Enforcing PCI Data Security Standard Compliance

Marco Misitano, CISSP, CISA, CISM
Business Development Manager – Security, Cisco Italy

© 2008 Cisco Systems, Inc. All rights reserved.

Page 1 (title slide)

Page 2

The PCI Data Security Standard

Published January 2005; version 1.1 released Sept 7, 2006

Impacts ALL who process, transmit or store cardholder data

VISA Europe Account Information Security Programme (http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp)

[Cover image: Payment Card Industry Data Security Standard, January 2005]

Page 3

VISA PCI Categories of European Merchants

Level 1 Merchants
  Criteria: Processed > 6,000,000 Visa transactions per year, compromised in the last year, or identified as Level 1 by another card brand.
  Requirement: Annual onsite PCI Data Security Assessment; quarterly network scan

Level 2 Merchants
  Criteria: 1 million – 6 million transactions per year
  Requirement: Quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 – 1 million e-commerce transactions per year
  Requirement: Quarterly network scan; annual self-assessment

Level 4 Merchants
  Criteria: < 20,000 VISA e-commerce transactions per year
  Requirement: Quarterly network scan recommended; annual self-assessment

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

Page 4

VISA PCI Categories of European Service Providers

Level 1 Service Provider
  Criteria: All VisaNet processors, payment gateways, and Internet Payment Service Providers regardless of transaction volumes
  Requirement: Annual onsite security audit; quarterly network scan

Level 2 Service Provider
  Criteria: Any SP that is not in Level 1 and stores, processes or transmits > 1 million VISA accounts/transactions annually
  Requirement: Annual onsite security audit; quarterly network scan

Level 3 Service Provider
  Criteria: Any SP that is not in Level 1 and stores, processes or transmits < 1 million accounts/transactions annually
  Requirement: Quarterly network scan; annual self-assessment

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

Page 5

PCI Industry Updates

US Level 1 Merchants deadline is 30 Sept 2007; 65% are compliant (source: VISA US, October 2007)

European Merchant deadline – 2008 (source: VISA & American Express, October-November 2007)

Impact of non-compliance for US Level 1 merchants: US$25,000 per month fine or an increase in credit card transaction fees

Page 6

The PCI Data Security Standard

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Page 7

Applying Self-Defending Network to PCI

Page 8

Cisco PCI Validated Architectures

Cisco Validated Design includes:

– Recommended architectures for networks, payment data at rest and data in transit.

– Testing in a simulated retail enterprise which includes POS terminals, application servers, wireless devices, Internet connection and security systems.

– Configuration, monitoring, and authentication management systems.

– Architectural design guidance and audit review provided by PCI audit and remediation partners.

PCI Audit Partner: [logo]

Retail Solution Partners: [logos]

[Figure: Validated Design, Small Retail Store]

Page 9

[Figure: Network Environment Blue Print. Zones labelled: Remote Location, Internet Edge, Main Office, Network Management Center, Data Center, WAN. Components labelled: ISR, Catalyst switch, 6500 switch, 7300, ASA, FWSM/IDSM, CS-MARS, NAC, CSA, CSM/ACS, NCM/CAS, IronPort, AXG, WAP, wireless device, POS cash register, mobile POS, POS server, store worker PC, e-commerce, credit card storage.]

Page 10

PCI Requirement 1

Install and maintain a firewall configuration to protect data

– Configuration standards, documentation

– Segment cardholder data from all other data

– Firewall to public connections (inbound & outbound)

– Wireless

– Personal firewall

Page 11

[Figure: the network blueprint from Page 9, captioned "Requirement 1: Install and maintain a firewall configuration to protect data". This version also labels a POS VLAN, a Data VLAN and a Card VLAN, and shows 6500/7600 FWSM and 7200/7300 platforms.]

Page 12

PCI Requirement 2

Do not use vendor-supplied defaults for system passwords and other security parameters

– Change vendor-supplied defaults

– Wireless: change wireless vendor defaults, disable SSID broadcasts, use WPA/WPA2

– Configuration standards for all system components

– Implement one primary function per server

– Disable all unnecessary and insecure services and protocols

Page 13

[Figure: the network blueprint from Page 9, captioned "Requirement 2: Do not use vendor-supplied defaults for system settings".]

Page 14

PCI Requirement 2.1 for Wireless

Verify that the Cisco controller is, by default, configured with administrative restrictions and AAA authentication for administrative users

Verify that no default SSID is enabled on the WLC

Disable/remove the default SNMP community strings "public" and "private"

Create new community strings

Verify that the default community strings are no longer accessible

Configure the administrative user either via the initial controller setup script or via the CLI

Configure the wireless system for WPA authentication

Disable SSID broadcast

Page 15

PCI Requirement 2.3 for Wireless

Verify that the controller is enabled only for secure management protocols:

– HTTPS (SSL) only

– Telnet disabled

– SNMPv1 disabled

– SSH permitted

Verify that administrative access is denied to users accessing over unpermitted interfaces/addresses, and verify that only encrypted protocols are permitted
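The verification steps on the Requirement 2.1 and 2.3 slides can be automated against an exported configuration rather than checked by eye. The Python script below is an added example, not Cisco's code or a feature of the WLC or NCM; it scans constructed IOS-style configuration text (the WLC's own CLI syntax differs) for the management-plane settings the slides call out: vendor-default SNMP community strings, SNMPv1/v2c communities, cleartext HTTP management and Telnet on the VTY lines. Both config samples and the finding wording are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    requirement: str   # PCI DSS sub-requirement the line conflicts with
    line_no: int
    text: str
    reason: str

# Vendor-default community strings that Requirement 2.1 says must be removed.
DEFAULT_COMMUNITIES = {"public", "private"}

def audit_management_plane(config_text: str) -> List[Finding]:
    """Scan an IOS-style running config for management-plane settings that
    Requirements 2.1 and 2.3 call out. Returns one Finding per offending line
    (a default community string yields both a 2.1 and a 2.3 finding)."""
    findings: List[Finding] = []
    current_block = ""
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # IOS indents the body of a block ("line vty ...", "interface ...") by one space,
        # so an unindented line starts a new top-level block.
        if not raw.startswith(" "):
            current_block = line
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            community = m.group(1)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(Finding("2.1", n, line,
                                        f"vendor-default SNMP community '{community}'"))
            # "snmp-server community" always configures SNMPv1/v2c, which has no encryption.
            findings.append(Finding("2.3", n, line,
                                    "SNMPv1/v2c community: unencrypted management protocol"))
        elif line == "ip http server":
            findings.append(Finding("2.3", n, line,
                                    "cleartext HTTP management enabled; HTTPS only is required"))
        elif line.startswith("transport input") and current_block.startswith("line vty"):
            protocols = set(line.split()[2:])
            if protocols & {"telnet", "all"}:
                findings.append(Finding("2.3", n, line, "Telnet accepted on VTY lines"))
    return findings

# Constructed sample: a controller still carrying vendor defaults.
WEAK_CONFIG = """\
hostname wlc-edge
snmp-server community public RO
snmp-server community s3cret RW
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same device after remediation (SNMPv3, HTTPS, SSH only).
HARDENED_CONFIG = """\
hostname wlc-edge
snmp-server group PCI-ADMINS v3 priv
ip http secure-server
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_management_plane(cfg))} finding(s)")
        for f in audit_management_plane(cfg):
            print(f"  req {f.requirement} line {f.line_no}: {f.text} ({f.reason})")
```

The script flags lines, not absence of lines, so it will not notice that no SSH or AAA configuration exists at all; a complete check would also assert the presence of the settings the slides require.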

Page 16

PCI Requirement 3

Protect Stored Data

– Keep cardholder data storage to a minimum

– Do not store the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 and magnetic stripe data), the card-validation code or value, or the PIN

– Mask the PAN when displayed, and render it unreadable when stored (hashed indexes, truncation, index tokens and pads, strong cryptography, disk encryption)

– Document and implement key management processes
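The storage rules on this slide (no track data, card-validation code or PIN after authorisation; PAN masked on display and rendered unreadable at rest) can be enforced by a small sanitisation layer in front of the database. The Python below is an added example, not from the slides or from Cisco; it validates a PAN with the Luhn check, masks it to the first six and last four digits for display, truncates it for storage, derives a keyed index token with HMAC-SHA256, and drops the forbidden fields. A keyed hash is used deliberately: the PAN space is small enough that an unkeyed hash table can be brute-forced if it leaks. The record, the key, the field names and `sanitize_for_storage` are this example's own; 4111111111111111 is a well-known test PAN, not real card data.

```python
import hashlib
import hmac
from typing import Dict

# Fields that must never be stored after authorisation (field names are this
# example's own convention for the incoming record).
FORBIDDEN_FIELDS = {"track1", "track2", "magstripe", "cvv2", "cvc2", "cid", "pin", "pin_block"}

def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check used by the card brands; also rejects anything
    outside the 13..19 digit PAN length range."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest 'X'."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]

def truncate_pan(pan: str) -> str:
    """Storage form when only identification is needed: last four digits."""
    return pan[-4:]

def pan_index_token(pan: str, key: bytes) -> str:
    """Keyed one-way index (HMAC-SHA256) so records can be looked up by PAN
    without storing it. The key belongs in a key-management system separate
    from the database, per the slide's key-management bullet."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def sanitize_for_storage(record: Dict[str, str], index_key: bytes) -> Dict[str, str]:
    """Return only the fields that may be written to the database."""
    pan = record["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check; refusing to store")
    clean = {k: v for k, v in record.items() if k not in FORBIDDEN_FIELDS and k != "pan"}
    clean["pan_last4"] = truncate_pan(pan)
    clean["pan_token"] = pan_index_token(pan, index_key)
    return clean

# Constructed sample authorisation record and key (not real data).
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111",   # well-known test PAN
    "expiry": "12/09",
    "cardholder": "A N OTHER",
    "track2": "4111111111111111=09121011000012345678",
    "cvv2": "123",
}
SAMPLE_KEY = b"constructed-demo-key-replace-with-hsm-managed-key"

if __name__ == "__main__":
    print("display:", mask_pan(SAMPLE_RECORD["pan"].replace(" ", "")))
    print("stored :", sanitize_for_storage(SAMPLE_RECORD, SAMPLE_KEY))
```

Where the full PAN genuinely has to be recoverable (for example for recurring billing), the token approach is replaced by strong encryption with the key held outside the database; that path is not shown here because the Python standard library has no AES implementation.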

Page 17

[Figure: the network blueprint from Page 9, captioned "Requirement 3: Protect Stored Data".]

Page 18

Protect Stored Data – From What?

Cisco Security Agent (CSA) protects against:

– Copying cardholder information to removable media (USB sticks, CD-ROMs, etc.)

– Copying cardholder information to different file formats

– Printing cardholder information

– Saving information to a local machine

Plus typical worm/virus protection (think e-commerce)

Page 19

PCI Requirement 4

Encrypt transmission of cardholder data across open, public networks

– Use SSL/TLS or IPsec; WPA for wireless

– If using WEP:

  • Use with a minimum 104-bit encryption key and 24-bit initialization value

  • Use ONLY in conjunction with WPA/WPA2, VPN or SSL/TLS

  • Rotate shared WEP keys quarterly (or automatically)

  • Restrict access based on MAC address

– Never send unencrypted PANs by e-mail

Page 20

[Figure: the network blueprint from Page 9, captioned "Requirement 4: Encrypt transmission of cardholder data across public networks".]

Page 21

PCI Requirement 5

Use and regularly update anti-virus software or programs

– Deploy anti-virus software on all systems commonly affected by viruses

– AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware

– Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs

Page 22

[Figure: the network blueprint from Page 9, captioned "Requirement 5: Use and regularly update anti-virus software".]

Page 23

PCI Requirement 6

Develop and maintain secure systems and applications

– Systems and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release

– Establish a process to identify new security vulnerabilities (subscribe to alert services, etc.)

– Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle

– Develop web applications based on secure coding guidelines such as those of the Open Web Application Security Project

– Protect web-facing applications against known attacks by installing an application-layer firewall in front of them, or by having the application code reviewed by a specialized application security organization

Page 24

[Figure: the network blueprint from Page 9, captioned "Requirement 6: Develop and maintain secure systems and applications".]

Page 25

PCI Requirement 7

Restrict access to cardholder data by business need-to-know

– Limit access to computing resources and cardholder information only to those individuals whose job requires such access

– Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed

Page 26

[Figure: the network blueprint from Page 9, captioned "Requirement 7: Restrict access to data by business need-to-know".]

Page 27

PCI Requirement 8

Assign a unique ID to each person with computer access

– Identify all users with a unique user name before allowing access to system components or cardholder data

– In addition, employ one method of authentication (password, token devices [SecurID, certificates or public key], biometrics)

– Implement two-factor authentication

– Encrypt all passwords during transmission and storage

Page 28

[Figure: the network blueprint from Page 9, captioned "Requirement 8: Assign a unique ID to each person with computer access".]

Page 29

PCI Requirement 9

Restrict physical access to cardholder data

– Facility entry controls; monitor physical access to systems that store, process or transmit cardholder data

  • Cameras to monitor sensitive areas

  • Restrict physical access to network jacks, wireless access points, gateways, and handheld devices

– Distinguish between employees and visitors

– Visitor log-in, physical token, authorization before entering the area

– Physically secure cardholder data media

– Destroy media when it is no longer needed

Page 30

PCI Requirement 10

Track and monitor all access to network resources and cardholder data

– Implement automated audit trails

– Record audit trail entries

– Secure audit trails so they cannot be altered

– Review logs for all system components at least daily

– Destroy media when it is no longer needed

– Retain audit trail history for at least one year, with a minimum of three months online availability
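"Secure audit trails so they cannot be altered" is usually met by forwarding logs to a separate collector such as the CS-MARS shown in the deck; a complementary control on the log source itself is a hash chain, in which every entry commits to the previous one so that editing, deleting or reordering a record breaks verification. The Python below is an added example, not from the slides or from any Cisco product; the events, timestamps and the "current time" are constructed, and the retention helper applies the slide's figures (one year retained, three months online).

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GENESIS = "0" * 64   # chain anchor before the first entry

@dataclass
class AuditEntry:
    seq: int
    ts: str            # ISO-8601 timestamp, UTC assumed
    event: dict        # who, what, where and outcome of the access
    prev_digest: str
    digest: str = ""

def _digest(entry: AuditEntry) -> str:
    """SHA-256 over the canonical JSON of everything except the digest itself."""
    body = {"seq": entry.seq, "ts": entry.ts, "event": entry.event, "prev_digest": entry.prev_digest}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, event: dict, ts: datetime) -> AuditEntry:
        prev = self.entries[-1].digest if self.entries else GENESIS
        entry = AuditEntry(seq=len(self.entries), ts=ts.isoformat(), event=event, prev_digest=prev)
        entry.digest = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_digest != prev or _digest(e) != e.digest:
                return False, i
            prev = e.digest
        return True, None

    def head(self) -> str:
        """Latest digest. Export it to a separate system (the log collector, a
        daily e-mail to the auditor) so that rewriting the whole local chain
        is still detectable."""
        return self.entries[-1].digest if self.entries else GENESIS

def retention_buckets(trail: AuditTrail, now: datetime, online_days: int = 90,
                      retain_days: int = 365) -> Tuple[list, list, list]:
    """Split entries into online, archived-but-retained, and purgeable,
    using the slide's three-months-online / one-year-retained figures."""
    online, archive, purge = [], [], []
    for e in trail.entries:
        age = now - datetime.fromisoformat(e.ts)
        if age <= timedelta(days=online_days):
            online.append(e)
        elif age <= timedelta(days=retain_days):
            archive.append(e)
        else:
            purge.append(e)
    return online, archive, purge

NOW = datetime(2008, 6, 1, 12, 0, 0)   # constructed "current time" for the demo

def build_demo_trail() -> AuditTrail:
    """Four constructed access events spread over the retention window."""
    trail = AuditTrail()
    events = [
        (NOW - timedelta(days=400), {"user": "posadmin", "action": "login", "src": "10.1.1.5", "result": "success"}),
        (NOW - timedelta(days=200), {"user": "posadmin", "action": "read", "object": "card_table", "result": "success"}),
        (NOW - timedelta(days=30), {"user": "svc-backup", "action": "login", "src": "10.1.1.9", "result": "failure"}),
        (NOW - timedelta(days=1), {"user": "auditor", "action": "export", "object": "audit_trail", "result": "success"}),
    ]
    for ts, ev in events:
        trail.append(ev, ts)
    return trail

if __name__ == "__main__":
    trail = build_demo_trail()
    print("chain ok:", trail.verify(), "head:", trail.head()[:16])
    trail.entries[1].event["user"] = "someone-else"      # simulate a tampered record
    print("after tamper:", trail.verify())
    online, archive, purge = retention_buckets(build_demo_trail(), NOW)
    print("online/archive/purge:", len(online), len(archive), len(purge))
```

A hash chain alone only proves that the log has not changed since the head was last exported; the export step in `head()` is what turns it into evidence an auditor can rely on.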

Page 31

[Figure: the network blueprint from Page 9, captioned "Requirement 10: Track and monitor all access to network and cardholder data".]

Page 32

[Screenshot: "Event is also logged in CS-MARS". For your reference.]

Page 33

CS-MARS Events for PCI/CobiT Compliance Tracking (for your reference)

PCI: 1. Firewall
CobiT: DS 5.20 FW Architectures
MARS Reports:
  Network Usage - Top Destination Ports
  Network Usage Inbound - Top Ports
  Network Usage Inbound - Top Destinations
  Network Usage Outbound - Top Ports
  Network Usage Outbound - Top Destinations
  Denies Inbound - Top Destination Ports
  Denies Inbound - Top Destinations
  Denies Inbound - Top Sources
  Denies Outbound - Top Destination Ports
  Denies Outbound - Top Destinations
  Denies Outbound - Top Sources
  Attacks Prevented - Top Reporting Devices
  Concurrent Connections - Top Devices

Page 34

PCI Requirement 11

Regularly test security systems and processes

– Use a wireless analyzer at least quarterly to identify all wireless devices in use

– Run internal and external network vulnerability scans at least quarterly and after any significant change in the network

– Perform penetration testing at least once a year and after any significant upgrade or modification

– Use NIDS/IPS, HIDS/HIPS

– Deploy file integrity monitoring software to perform critical file comparisons at least weekly
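The last bullet, the weekly critical-file comparison, is the part of Requirement 11 that is simplest to build in-house when no commercial file integrity monitoring product is in place, and it is also the control that catches a changed POS binary or configuration between vulnerability scans. The Python below is an added example, not from the slides or from Cisco; it records a SHA-256 baseline for every file under a directory, compares a later snapshot against it, and reports added, removed and modified paths. `demo()` builds a temporary directory of constructed files and applies constructed changes so the example runs offline; in production the baseline would be written to a location the monitored hosts cannot modify.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, Set, Tuple

def file_sha256(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> Dict[str, str]:
    """Map of relative path (forward slashes) -> SHA-256 for every file under root."""
    result: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_sha256(full)
    return result

def save_baseline(snap: Dict[str, str], path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)

def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, removed, modified) relative paths."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in set(baseline) & set(current) if baseline[p] != current[p]}
    return added, removed, modified

def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Constructed monitored tree, a baseline, then three kinds of change."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/pos.conf", "gateway=payments.example\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "bin/pos", "#!/bin/sh\necho pos\n")
        baseline_path = os.path.join(store, "baseline.json")   # kept outside the monitored tree
        save_baseline(snapshot(root), baseline_path)

        _write(root, "etc/pos.conf", "gateway=payments-backup.example\n")   # modified
        os.remove(os.path.join(root, "etc", "hosts"))                        # removed
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")             # added

        return compare(load_baseline(baseline_path), snapshot(root))

if __name__ == "__main__":
    added, removed, modified = demo()
    print("added   :", sorted(added))
    print("removed :", sorted(removed))
    print("modified:", sorted(modified))
```

A weekly run that e-mails a non-empty result to the change-control queue is enough to satisfy the bullet; the review of whether each change was authorised is the part that still needs a person.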

Page 35

[Figure: the network blueprint from Page 9, captioned "Requirement 11: Regularly test security systems and processes".]

Page 36

PCI Requirement 12

Maintain a policy that addresses information security for employees and contractors

– Establish, publish, maintain, and disseminate a security policy

– Develop usage policies for critical employee-facing technologies

– Implement a security awareness program

– Implement an incident response plan

– If cardholder data is shared with service providers, the SP must adhere to the PCI DSS requirements

Page 37

[Figure: the network blueprint from Page 9, captioned "Requirement 12: Maintain a policy that addresses information security".]

Page 38

[Figure: "Cisco Solution for PCI". The network blueprint from Page 9 with the Cisco components annotated by the requirements they address (Requirement 1 through Requirement 12). Components labelled: ISR, switch, ASA 5500, 6500/7600 FWSM, 6500 switch, 7300 router, CS-MARS, NAC, Cisco Security Agent (CSA), Cisco Security Management, ACS, NCM/CAS, IronPort, AXG, WAP 1200, wireless device, POS terminal, POS server, store worker PC, e-commerce, credit card storage.]

Page 39

[Screenshot: NCM PCI Requirement 2 status]

Page 40

[Screenshot: NCM Requirement 4 status. For your reference.]

Page 41

[Screenshot: NCM Requirement 6 status. For your reference.]

Page 42

[Screenshot: NCM Requirement 7, 8 status. For your reference.]

Page 43

[Screenshot: NCM Requirement 10 status. For your reference.]

Page 44

[Screenshot: NCM Requirement 11 status]

Page 45

[Screenshot: NCM Requirement 12 status. For your reference.]

Page 46

Summary - Key Takeaways

PCI is moving rapidly to global importance

PCI compliance encompasses security best practices

Work closely with your Approved Scan Vendor and Qualified Security Assessor to understand expectations

Use Cisco's PCI Validated Architectures as a guide to ease design and implementation

Page 47

More Information

Cisco Compliance information
http://www.cisco.com/go/compliance
http://www.cisco.com/go/retail

VISA Cardholder Information Security Program
http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp

MasterCard PCI Merchant Education
http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html

PCI Security Standards Council
https://www.pcisecuritystandards.org/
