11 Strategies to Deploy PCI Compliant Networks
2 likes1,400 views
The document outlines a webinar presented by Cradlepoint on achieving PCI compliance, detailing the PCI DSS requirements and importance for businesses that handle credit card data. It emphasizes the need for a comprehensive approach to compliance, highlighting customer pain points such as lack of expertise and the financial burden of the compliance process. Additionally, it discusses specific security standards, recommendations for system configurations, and ongoing monitoring to protect cardholder data.
11 Strategies to Deploy PCI Compliant Networks
- 1. Achieving PCI Compliance CradlePoint Webinar July 31, 2012 Global Leader in 4G Network Solutions Ken Hosac VP Business Development Rudy Cedillo Sr. Enterprise Support Engineer
- 2. Achieving PCI Compliance Agenda § CradlePoint Overview – Target market – Solu0on overview § Introduction to PCI Compliance – The standards framework – Business drivers – Compliance & monitoring – Customer pain-‐points § PCI-DSS Requirements & Recommendations – Goals & requirements – Valida0on methodology – CradlePoint recommenda0ons CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 2
- 3. CradlePoint Target Market Distributed Enterprise Retail Stores M2M: Kiosks & ATMs CradlePoint provides 3G/4G networking solu0ons to distributed enterprise Restaurants Branch Offices Convenience Stores CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce.
- 4. Connecting Distributed Enterprise through Wireless 4G/3G Solution Overview WiPipe Central On-‐Site Services Applica9on & Management Pla<orm Site Survey, Installa9on, Maintenance Network Administrator Enterprise Router Enterprise Bridge M2M Router for Small-‐Footprint Retail/Branch for Business Con0nuity for Connected Devices CradlePoint CradlePoint ARC CBA750 DSL ARC MBR1400 Modem Router Bridge CradlePoint M2M Router Existing Router Juniper, Cisco, etc CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 4
- 5. Overview of the PCI Standards Achieving PCI Compliance CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 5
- 6. Achieving PCI Compliance PCI Security Standards § Background § Business Drivers – Objec0ve is to protect cardholder data – Companies that fail to comply are – Required for any company that stores, subject to fines, lawsuits, and can processes or transmits credit card info even be banned from processing – Founded by 5 major financial brands, credit cards. including: – Companies that are breached can § AmEx, Discovery, JCB, MasterCard, Visa find themselves in the news – Par0cipants include hundreds of headlines, significantly impac0ng industry en00es goodwill with customers, partners and shareholders. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 6
- 7. Achieving PCI Compliance PCI Security Standards (continued) § PCI-SSC publishes three standards – PCI-‐DSS (PCI Data Security Standards): Applies to any en0ty that stores, processes, and/or transmits cardholder data. The standard covers technical and opera0onal components include in or connected to cardholder data. If a business accepts or processes payment cards, it must comply with the PCI DSS. – PTS (PIN Transac0on Security Requirements): Applies to manufacturers who develop PIN (personal iden0fica0on number) entry terminals used for payment card financial transac0ons. – PA-‐DSS (Payment Applica0on Data Security Standards): Applies to so_ware developers and integrators of applica0ons that store, process or transmit cardholder data as part of authoriza0on or sealement. § Acronyms – PCI = Payment Card Industry – SSC = Security Standards Council – DSS = Data Security Standards – CDE = Cardholder Data Environment – PAN = Personal Account Number CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 7
- 8. Achieving PCI Compliance PCI Security Standards (continued) § Initial Certification Process – External audits or self-‐cer0fica0on, based on company size – Smaller merchants are able to self-‐cer0fy through a Self-‐Assessment Ques0onnaire (SAQ) – Larger enterprises must u0lize a PCI-‐qualified assessor such as a QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor). § Ongoing Monitoring Process – The merchant must con0nually monitor and update their system in order to maintain compliance. – This includes: § On-‐going monitoring and tes0ng of network resources § Regular reviews of system logs and access § Ensuring that device configura0ons and security policies are locked down and can’t be changed without authoriza0on § All cri0cal systems have the most recently-‐released so_ware patches within one month to protect against exploita0on by malicious individuals, devices and so_ware CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 8
- 9. Achieving PCI Compliance Customer Pain Points § Lack of Expertise – Many companies do not have in-‐house exper0se – PCI Compliance can be a confusing and in0mida0ng process § Expense – The process for obtaining and maintaining PCI-‐compliance is expensive and burdensome. – PCI Compliance audi0ng is o_en an expensive, manual process § Liability – Companies that fail to comply with the PCI-‐DSS (Payment Card Industry, Data Security Standards) are subject to fines & lawsuits. – Companies that are breached can find themselves in the news headlines, significantly impac0ng goodwill with customers, partners and shareholders. § Business Continuity – Non-‐compliance can result in the customer being banned from processing credit cards. – CradlePoint’s largest customers have confirmed that PCI Compliance is one of the most fundamental underpinnings of their business CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 9
- 10. Achieving PCI Compliance Achieving PCI Compliance § Requires a System-Wide Approach – PCI compliance can only be obtained by the merchant . – PCI auditors analyze the merchant’s en0re system, including POS devices, network devices, servers, applica0ons, policies, & procedures. – The PCI-‐DSS requires that the merchant verify that all network equipment (including CradlePoint devices) is properly configured and managed for compliance. § Router Certification – There is no specific specifica0on to enable routers to become “PCI Compliant”. – CradlePoint conducts “PCI Penetra0on Tes0ng” to ensure that the routers can be confidently used in a PCI-‐Compliant environment. – CradlePoint devices do not store any of the data that flows through the device, especially credit card informa0on CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 10
- 11. Overview of PCI Requirements & Recommendations Achieving PCI Compliance CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 11
- 12. Achieving PCI Compliance CradlePoint Enablers § Application Guide – 80-‐page guide for IT professionals – Detailed review of each requirement – CradlePoint enablers – CradlePoint recommenda0ons CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 12
- 13. Achieving PCI Compliance PCI-DSS 2.0 Standards Goals Requirements 1) Install and maintain a firewall configuration to protect cardholder data. Build and Maintain a 2) Do not use vendor-supplied defaults for system passwords and other security Secure Network parameters. 3) Protect stored cardholder data. Protect Cardholder Data 4) Encrypt transmission of cardholder data across open, public networks. Maintain a Vulnerability 5) Use and regularly update anti-virus software or programs. Management Program 6) Develop and maintain secure systems and applications. 7) Restrict access to cardholder data by business need to know. Implement Strong Access 8) Assign a unique ID to each person with computer access. Control Measures 9) Restrict physical access to cardholder data. Regularly Monitor and 10) Track and monitor all access to network resources and cardholder data. Test Networks 11) Regularly test security systems and processes. Maintain an Information 12) Maintain a policy that addresses information security for all personnel. Security Policy CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 13
- 14. Achieving PCI Compliance Requirement 1 Install & Maintain Firewalls Descrip0on Install and maintain a firewall configura0on to protect cardholder data. Goal Build and maintain a secure network. Requirements 1.1 Establish firewall and router configura0on standards. 1.2 Build firewall and router configura0ons that restrict connec0ons between untrusted networks and any system components in the CDE. 1.3 Prohibit direct public access between the Internet and any system component in the CDE. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 14
- 15. Build and Maintain a Secure Network Achieving PCI Compliance R-1) Install & maintain a firewall configuration to protect cardholder data. CradlePoint Recommenda0on Segment the Network into Security Zones CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 15
- 16. Build and Maintain a Secure Network Achieving PCI Compliance R-1) Install & maintain a firewall configuration to protect cardholder data. CradlePoint Recommenda0on Configure the Firewall § Stateful Packet Inspection – SPI is a firewall that monitors outgoing and incoming traffic to make sure that only valid responses to outgoing requests are allowed to pass though the router. – Proper configura0on hides your LAN from unauthorized external aaackers, so that the router does not respond to unsolicited incoming requests on any port. § Port Forwarding Rules – A port forwarding rule provides a controlled method of opening the firewall to address the needs of specific types of applica0ons. – Allows external traffic to reach a computer or device on the inside of the network. § Anti-Spoof – “Spoofed Addresses” are faked source addresses used by a malicious user to either hide themselves or to impersonate someone else. – Used to launch a network aaack without revealing the true source of the aaack. – Used to gain access to network services that are restricted to certain addresses. – An0-‐Spoof dynamically checks packets to iden0fy probable spoofing aaempts. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 16
- 17. Build and Maintain a Secure Network Achieving PCI Compliance R-1) Install & maintain a firewall configuration to protect cardholder data. CradlePoint Recommenda0on Configure the Firewall (continued) § Packet Normalization – Normalizing packets helps secure the router in untrusted environments. – It does so by "scrubbing“ packets that are ambiguous or might represent a break-‐in aaempt. § Static NAT Ports – If enabled, the source port does not translate inbound TCP and UDP packets during NAT. – Some NAT traversal protocols such as STUN(T) require that the source port stay the same when traversing the firewall. § DMZ Host – A De-‐Militarized Zone (DMZ ) host is purposely not firewalled. – Enables any computer on the internet to remotely access network services at that DMZ IP address. – Input the IP Address for the DMZ device to ensure that the IP address of the selected device remains consistent. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 17
- 18. Build and Maintain a Secure Network Achieving PCI Compliance R-1) Install & maintain a firewall configuration to protect cardholder data. CradlePoint Recommenda0on Lock Down the Router Entry Points § Disable UPnP – UPnP (Universal Plug and Play) is a set of networking protocols standardized by the UPnP Forum – Enables clients to determine network configura0on and configure the network to allow traffic through the firewall without direct user interac0on. – UPnP can simplify the use of consumer devices and other applica0ons that require network configura0on, – UPnP can also allow unprivileged users to manipulate network configura0on. § Disable WAN Pings – When disabled, the router does not respond to ping requests from external WAN clients. – This is o_en used by hackers to probe security vulnerabili0es. § Use MAC Filtering – The MAC Filter allows you to create a list of devices that have either exclusive access (white list) or no access (black list) to your wireless LAN. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 18
- 19. Build and Maintain a Secure Network Achieving PCI Compliance R-1) Install & maintain a firewall configuration to protect cardholder data. CradlePoint Recommenda0on Lock Down the Router Entry Points (continued) § Use IP Filter Rules – "Incoming" IP filter rules restricts remote access to computers on your local network. – "Outgoing" IP filter rules prevent computers on your local network from ini0a0ng communica0on to the address range specified in the rule. – This feature is especially useful when combined with port forwarding and/or DMZ to restrict remote access to a specified host or network range. – With an incoming IP filter rule, you can restrict the access to your LAN to only the specific computers or devices authorized to be on the network. § Disable Remote Administration – This prevents external users from accessing the router administra0on web UI through the WAN. – CradlePoint recommends using WiPipe Central to manage the routers, since it u0lizes a secure device-‐ini0ated protocol that is less vulnerable to hacking. – If you decide that you do want to enable remote admin access, be sure to configure it to require HTTPS on a non-‐standard port. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 19
- 20. Achieving PCI Compliance Requirement 2 Don’t Use Vendor-Supplied Defaults Descrip0on Do not use vendor-‐supplied defaults for system passwords and other security parameters Goal Build and maintain a secure network. Requirements 2.1 Always change vendor-‐supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimina0on of unnecessary accounts. 2.2 Develop configura0on standards for all system components. Assure that these standards address all known security vulnerabili0es and are consistent with industry-‐accepted system hardening standards. 2.3 Encrypt all non-‐console administra0ve access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-‐based management and other non-‐console administra0ve access. 2.4 Shared hos0ng providers must protect each en0ty’s hosted environment and cardholder data. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 20
- 21. Achieving PCI Compliance Build and Maintain a Secure Network R-2) Do not use vendor-supplied defaults for system passwords CradlePoint Recommenda0on Change the Default Passwords § CP’s Enhanced Password Protection – For out-‐of-‐box security, CradlePoint products do not ship with a generic default password. – Each router has a unique password that u0lizes a por0on of the router’s MAC address. § PCI-DSS Still Requires Pwd Change – PCI-‐DSS Requirement 2.1 requires that the merchant change the default password on the router. – Even though the CradlePoint passwords are unique to each individual router, CradlePoint recommends that the customer select a new unique password for each device that is only known to system administrators with a need-‐to-‐know. § WiPipe Central – Enables password management from a centralized loca0on, elimina0ng the need to log into each router to change the password. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 21
- 22. Achieving PCI Compliance Requirement 3 Protect Stored Cardholder Data Descrip0on Protect stored cardholder data Goal Protect stored cardholder data Requirements 3.1 Keep cardholder data storage to a minimum by implemen0ng data reten0on and disposal policies, procedures and processes. 3.2 Do not store sensi0ve authen0ca0on data a_er authoriza0on (even if encrypted). 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs). 3.5 Protect any keys used to secure cardholder data against disclosure and misuse. 3.6 Fully document and implement all key-‐management processes and procedures for cryptographic keys used for encryp0on of cardholder data. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 22
- 23. Achieving PCI Compliance Protect Cardholder Data R-3) Protect stored cardholder data. CradlePoint Recommenda0on Minimize Resources within CDE Network Segment § Network Segmentation – Par00on network resources into individual “Network Segments”, such as: – Resources on one network segment are securely par00oned from other segments – Enables a single router & WAN to be used for mul0ple purposes § Resource Assignment – Each network segment can be assigned individual network resources, including: § Ethernet ports § WiFi SSIDs § VLANs – Each Network Segment can be configured with its own § IP Address configura0on (sta0c, dynamic, range) § Rou0ng Mode (NAT, non-‐NAT, Public Hotspot/Cap0ve Portal) § Access Control (Admin Access, LAN Isola0on, etc) § Interfaces (choose from WiFi SSIDs, Ethernet Groups and VLANs) CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 23
- 24. Achieving PCI Compliance Protect Cardholder Data R-4) Encrypt cardholder data across open, public networks. Requirement 4 Encrypt Transmission of Cardholder Data Descrip0on Encrypt transmission of cardholder data across open, public networks. Goal Protect cardholder data Requirements 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensi0ve cardholder data during transmission over open, public networks. 4.2 Never send unprotected PANs by end-‐user messaging technologies (for example, e-‐ mail, instant messaging, chat, etc.). Note: § The use of WEP as a security control was prohibited as of 30 June 2010. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 24
- 25. Achieving PCI Compliance Protect Cardholder Data R-4) Encrypt cardholder data across open, public networks. CradlePoint Recommenda0on Create Secure WAN Connectivity § Virtual Private Network (VPN) – VPN tunnels are used to establish a secure connec0on to a remote network over a public network. – For example, VPN tunnels can be used across the internet by an individual store loca0on to connect to the corporate data center or by two individual store loca0ons to func0on as if connected with one network. – The two networks set up a secure connec0on across the (normally) unsecure internet by assigning VPN encryp0on protocols. § Generic Routing Encapsulation (GRE) – GRE tunnels can be used to create a connec0on between two private networks. – CradlePoint routers support both GRE and VPN tunnels. – GRE tunnels are simpler to configure and more flexible for different kinds of packet exchanges, but VPN tunnels are much more secure. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 25
- 26. Achieving PCI Compliance Protect Cardholder Data R-4) Encrypt cardholder data across open, public networks. CradlePoint Recommenda0on Create Secure WAN Connectivity (continued) § Internet Protocol security (IPsec) – CradlePoint routers uses IPsec (Internet Protocol security) to authen0cate and encrypt packets exchanged across the tunnel. – To set up a VPN tunnel with a CradlePoint router on one end, there must be another device (usually a router) that also supports IPsec on the other end. § Internet Key Exchange (IKE) – IKE is the security protocol in IPsec. – IKE has two phases, Phase 1 and Phase 2. – CradlePoint routers have several different security protocol op0ons for each phase, but the default selec0ons will be sufficient for most users. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 26
- 27. Achieving PCI Compliance Requirement 5 Use Anti-Virus Software Descrip0on Use and regularly update an0-‐virus so_ware or programs. Goal Maintain a vulnerability management program. Requirements 5.1 Deploy an0-‐virus so_ware on all systems commonly affected by malicious so_ware (par0cularly personal computers and servers). 5.2 Ensure that all an0-‐virus mechanisms are current, ac0vely running, and genera0ng audit logs. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 27
- 28. Achieving PCI Compliance Requirement 6 Develop & Maintain Secure Systems & Apps Descrip0on Develop and maintain secure systems and applica0ons. Goal Maintain a vulnerability management program. Requirements 6.1 Ensure that all system components and so_ware are protected from known vulnerabili0es by having the latest vendor-‐supplied security patches installed. Install cri0cal security patches within one month of release. 6.2 Establish a process to iden0fy and assign a risk ranking to newly discovered security vulnerabili0es. 6.3 Develop so_ware applica0ons in accordance with PCI DSS and based on industry best prac0ces. 6.4 Follow change control processes & procedures for all changes to system components. 6.5 Develop applica0ons based on secure coding guidelines. Prevent common coding vulnerabili0es in so_ware development. 6.6 For public-‐facing web applica0ons, address new threats and vulnerabili0es on an ongoing basis and ensure these applica0ons are protected against known aaacks. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 28
- 29. Achieving PCI Compliance Maintain a Vulnerability Management Program R-6) Develop and maintain secure systems and applications. CradlePoint Recommenda0on Keep Device Firmware Updated with WiPipe Central § Rationale – Hackers use security vulnerabili0es to gain privileged access to systems. – The PCI-‐DSS 2.0 document recognizes that providers of system component (including network devices) regularly test for new vulnerabili0es. – Component providers regularly issues so_ware upgrades to address these issues. § PCI Requirement 6.1 – Mandates that all cri0cal systems must have the most recently released, appropriate so_ware patches to protect against exploita0on and compromise of cardholder data by malicious individuals and malicious so_ware. – Requires that cri0cal so_ware patches must be installed within 1 month of release. § WiPipe Central – Firmware Management – WiPipe Central enables each device group to have a firmware version selected to be used on all devices in the group. – Network administrators can choose the firmware version for a given group to use by selec0ng it from the list. – The facility allows the firmware version to be downgraded as well as upgraded. – If any devices are upgraded, either accidentally or without authoriza0on, WiPipe Central will automa0cally reverse the upgrade. CradlePoint P– x and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. roprietary 29
- 30. Achieving PCI Compliance Maintain a Vulnerability Management Program R-6) Develop and maintain secure systems and applications. CradlePoint Recommenda0on Lock Down the Configuration with WiPipe Central § Centralized Configuration Management – Enables group management of deployed routers – Group configura0on ensures that routers are consistently configured – Enables central control of device configura0on § Prevent Unauthorized Changes – If individual router configura0ons are accidentally or maliciously changed, WiPipe Central detects and reverses the change – Enables administrators to ensure that router configura0ons are “locked down”. § Require Changes to be made through WiPipe Central – Creates and audit log for access & control CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 30
- 31. Achieving PCI Compliance Requirement 7 Restrict Access to Cardholder Data Descrip0on Restrict access to cardholder data by business need to know. Goal Implement strong access control measures. Requirements 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. 7.2 Establish an access control system for systems components with mul0ple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 31
- 32. Achieving PCI Compliance Requirement 8 Assign Unique IDs to Each Person w/ Access Descrip0on Assign a unique ID to each person with computer access. Goal Implement strong access control measures. Requirements 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data. 8.2 In addi0on to assigning a unique ID, employ methods to authen0cate all users: password or passphrase, token device or smart card, biometric. 8.3 Incorporate two-‐factor authen0ca0on for remote access (network-‐level access origina0ng from outside the network) to the network by employees, administrators, and third par0es. 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography. 8.5 Ensure proper user iden0fica0on and authen0ca0on management for non-‐ consumer users and administrators on all system components. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 32
- 33. Achieving PCI Compliance Requirement 9 Restrict Physical Access to Cardholder Data Descrip0on Restrict physical access to cardholder data Goal Implement strong access control measures. Requirements 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. 9.2 Develop procedures to easily dis0nguish between onsite personnel and visitors, especially in areas where cardholder data is accessible. 9.3 Make sure all visitors are authorized, given a badge, and badge collected on exit. 9.4 Use a visitor log to maintain a physical audit trail of visitor ac0vity. 9.5 Store media back-‐ups in a secure loca0on, preferably an off-‐site facility, such as an alternate or back-‐up site, or a commercial storage facility. Review the loca0on’s security. 9.6 Physically secure all media. 9.7 Maintain strict control over the internal or external distribu0on of any kind of media. 9.8 Ensure management approves any and all media that is moved from a secured area 9.9 Maintain strict control over the storage and accessibility of media. 9.10 Destroy media when it is no longer needed for business or legal reasons. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 33
- 34. Achieving PCI Compliance Requirement 10 Regularly Monitor and Test Networks Descrip0on Regularly monitor and test networks. Goal Track and monitor all access to network resources and cardholder data. Requirements 10.1 Establish a process for linking all access to system components (especially access done with administra0ve privileges such as root) to each individual user. 10.2 Implement automated audit trails for all system components to reconstruct the various important events named in the Requirements. 10.3 Record audit trail entries for all system components for each event as defined. 10.4 Using 0me-‐synch technology, synchronize all cri0cal system clocks & 0mes and ensure that the following is implemented for acquiring, distribu0ng, & storing 0me. 10.5 Secure audit trails so they cannot be altered. 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security func0ons like intrusion-‐detec0on system (IDS) and authen0ca0on, authoriza0on, and accoun0ng protocol (AAA) servers. 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (ie, online, archived, or restorable from back-‐up). CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 34
- 35. Achieving PCI Compliance Regularly Monitor and Test Networks R-10) Track & monitor all access to network resources & cardholder data. CradlePoint Recommenda0on Utilize an External SysLog Server § System Logs as an Audit Trail – The router automa0cally logs (records) events of possible interest in its internal memory. – The log op0ons allow you to filter the router logs based on categories, allowing customiza0on of the types and level of events to record and the level of events to view. – System logs are can be used to iden0fy § Unauthorized login aaempts § Unauthorized configura0on changes § Penetra0on aaempts § Security aaacks § Persistence Preserves the Audit Trail – U0lize the WiPipe Central to centrally synchronize and store the system logs. – Alterna0vely, the router can be configured to communicate with an external Syslog Server CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 35
- 36. Achieving PCI Compliance Regularly Monitor and Test Networks R-10) Track & monitor all access to network resources & cardholder data. CradlePoint Recommenda0on Utilize an External Time Server § Time Synchronization – Configure routers to communicate with an external Time server – Makes it more difficult to change system logs or hide aaacks – Network Time Protocol (NTP) enables the router to synchronize its system 0me with a remote server on the internet. – NTP is an important part of using System Logs to accurately monitor PCI Compliance. § NTP Server Options – pool.ntp.org – 0me.nist.gov – 0me-‐windows.com CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 36
- 37. Achieving PCI Compliance Requirement 11 Test Security Systems and Processes Descrip0on Regularly test security systems and processes. Goal Track and monitor all access to network resources and cardholder data. Requirements 11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. 11.2 Run internal and external network vulnerability scans at least quarterly and a_er any significant change in the network (such as new system component installa0ons, changes in network topology, firewall rule modifica0ons, product upgrades). 11.3 Perform external and internal penetra0on tes0ng at least once a year and a_er any significant infrastructure or applica0on upgrade or modifica0on. 11.4 Use intrusion-‐detec0on systems, and/or intrusion-‐preven0on systems to monitor all traffic at the perimeter of the CDE as well as at cri0cal points inside of the CDE, and alert personnel to suspected compromises. 11.5 Deploy file-‐integrity monitoring tools to alert personnel to unauthorized modifica0on of cri0cal system files, configura0on files, or content files; and configure the so_ware to perform cri0cal file comparisons at least weekly. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 37
- 38. Achieving PCI Compliance Requirement 12 Information Security Policy for Personnel Descrip0on Maintain a policy that addresses informa0on security for all personnel. Goal Maintain an informa0on security policy. Requirements 12.1 Establish, publish, maintain, and disseminate a security policy. 12.2 Develop daily opera0onal security procedures. 12.3 Develop usage policies for cri0cal technologies (for example, remote access, wireless) and define proper use of these technologies. 12.4 Ensure that the security policy and procedures clearly define informa0on security responsibili0es for all personnel. 12.5 Assign to an individual or team defined informa0on security management responsibili0es: 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. 12.7 Screen poten0al personnel prior to hire to minimize the risk of aaacks from internal sources. 12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers. 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 38
- 39. Achieving PCI Compliance Summary of Recommendations § Step 1: Segment the network into individual “security zones” § Step 2: Configure the firewall § Step 3: Lock down the router entry points § Step 4: Change the default passwords § Step 5: Minimize resources within CDE network segment § Step 6: Create secure WAN connec0vity § Step 7: Keep device updated with the latest firmware using WPC § Step 8: Lock down the configura0on with WiPipe Central § Step 9: Configure communica0on with an external SysLog server § Step 10: Configure communica0on with an external Time server § Step 11: Monitor PCI Compliance with WiPipe Central CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 39
- 40. Achieving PCI Compliance Achieving PCI Compliance § CradlePoint Enablers for PCI Compliance – CradlePoint routers provide several features to enable compliance with the PCI-‐DSS 2.0 requirements – PCI Compliance requires routers to be properly configured, monitored & maintained. – WiPipe Central’s PCI Compliance Monitoring applica0on enables customers to demonstrate compliance in real-‐0me, not just for the quarterly or annual audits. § CradlePoint can Help – The “CradlePoint Enablers for a PCI Complaint System” applica0on note provides details regarding CradlePoint features and capabili0es that have been used by other customers to help achieve PCI Compliance for their end-‐to-‐end systems. – CradlePoint professional services can guide customers through the installa0on, configura0on and monitoring process § Proven Success – CradlePoint devices are u0lized in several large-‐scale, PCI-‐compliant deployments. CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 40
- 41. Questions? Ken Hosac VP Business Development Rudy Cedillo Sr. Enterprise Support Engineer webinars@cradlepoint.com www.CradlePoint.com www.cradlepoint.com/ 4g-‐3g-‐network-‐solu0ons/ www.cradlepoint.com www.cradlepoint.com/WiPipe case-‐studies CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 41
- 42. Achieving PCI Compliance Key Solution Features for PCI Compliance § PCI Compliance Monitoring § De-‐Militarized Zone (DMZ) applica0on for WiPipe Central, to § Virtual Server manage configura0on, firmware updates and monitor usage. § Ability to disable WAN services (ping, WNMP, web-‐based mgmt, etc) § Network Segmenta0on (Ethernet, SSID and VLAN) § MAC filtering § Ethernet ports (4) that can be § Session filtering (non-‐UDP/TCP/ individually assigned to specific ICMP) segments § Layer 2 Tunneling Protocol (L2TP) § WiFi SSIDs (4) that can be § VPN Client with support for up to 20 individually secured and assigned to tunnels (product-‐specific) specific segments § IPSec § Virtual LAN support and tagging § GRE (VLAN) § WiFi security (WPA/WPA2 Personal/ § Stateful Packet Inspec0on (SPI) Enterprise, AES/TKIP) § Network Address Transla0on (NAT) § RADIUS user authen0ca0on on WiFi § Applica0on Level Gateways (ALG) § SysLog support § Inbound filtering of IP addresses § Aler0ng CradlePoint Proprietary and Confiden0al | ©2012 CradlePoint Inc. | All rights reserved. | Informa0on subject to change without no0ce. 42