPN)

• Implementing system changes

or upgrades

Visibility




Visibility

https://www.infradata.com/services-solutions/managed-services/managed-firewall/

Response

• Structurally detect and reduce vulnerabilities in critical

systems

• Proactively predict threats, especially and specifically for

targeted cyberattacks

• Automatically detect important offensive tactics and

methods in critical systems

• Respond effectively and quickly

• Reduce the likelihood of an attack succeeding and

becoming an ‘event’ (potential data breach) that takes a

lot of time to control




Visibility Control Response




Security Outside

of MNSPAlex Barclay



Managed

Network

Service

Provider

Enterprise Security starts with MNSP

MNSP is PART of an Enterprise Security Program

• Strategic assessment of risks

• Provides security understanding to drive changes to technology,

vendors, processes, and operations

• PCI Compliance

MNSP addresses some C-store threats

• Designed to preserve confidentiality and integrity of POS Vendor traffic

• Helps implement common technical controls like firewalls and network

isolation and segmentation



Enterprise Security is more than MNSP

MNSP does NOT address

• Enterprise wide connectivity and isolations

• Data and entire network architecture

• Threats not targeted at POS data

• Risks outside the narrow MNSP scope

As an MNSP provider

• The MNSP follows requirements, set by the POS vendors, and have an

Enterprise Security Program

Enterprise Security Programs

• Assesses risks using frameworks like CIS Controls, NIST Cyber Security

Framework, ISO 27000 series and PCI Compliance



Enterprise Security

Frameworks • Collections of security controls

• Vary from tactical to strategic

• They are essential

– Common language and mappings

– Makes audits easier and cheaper

– Augments teams that don’t have deep security expertise

• CIS Controls – Tactical and actionable

• NIST Cybersecurity Framework – Strategic and vision

• ISO 27000 series – Detailed and international

• PCI Compliance – Required for merchants



Enterprise Security can be complex



Enterprise Security Services Augment MNSP

Low Hanging Fruit – Cost Effective + High Impact

• Vulnerability Scanning

• Penetration Testing

• Security Program Assessment and Design

• Identity and access

High Value – Enhanced Visibility + Control

• Security Log Collection, Analysis, and Escalations (SIEM)

• Cloud Security



Compliance

Mark Carl



Managed

Network

Service

Provider

Where is MNSP going?

MNSP for POS is going to continue to evolve

• Addresses Outdoor EMV needs

• Allowing rules to support Dispensers

• Accepting ability for self service management or 3rd Party support (VASC)

MNSP is about the service provider taking on more network functions

• Reducing hardware footprint in store is paramount

• 3rd party services providers (loyalty, mobile payments, Data Analytics, Back office) all

have remote access needs and want to avoid hardware as part of their service

• Look for more “MNSP” services to help with digital transformation

• MNSPs will help expose more areas for improvement for network and security



PCI DSS Compliance Requirements

• 12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

• 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.



Best Practices

Choose an MNSP or other service provider that is

Level 1 compliant

• Reduces merchant responsibility for collecting

evidence and ensuring that compliance is met

• Reduces merchant scope

• Level 1 compliant MNSPs prove compliance by

sharing their Attestation of Compliance (AOC)



Other Benefits• POS Vendors have extensive requirements for

connectivity for support on their devices

• A certified MNSP for these vendors has already been through the burden of being tested against those criteria and understands what is required explicitly

– Eliminates confusion and work for the merchant, as the connections just work

– If there are issues, the merchant has a trusted company they can contact in order to get it resolved, who understands the technology and its requirements and has experience with common issues. This reduces potential down time



Site Preparedness

Ashwin Swamy



Managed

Network

Service

Provider

Making it easy on ourselves



MNSP implementation can be straightforward and fast – if you are prepared.

Troubleshooting costs

Downtime costs

Security gaps

Compatibility issues

Performance issues

Avoid these scenarios With site preparation

Physical Prep: identify obstacles

Network Prep: plan your network ahead

of time

Installation Prep: prepare for installation

day

Preparing your site for MNSP installation



Physical Prep Network Prep Installation Prep

Physical site surveys can

help identify security gaps,

obstacles to smooth

implementation, and

opportunities for improved

network resilience.

Collecting network

information ahead of time will

help ensure that upgraded

MNSP routers are configured

properly for your site to

handle current and future

network requirements.

Coordination and alignment

between relevant onsite

personnel and IT vendors is

critical to facilitating a

smooth installation process.

CDE = Cardholder Data Environment

Physical Readiness Checklist



Physical site surveys can help identify security gaps, obstacles to smooth

implementation, and opportunities for improved network resilience.

Assess site connectivity✓

Review placement of equipment✓

Review arrangement of all cabling✓

• Does the site have an existing cellular backup?

• What is the strength of cell signals for different carriers?

• Is the site planning any ISP upgrades? SD-WAN policies?

• Where are devices situated at each site?

• Sufficient airflow to prevent overheating or dust build up?

• Is equipment stacked, placed side-by-side, wall-mounted, etc.?

• Are devices easily identifiable?

• Are cables for each device identifiable? Are they labeled?

• How are cables arranged?

• Are any cables hanging loose or tangled?

Physical Readiness Checklist



Assess electrical/power

infrastructure✓

Review physical security controls

(PCI DSS Requirement 9)

Take photos!✓

Physical site surveys can help identify security gaps, obstacles to smooth

implementation, and opportunities for improved network resilience.

• Are there sufficient power outlets available at the site?

• Do power strips have adequate surge protection?

• Do any devices use or require a battery backup?

• “Any physical access to data or systems that house

cardholder data provides the opportunity for individuals

to access devices or data and to remove systems or

hardcopies, and should be appropriately restricted.”

Network Readiness Checklist



Create a device list✓

Determine segmentation

requirements✓

Create network diagrams for

each site configuration✓

Collecting network information ahead of time will help ensure that

upgraded MNSP routers are configured properly for your site to handle

current and future network requirements.

• Device lists for each site are accessible via your

current router or network service provider.

• Make sure each device is identifiable and that the

function is known. Consider devices to be added in

the future.

• Which devices should NOT be in the card data

environment? What additional segments will you need to

have defined?

• Network diagrams help technicians logically map

the network.

• Best practices: label segments, make sure

connections are easily identifiable, include a legend,

show current and planned devices.

Network Readiness Checklist



Collecting network information ahead of time will help ensure that

upgraded MNSP routers are configured properly for your site to

handle current and future network requirements.

Identify special firewall rules and

communication requirements✓

Determine managed/dumb

switch needs ✓

• Identify special firewall rules and communication

requirements (e.g. DVR, car wash systems)

• Firewall rules can typically be found through your

current provider or the device manufacturer.

• Make note of all VPN connections

• Make note of additional switches that may need to

be added.

• Keep Outdoor EMV network requirements in mind.

Installation Readiness Checklist



Coordination and alignment between relevant onsite personnel and IT

vendors is critical to facilitating a smooth installation process.

Collect Site Information✓

Communicate with Site Managers✓

Keep your IT partners informed✓

• Consolidated site information (e.g. site names,

addresses, key contacts, hours of operation) helps to

fast track deployment.

• Make sure store managers are kept fully apprised of

installation plans and are prepared for any disruptions

to regular business.

• During MNSP and outdoor EMV installations, make

sure key IT partners (POS, AHD, MNSP, ASC, etc.) are

aligned before, during, and after implementation.

MNSP Preparedness: Expedite Your Transition to

Outdoor EMV



Physical Prep Network Prep Installation Prep

Physical site surveys can

help identify security gaps,

obstacles to smooth

implementation, and

opportunities for improved

network resilience.

Collecting network

information ahead of time will

help ensure that upgraded

MNSP routers are configured

properly for your site to

handle current and future

network requirements.

Coordination and alignment

between relevant onsite

personnel and IT vendors is

critical to facilitating a

smooth installation process.

CDE = Cardholder Data Environment

1. Tim Tang, Hughes Network

2. Dean Marier, Cybera

3. Simon Gamble, Mako Networks

4. Brian DuCharme, TNS

5. Brett Stewart, Acumera

6. Matt Nelson, AvaLAN

7. Alex Barclay, SageNet

8. Mark Carl, ControlScan

9. Ashwin Swamy, Omega

65 Conexxus: Managed Network Service Providers: What You Need To Know

Speakers

66

MNSP ResourcesVerifone MNSP website: Gilbarco MNSP website:

https://www.vfne.co/MNSP https://www.gilbarco.com/us/emv-migration-guide



MNSP Provider Website

Acumera https://info.acumera.net/acumera-mnsp-services

AvaLAN https://www.avalannetworks.com/managednetworkservices

ControlScan www.controlscan.com

Cybera www.cybera.com

Hughes https://Business.hughes.com/industries/retail-petroleum

Mako Networks www.makonetworks.com

Omega ATC http://www.omegaatc.com/MNSP

SageNet www.sagenet.com/industry/c-store/

TNS https://tnsi.com/emv-upgrade/

https://www.vfne.co/MNSP

https://www.gilbarco.com/us/emv-migration-guide

https://info.acumera.net/acumera-mnsp-services

https://www.avalannetworks.com/managednetworkservices

http://www.controlscan.com/

http://www.cybera.com/

https://business.hughes.com/industries/retail-petroleum

http://www.makonetworks.com/

http://www.omegaatc.com/MNSP

http://www.sagenet.com/industry/c-store/

https://tnsi.com/emv-upgrade/

67

Other Resources



Conexxus Webinars – can you afford not to upgrade?:https://www.conexxus.org/webinars/emv-can-you-afford-not-upgrade-nacs-2019-show

Payment Card Industry Data Security Standards (PCI DSS):www.pcisecuritystandards.org

CIS Controls: https://www.cisecurity.org/controls/

NIST: www.nist.gov

ISO 27001: https://www.iso.org/isoiec-27001-information-security.html

https://www.conexxus.org/webinars/emv-can-you-afford-not-upgrade-nacs-2019-show

http://www.pcisecuritystandards.org/

https://www.cisecurity.org/controls/

http://www.nist.gov/

https://www.iso.org/isoiec-27001-information-security.html

• Website: www.conexxus.org

• Email: [email protected]

• LinkedIn Profile: Conexxus.org

• Follow us on Twitter: @Conexxusonline



Conexxus Resources

69

DISCLAIMER: Conexxus does not endorse any products or services that may be described or mentioned in this presentation. The views and opinions expressed in this presentation are solely those of the speakers and not of Conexxus. By hosting this webinar, Conexxus is not providing any legal advice; if you have any questions about legal issues raised or discussed, you should seek the assistance of attorneys who are competent in that area.



managed network service provider...• pos vendor secure, remote access - for pos fixes &...

Documents