© 2008 Cisco Systems, Inc. All rights reserved. 1
Marco Misitano, CISSP, CISA, CISM
Business Development Manager – Security, Cisco Italy
Enforcing PCI Data Security Standard Compliance
The PCI Data Security Standard
Published January 2005; version 1.1 released Sept 7, 2006
Impacts ALL who process, transmit or store cardholder data
VISA Europe Account Information Security Programme (http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp)
Payment Card Industry Data Security Standard, January 2005
VISA PCI Categories of European Merchants
Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

Level 1 Merchants
– Criteria: processed > 6,000,000 Visa transactions per year; compromised in the last year; identified as Level 1 by another card brand
– Requirement: annual onsite PCI Data Security Assessment; quarterly network scan

Level 2 Merchants
– Criteria: 1 million – 6 million transactions per year
– Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
– Criteria: 20,000 – 1 million e-commerce transactions per year
– Requirement: quarterly network scan; annual self-assessment

Level 4 Merchants
– Criteria: < 20,000 VISA e-commerce transactions per year
– Requirement: quarterly network scan recommended; annual self-assessment
VISA PCI Categories of European Service Providers
Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

Level 1 Service Provider
– Criteria: all VisaNet processors, payment gateways, and Internet Payment Service Providers, regardless of transaction volumes
– Requirement: annual onsite security audit; quarterly network scan

Level 2 Service Provider
– Criteria: any SP that is not in Level 1 and stores, processes or transmits > 1 million VISA accounts/transactions annually
– Requirement: annual onsite security audit; quarterly network scan

Level 3 Service Provider
– Criteria: any SP that is not in Level 1 and stores, processes or transmits < 1 million accounts/transactions annually
– Requirement: quarterly network scan; annual self-assessment
PCI Industry Updates
US Level 1 Merchants deadline was 30 Sept 2007; 65% are compliant (source: VISA US, October 2007)
European Merchant deadline – 2008 (source: VISA and American Express, October–November 2007)
Impact of non-compliance for US Level 1 merchants: US$25,000 per month fine, or an increase in credit card transaction fees
The PCI Data Security Standard

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Applying the Self-Defending Network to PCI
Cisco PCI Validated Architectures
Cisco Validated Design includes:
– Recommended architectures for networks, payment data at rest and data in transit
– Testing in a simulated retail enterprise which includes POS terminals, application servers, wireless devices, Internet connection and security systems
– Configuration, monitoring, and authentication management systems
– Architectural design guidance and audit review provided by PCI audit and remediation partners
[Partner logos: PCI Audit Partner; Retail Solution Partners]
Validated Design: Small Retail Store
[Figure: Network Environment Blueprint. A remote location (store) is connected over the WAN to the main office, data center, Internet edge and network management center. Components labelled: ISR, Catalyst switch, 6500 switch, ASA, FWSM, IDSM, CS-MARS, NAC, CSA, 7300, NCM/CAS, CSM, ACS, IronPort, AXG, WAP, wireless device, POS cash register, mobile POS, POS server, store worker PC, e-commerce, credit card storage.]
PCI Requirement 1
Install and maintain a firewall configuration to protect data
– Configuration standards, documentation
– Segment cardholder data from all other data
– Firewall on public connections (inbound and outbound)
– Wireless
– Personal firewall
[Figure: Requirement 1: Install and maintain a firewall configuration to protect data. Same network blueprint as before, with the POS VLAN, Data VLAN and Card VLAN segments marked; firewall elements labelled: ASA, 6500/7600 FWSM, ISR, 7200/7300.]
PCI Requirement 2
Do not use vendor-supplied defaults for system passwords and other security parameters
– Change vendor-supplied defaults
– Wireless: change wireless vendor defaults, disable SSID broadcasts, use WPA/WPA2
– Configuration standards for all system components
– Implement one primary function per server
– Disable all unnecessary and insecure services and protocols
[Figure: Requirement 2: Do not use vendor-supplied defaults for system settings. Same network blueprint as before.]
PCI Requirement 2.1 for Wireless
– Verify that the Cisco Controller is, by default, configured for administrative restriction and AAA authentication for administrative users
– Verify that no default SSID is enabled on the WLC
– Disable/remove the default SNMP community strings "public" and "private"
– Create new community strings
– Verify that the default community strings are no longer accessible
– Configure the administrative user either via the initial controller setup script or via the CLI
– Configure the wireless system for WPA authentication
– Disable SSID broadcast
PCI Requirement 2.3 for Wireless
Verify that the controller is enabled only for secure management protocols:
– HTTPS (SSL) only
– Telnet disabled
– SNMPv1 disabled
– SSH permitted
Verify that administrative access is denied to users accessing over unpermitted interfaces/addresses, and verify that only encrypted protocols are permitted
PCI Requirement 3
Protect Stored Data
– Keep cardholder data storage to a minimum
– Do not store the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 and magnetic stripe data), the card-validation code or value, or the PIN
– Mask the PAN when displayed, and render it unreadable when stored (hashed indexes, truncation, index tokens and pads, strong cryptography, disk encryption)
– Document and implement key management processes
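Added example (my own Python, not from the deck or from Cisco) of the Requirement 3 controls as code: masking a PAN for display, truncating it for storage, building a keyed-hash index in place of the number, and scanning stored records for the track data and clear-text PANs that must not be there. The PAN is the well-known Visa test number and the index key is a constructed placeholder.

```python
import hashlib
import hmac
import re

# Constructed demo values: a well-known Visa test number (not a live account) and a
# throwaway key. In production the index key lives in a key-management system and is
# rotated under the documented key-management process Requirement 3 calls for.
SAMPLE_PAN = "4111111111111111"
INDEX_KEY = b"constructed-demo-key-do-not-use"


def luhn_valid(digits: str) -> bool:
    """Luhn check: tells PAN-shaped numbers from other digit runs when scanning data."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits stay readable."""
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Stored form when the full number is not needed: keep only the last four digits."""
    return pan[-4:]


def pan_index(pan: str) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup index. A plain hash would let anyone
    holding the table enumerate the PAN space; the secret key is what prevents that."""
    return hmac.new(INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()


# Track-2 style record: PAN, '=' separator, YYMM expiry + service code, discretionary data.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{7}[^?]*\??")
DIGIT_RUN_RE = re.compile(r"\b\d{13,19}\b")


def find_prohibited_data(text: str) -> dict:
    """Scan a stored record or log line for full track data and for clear-text PANs."""
    return {
        "track2": bool(TRACK2_RE.search(text)),
        "pans": [m for m in DIGIT_RUN_RE.findall(text) if luhn_valid(m)],
    }


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN), truncate_pan(SAMPLE_PAN), pan_index(SAMPLE_PAN)[:16])
    # Constructed POS log line that wrongly carries a full track-2 record.
    print(find_prohibited_data("POS batch 17: ;4111111111111111=25121010000000001?"))
```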
[Figure: Requirement 3: Protect Stored Data. Same network blueprint as before.]
Protect Stored Data – From What?
Cisco Security Agent (CSA) protects against:
– Copying cardholder information to removable media (USB sticks, CD-ROMs, etc.)
– Copying cardholder information to different file formats
– Printing cardholder information
– Saving information to a local machine
Plus typical worm/virus protection (think e-commerce)
PCI Requirement 4
Encrypt transmission of cardholder data across open, public networks
– Use SSL/TLS or IPSec; WPA for wireless
– If using WEP:
  • Use a minimum 104-bit encryption key and 24-bit initialization value
  • Use ONLY in conjunction with WPA/WPA2, VPN or SSL/TLS
  • Rotate shared WEP keys quarterly (or automatically)
  • Restrict access based on MAC address
– Never send unencrypted PANs by e-mail
[Figure: Requirement 4: Encrypt transmission of cardholder data across public networks. Same network blueprint as before.]
PCI Requirement 5
Use and regularly update anti-virus software or programs
– Deploy anti-virus software on all systems commonly affected by viruses
– AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware
– Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs
[Figure: Requirement 5: Use and regularly update anti-virus software. Same network blueprint as before.]
PCI Requirement 6
Develop and maintain secure systems and applications
– Systems and software have the latest vendor-supplied security patches installed; install relevant security patches within one month of release
– Establish a process to identify new security vulnerabilities (subscribe to alert services, etc.)
– Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle
– Develop web applications based on secure coding guidelines such as those of the Open Web Application Security Project
– Protect web-facing applications against known attacks by installing an application-layer firewall in front of them, or by having the application code reviewed by a specialized application security organization
[Figure: Requirement 6: Develop and maintain secure systems and applications. Same network blueprint as before.]
PCI Requirement 7
Restrict access to cardholder data by business need-to-know
– Limit access to computing resources and cardholder information only to those individuals whose job requires such access
– Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed
[Figure: Requirement 7: Restrict access to data by business need-to-know. Same network blueprint as before.]
PCI Requirement 8
Assign a unique ID to each person with computer access
– Identify all users with a unique user name before allowing access to system components or cardholder data
– In addition, employ one method of authentication (password, token devices [SecurID, certificates or public key], biometrics)
– Implement 2-factor authentication
– Encrypt all passwords during transmission and storage
[Figure: Requirement 8: Assign a unique ID to each person with computer access. Same network blueprint as before.]
PCI Requirement 9
Restrict physical access to cardholder data
– Facility entry controls; monitor physical access to systems that store, process or transmit cardholder data
  • Cameras to monitor sensitive areas
  • Restrict physical access to network jacks, wireless access points, gateways, and handheld devices
– Distinguish between employees and visitors
– Visitor log-in, physical token, and authorization before entering the area
– Physically secure cardholder data media
– Destroy media when it is no longer needed
PCI Requirement 10
Track and monitor all access to network resources and cardholder data
– Implement automated audit trails
– Record audit trail entries
– Secure audit trails so they cannot be altered
– Review logs for all system components at least daily
– Destroy media when it is no longer needed
– Retain audit trail history for at least one year, with a minimum of three months online availability
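Added example (my own Python, not the deck's or Cisco's) of what "secure audit trails so they cannot be altered" and the retention rule look like in code: a hash-chained, MAC-protected trail in which any edit, reorder or deletion of a past entry is detected, plus a bucketing of entries against the one-year retention and three-months-online minimums. The key, events and clock are constructed demo values.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
# Constructed demo key. Keep the real one on the log collector (the CS-MARS role in the
# deck), not on the emitting hosts, so a compromised host cannot re-sign a rewritten history.
LOG_KEY = b"constructed-demo-log-key"
GENESIS = "0" * 64
SAMPLE_NOW = datetime(2008, 6, 15, tzinfo=timezone.utc)  # constructed clock for the demo

def _mac(prev: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True)
    return hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()

def append_entry(trail: list, event: dict) -> dict:
    """Each MAC covers the event plus the previous MAC, so editing, reordering or
    deleting an earlier entry invalidates every entry after it."""
    prev = trail[-1]["mac"] if trail else GENESIS
    entry = {"event": event, "prev": prev, "mac": _mac(prev, event)}
    trail.append(entry)
    return entry

def verify_trail(trail: list) -> int:
    """Index of the first entry that fails verification, or -1 if intact. Caveat: dropping
    the newest entries is not caught by the chain alone; anchor the latest MAC on the collector."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _mac(prev, entry["event"])):
            return i
        prev = entry["mac"]
    return -1

def retention_status(trail: list, now: datetime, online_days=90, keep_days=365) -> dict:
    """Bucket entries by age against the one-year retention / three-months-online minimums."""
    counts = {"online": 0, "archive": 0, "past_retention": 0}
    for entry in trail:
        age = now - datetime.fromisoformat(entry["event"]["ts"])
        bucket = ("online" if age <= timedelta(days=online_days)
                  else "archive" if age <= timedelta(days=keep_days) else "past_retention")
        counts[bucket] += 1
    return counts

def build_sample_trail() -> list:
    """Constructed access events against a cardholder-data store."""
    trail = []
    for ts, user, action in [("2007-05-01T09:00:00+00:00", "alice", "read"),
                             ("2008-01-10T12:00:00+00:00", "bob", "export"),
                             ("2008-06-14T08:30:00+00:00", "alice", "read")]:
        append_entry(trail, {"ts": ts, "user": user, "action": action, "object": "card_db"})
    return trail

def tamper(trail: list, index: int, field: str, value) -> list:
    """Copy of the trail with one event field rewritten after the fact."""
    altered = copy.deepcopy(trail)
    altered[index]["event"][field] = value
    return altered
```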
[Figure: Requirement 10: Track and monitor all access to network and cardholder data. Same network blueprint as before.]
[Screenshot: the event is also logged in CS-MARS (for your reference)]
CS-MARS Events for PCI/CobiT Compliance Tracking (for your reference)
PCI: 1. Firewall
CobiT: DS 5.20 FW Architectures
MARS Reports:
– Network Usage - Top Destination Ports
– Network Usage Inbound - Top Ports
– Network Usage Inbound - Top Destinations
– Network Usage Outbound - Top Ports
– Network Usage Outbound - Top Destinations
– Denies Inbound - Top Destination Ports
– Denies Inbound - Top Destinations
– Denies Inbound - Top Sources
– Denies Outbound - Top Destination Ports
– Denies Outbound - Top Destinations
– Denies Outbound - Top Sources
– Attacks Prevented - Top Reporting Devices
– Concurrent Connections - Top Devices
PCI Requirement 11
Regularly test security systems and processes
– Use a wireless analyzer at least quarterly to identify all wireless devices in use
– Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
– Perform penetration testing at least once a year and after any significant upgrade or modification
– Use NIDS/IPS and HIDS/HIPS
– Deploy file integrity monitoring software to perform critical file comparisons at least weekly
[Figure: Requirement 11: Regularly test security systems and processes. Same network blueprint as before.]
PCI Requirement 12
Maintain a policy that addresses information security for employees and contractors
– Establish, publish, maintain, and disseminate a security policy
– Develop usage policies for critical employee-facing technologies
– Implement a security awareness program
– Implement an incident response plan
– If cardholder data is shared with service providers, the SP must adhere to the PCI DSS requirements
[Figure: Requirement 12: Maintain a policy that addresses information security. Same network blueprint as before.]
[Figure: Cisco Solution for PCI. The network blueprint annotated with which components address Requirements 1 through 12. Components labelled: ISR, switch, ASA 5500, 6500/7600 FWSM, CS-MARS, NAC, Cisco Security Agent (CSA), 7300 router, WAP 1200, Cisco Security Management, ACS, NCM/CAS, IronPort, AXG, POS terminal, POS server, store worker PC, e-commerce, credit card storage.]
[Screenshot: NCM PCI Requirement 2 status]
[Screenshot: NCM Requirement 4 status (for your reference)]
[Screenshot: NCM Requirement 6 status (for your reference)]
[Screenshot: NCM Requirements 7 and 8 status (for your reference)]
[Screenshot: NCM Requirement 10 status (for your reference)]
[Screenshot: NCM Requirement 11 status]
[Screenshot: NCM Requirement 12 status (for your reference)]
Summary - Key Takeaways
– PCI is moving rapidly to global importance
– PCI compliance encompasses security best practices
– Work closely with your Approved Scan Vendor and Qualified Security Assessor to understand expectations
– Use Cisco's PCI Validated Architectures as a guide to ease design and implementation
More Information
Cisco Compliance information: http://www.cisco.com/go/compliance and http://www.cisco.com/go/retail
VISA Cardholder Information Security Program: http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp
MasterCard PCI Merchant Education: http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html
PCI Security Standards Council: https://www.pcisecuritystandards.org/