© 2008 Cisco Systems, Inc. All rights reserved. 1
Marco Misitano, CISSP, CISA, CISM
Business Development Manager – Security & Video Surveillance, Cisco Italy
Enforcing PCI Data Security Standard Compliance
The PCI Data Security Standard
- Published January 2005; version 1.1 released Sept 7, 2006
- Impacts ALL who process, transmit, or store cardholder data
- VISA Europe Account Information Security Programme (http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp)
[Figure: cover of the Payment Card Industry Data Security Standard, January 2005]
VISA PCI Categories of European Merchants
Level 1 Merchants
  Criteria: processed > 6,000,000 Visa transactions per year, compromised in the last year, identified as Level 1 by another card brand
  Requirement: annual onsite PCI Data Security Assessment; quarterly network scan
Level 2 Merchants
  Criteria: 1 million – 6 million transactions per year
  Requirement: quarterly network scan; annual self-assessment
Level 3 Merchants
  Criteria: 20,000 – 1 million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment
Level 4 Merchants
  Criteria: < 20,000 VISA e-commerce transactions per year
  Requirement: quarterly network scan recommended; annual self-assessment
Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp
VISA PCI Categories of European Service Providers
Level 1 Service Provider
  Criteria: all VisaNet processors, payment gateways, and Internet Payment Service Providers regardless of transaction volumes
  Requirement: annual onsite security audit; quarterly network scan
Level 2 Service Provider
  Criteria: any SP that is not in Level 1 and stores, processes or transmits > 1 million VISA accounts/transactions annually
  Requirement: annual onsite security audit; quarterly network scan
Level 3 Service Provider
  Criteria: any SP that is not in Level 1 and stores, processes or transmits < 1 million accounts/transactions annually
  Requirement: quarterly network scan; annual self-assessment
Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp
PCI Industry Updates
- US Level 1 Merchants deadline is 30 Sept 2007; 65% are compliant (source: VISA US, October 2007)
- European Merchant deadline – 2008 (source: VISA & American Express, October–November 2007)
- Impact of non-compliance: US Level 1 merchants face a US$25,000 per month fine or an increase in credit card transaction fees
The PCI Data Security Standard
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
Applying Self-Defending Network to PCI
Cisco PCI Validated Architectures
Cisco Validated Design includes:
- Recommended architectures for networks, payment data at rest and data in transit
- Testing in a simulated retail enterprise which includes POS terminals, application servers, wireless devices, Internet connection and security systems
- Configuration, monitoring, and authentication management systems
- Architectural design guidance and audit review provided by PCI audit and remediation partners
Validated Design: Small Retail Store
[Partner logos: PCI Audit Partner; Retail Solution Partners]
[Figure: Network Environment Blueprint. Zones connected over the WAN: remote location, Internet edge, main office, data center and network management center. Labelled components: ISR, Catalyst switch, 6500 switch, ASA, FWSM, IDSM, CS-MARS, NAC, CSA, WAP, 7300, NCM/CAS, CSM, ACS, IronPort, AXG, POS cash register, mobile POS, POS server, store worker PC, e-commerce, wireless device, credit card storage.]
PCI Requirement 1
- Install and maintain a firewall configuration to protect data
  – Configuration standards, documentation
  – Segment cardholder data from all other data
  – Firewall to public connections (inbound & outbound)
  – Wireless
  – Personal firewall
[Figure: Requirement 1: Install and maintain a firewall configuration to protect data, shown on the Network Environment Blueprint (ASA, 6500/7600 FWSM, 7200/7300, ISR, CSA); the store network is segmented into POS VLAN, Data VLAN and Card VLAN.]
PCI Requirement 2
- Do not use vendor-supplied defaults for system passwords and other security parameters
  – Change vendor-supplied defaults
  – Wireless: change wireless vendor defaults, disable SSID broadcasts, use WPA/WPA2
  – Configuration standards for all system components
  – Implement one primary function per server
  – Disable all unnecessary and insecure services and protocols
[Figure: Requirement 2: Do not use vendor-supplied defaults for system settings, shown on the Network Environment Blueprint.]
PCI Requirement 2.1 for Wireless
- Verify that the Cisco Controller is, by default, configured for administrative restriction and AAA authentication for administrative users
- Verify that no default SSID is enabled on the WLC
- Disable/remove default SNMP strings of "public/private"
- Create new community strings
- Verify that default community strings are no longer accessible
- Configure administrative user either via initial controller setup script or via CLI
- Configure wireless system for WPA authentication
- Disable SSID broadcast
PCI Requirement 2.3 for Wireless
- Verify that the controller is enabled only for secure management protocols:
  – HTTPS (SSL) only
  – Telnet disabled
  – SNMPv1 disabled
  – SSH permitted
- Verify that administrative access is denied to users accessing over unpermitted interfaces/addresses and verify that only encrypted protocols are permitted
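A configuration check that walks the 2.1 and 2.3 wireless checklists above, added here as an example; it is not part of the original presentation or of any Cisco tool. It assumes a constructed, simplified "key: value" export of the controller's management and WLAN settings (not real controller CLI output) and a hypothetical factory SSID "tsunami"; every setting that would fail the checklist is reported with the requirement it fails.

```python
import re

# Constructed sample: a simplified "key: value" export of a wireless
# controller's management and WLAN settings (an assumed format for this
# example, not real controller CLI output).
SAMPLE_CONFIG = """\
mgmt.https: enabled
mgmt.http: enabled
mgmt.telnet: enabled
mgmt.ssh: enabled
mgmt.aaa: disabled
snmp.v1: enabled
snmp.community.1: public
snmp.community.2: private
wlan.1.ssid: tsunami
wlan.1.broadcast: enabled
wlan.1.security: wep
wlan.2.ssid: store-pos
wlan.2.broadcast: disabled
wlan.2.security: wpa2
"""

DEFAULT_SSIDS = {"tsunami"}                  # assumed factory SSID for the example
DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults named on the slide

def parse_config(text):
    """Turn the key: value export into a dict with lower-cased values."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().lower()
    return cfg

def audit_controller(cfg):
    """Return (requirement, finding) pairs for every setting that fails the
    PCI 2.1 / 2.3 wireless checklist; an empty list means it passed."""
    findings = []
    if cfg.get("mgmt.aaa") != "enabled":
        findings.append(("2.1", "administrative users not authenticated via AAA"))
    for key, value in cfg.items():
        if key.startswith("snmp.community.") and value in DEFAULT_COMMUNITIES:
            findings.append(("2.1", f"default SNMP community '{value}' still configured"))
    if cfg.get("snmp.v1") == "enabled":
        findings.append(("2.3", "SNMPv1 enabled"))
    if cfg.get("mgmt.telnet") == "enabled":
        findings.append(("2.3", "Telnet management enabled"))
    if cfg.get("mgmt.http") == "enabled":
        findings.append(("2.3", "clear-text HTTP management enabled (HTTPS only is required)"))
    wlans = sorted({k.split(".")[1] for k in cfg if re.match(r"wlan\.\d+\.", k)}, key=int)
    for w in wlans:
        ssid, security = cfg.get(f"wlan.{w}.ssid", ""), cfg.get(f"wlan.{w}.security")
        if ssid in DEFAULT_SSIDS:
            findings.append(("2.1", f"default SSID '{ssid}' enabled on WLAN {w}"))
        if cfg.get(f"wlan.{w}.broadcast") == "enabled":
            findings.append(("2.1", f"SSID broadcast enabled on WLAN {w}"))
        if security not in ("wpa", "wpa2"):
            findings.append(("2.1", f"WLAN {w} not using WPA/WPA2 (security={security})"))
    return findings
```

Running `audit_controller(parse_config(SAMPLE_CONFIG))` on the sample yields nine findings (six against 2.1, three against 2.3); a hardened export yields none.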
PCI Requirement 3
- Protect stored data
  – Keep cardholder data storage to a minimum
  – Do not store the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 and magnetic stripe data), card-validation code or value, or PIN
  – Mask PAN when displayed, and render it unreadable when stored (hashed indexes, truncation, index tokens and pads, strong cryptography, disk encryption)
  – Document and implement key management processes
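The masking, truncation and hashed-index techniques listed above, worked through in code; this is an added example, not code from the presentation. It assumes a constructed index key (in practice it comes from the key-management process the slide calls for and is stored apart from the index) and uses the Luhn check to recognise a PAN.

```python
import hashlib
import hmac

# Constructed sample key; in production it comes from the key-management
# process (Requirement 3) and is never stored beside the index it protects.
INDEX_KEY = b"example-index-key-rotate-per-key-mgmt-policy"

def _digits(pan):
    return "".join(c for c in pan if c.isdigit())

def luhn_valid(pan):
    """Luhn check, used to tell a PAN from other digit strings (for example
    when scanning storage for cardholder data that should not be there)."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Display form: at most the first six and last four digits visible."""
    digits = _digits(pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def truncate_pan(pan):
    """Storage form when the full PAN is not needed: last four digits only.
    Unlike masking a stored full PAN, truncation cannot be reversed."""
    return _digits(pan)[-4:]

def pan_index(pan, key=INDEX_KEY):
    """Keyed hash (HMAC-SHA256) usable as a lookup index for a stored PAN.
    A plain unkeyed hash is not enough: with the first six and last four
    digits known, only about 10**5 Luhn-valid candidates remain for a
    16-digit PAN, so SHA-256 alone can be reversed by exhaustive search."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()
```

The test number 4111 1111 1111 1111 is the usual Visa-format sample and carries no real account.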
[Figure: Requirement 3: Protect stored data, shown on the Network Environment Blueprint.]
Protect Stored Data – From What?
- Cisco Security Agent (CSA) protects from
  – Copying cardholder information to removable media (USB sticks, CD-ROMs, etc.)
  – Copying cardholder information to different file formats
  – Printing cardholder information
  – Saving information to a local machine
- Plus typical worm/virus protection (think e-commerce)
PCI Requirement 4
- Encrypt transmission of cardholder data across open, public networks
  – Use SSL/TLS or IPSec; WPA for wireless
  – If using WEP:
    • Use with a minimum 104-bit encryption key and 24-bit initialization value
    • Use ONLY in conjunction with WPA/WPA2, VPN or SSL/TLS
    • Rotate shared WEP keys quarterly (or automatically)
    • Restrict access based on MAC address
  – Never send unencrypted PANs by e-mail
[Figure: Requirement 4: Encrypt transmission of cardholder data across public networks, shown on the Network Environment Blueprint.]
PCI Requirement 5
- Use and regularly update anti-virus software or programs
  – Deploy anti-virus software on all systems commonly affected by viruses
  – AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware
  – Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs
[Figure: Requirement 5: Use and regularly update anti-virus software, shown on the Network Environment Blueprint.]
PCI Requirement 6
- Develop and maintain secure systems and applications
  – Systems and software have the latest vendor-supplied security patches installed; install relevant security patches within one month of release
  – Establish a process to identify new security vulnerabilities (subscribe to alert services, etc.)
  – Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle
  – Develop web applications based on secure coding guidelines such as the Open Web Application Security Project
  – Web-facing applications are protected against known attacks by installing an application-layer firewall in front of web-facing applications, or by having application code reviewed by a specialized application security organization
[Figure: Requirement 6: Develop and maintain secure systems and applications, shown on the Network Environment Blueprint.]
PCI Requirement 7
- Restrict access to cardholder data by business need-to-know
  – Limit access to computing resources and cardholder information only to those individuals whose job requires such access
  – Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed
[Figure: Requirement 7: Restrict access to data by business need-to-know, shown on the Network Environment Blueprint.]
PCI Requirement 8
- Assign a unique ID to each person with computer access
  – Identify all users with a unique user name before allowing access to system components or cardholder data
  – In addition, employ one method of authentication (password, token devices [SecurID, certificates or public key], biometrics)
  – Implement 2-factor authentication
  – Encrypt all passwords during transmission and storage
[Figure: Requirement 8: Assign a unique ID to each person with computer access, shown on the Network Environment Blueprint.]
PCI Requirement 9
- Restrict physical access to cardholder data
  – Facility entry controls; monitor physical access to systems that store, process or transmit cardholder data
    • Cameras to monitor sensitive areas
    • Restrict physical access to network jacks, wireless access points, gateways, and handheld devices
  – Distinguish between employees and visitors
  – Visitor log-in, physical token, authorization before entering area
  – Physically secure cardholder data media
  – Destroy media when it is no longer needed
PCI Requirement 10
- Track and monitor all access to network resources and cardholder data
  – Implement automated audit trails
  – Record audit trail entries
  – Secure audit trails so they cannot be altered
  – Review logs for all system components at least daily
  – Destroy media when it is no longer needed
  – Retain audit trail history for at least one year, with a minimum of three months online availability
[Figure: Requirement 10: Track and monitor all access to network and cardholder data, shown on the Network Environment Blueprint.]
[Screenshot, for your reference: the event is also logged in CS-MARS.]
CS-MARS Events for PCI/CobiT Compliance Tracking (for your reference)
PCI: 1. Firewall
CobiT: DS 5.20 FW Architectures
MARS Reports:
- Network Usage - Top Destination Ports
- Network Usage Inbound - Top Ports
- Network Usage Inbound - Top Destinations
- Network Usage Outbound - Top Ports
- Network Usage Outbound - Top Destinations
- Denies Inbound - Top Destination Ports
- Denies Inbound - Top Destinations
- Denies Inbound - Top Sources
- Denies Outbound - Top Destination Ports
- Denies Outbound - Top Destinations
- Denies Outbound - Top Sources
- Attacks Prevented - Top Reporting Devices
- Concurrent Connections - Top Devices
PCI Requirement 11
- Regularly test security systems and processes
  – Use a wireless analyzer at least quarterly to identify all wireless devices in use
  – Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
  – Perform penetration testing at least once a year and after any significant upgrade or modification
  – Use NIDS/IPS, HIDS/HIPS
  – Deploy file integrity monitoring software to perform critical file comparisons at least weekly
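The weekly critical-file comparison from the last bullet, shown as a minimal baseline-and-compare routine; this is an added example, not the presentation's or any vendor's FIM product. File names and contents in `run_demo` are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, rel_paths):
    """Snapshot digest, permission bits and size of each critical file."""
    baseline = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            st = os.stat(full)
            baseline[rel] = {"sha256": file_digest(full),
                             "mode": st.st_mode & 0o7777, "size": st.st_size}
    return baseline

def compare_baselines(old, new):
    """Weekly comparison: what appeared, vanished or changed since the stored
    baseline. The baseline must live off-host (or be signed); otherwise
    whoever alters a watched file can also alter the record of it."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in old if p in new and old[p] != new[p])}

def run_demo():
    """Constructed scenario: baseline two POS files, then one is altered and
    an unexpected file appears before the next weekly comparison."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "pos"))
        for rel, body in [("pos/app.cfg", b"db=cardstore\n"), ("pos/pos.bin", b"\x7fELF..")]:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        watched = ["pos/app.cfg", "pos/pos.bin", "pos/hooks.dll"]
        stored = json.dumps(build_baseline(root, watched))   # kept off-host by the FIM tool
        with open(os.path.join(root, "pos/app.cfg"), "ab") as f:
            f.write(b"extra=1\n")                              # altered config
        with open(os.path.join(root, "pos/hooks.dll"), "wb") as f:
            f.write(b"MZ..")                                   # unexpected new file
        return compare_baselines(json.loads(stored), build_baseline(root, watched))
    finally:
        shutil.rmtree(root)
```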
[Figure: Requirement 11: Regularly test security systems and processes, shown on the Network Environment Blueprint.]
PCI Requirement 12
- Maintain a policy that addresses information security for employees and contractors
  – Establish, publish, maintain, and disseminate a security policy
  – Develop usage policies for critical employee-facing technologies
  – Implement a security awareness program
  – Implement an incident response plan
  – If cardholder data is shared with service providers, the SP must adhere to the PCI DSS requirements
[Figure: Requirement 12: Maintain a policy that addresses information security, shown on the Network Environment Blueprint.]
[Figure: Cisco Solution for PCI. The Network Environment Blueprint (remote location, Internet edge, main office, data center, network management center over the WAN) with a matrix mapping Cisco products (ISR, Catalyst switch, 6500/7600 FWSM, 7300 router, ASA 5500, WAP1200, Cisco Security Agent (CSA), NAC, CS-MARS, Cisco Security Management, ACS, NCM/CAS, IronPort, AXG) to Requirements 1 through 12. The checkmark cells of the matrix did not survive extraction.]
[Screenshots, for your reference: NCM status views for PCI Requirement 2, Requirement 4, Requirement 6, Requirements 7 and 8, Requirement 10, Requirement 11 and Requirement 12.]
Summary – Key Take-Aways
- PCI is moving rapidly to global importance
- PCI compliance encompasses security best practices
- Work closely with an Approved Scanning Vendor and a Qualified Security Assessor to understand expectations
- Use Cisco's PCI Validated Architectures as a guide to ease design and implementation
More Information
- Cisco Compliance information: http://www.cisco.com/go/compliance and http://www.cisco.com/go/retail
- VISA Cardholder Information Security Program: http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp
- MasterCard PCI Merchant Education: http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html
- PCI Security Standards Council: https://www.pcisecuritystandards.org/