Companies that store, process, or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Failure to comply can result in fines, lawsuits, and even bans from processing credit cards. Even worse, companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners, and shareholders.
Achieving PCI Compliance: CradlePoint Webinar
July 31, 2012
Global Leader in 4G Network Solutions
Ken Hosac, VP Business Development
Rudy Cedillo, Sr. Enterprise Support Engineer
CradlePoint Proprietary and Confidential | ©2012 CradlePoint Inc. | All rights reserved. | Information subject to change without notice.
Agenda

§ CradlePoint Overview
  – Target market
  – Solution overview
§ Introduction to PCI Compliance
  – The standards framework
  – Business drivers
  – Compliance & monitoring
  – Customer pain-points
§ PCI-DSS Requirements & Recommendations
  – Goals & requirements
  – Validation methodology
  – CradlePoint recommendations
CradlePoint Target Market: Distributed Enterprise

CradlePoint provides 3G/4G networking solutions to the distributed enterprise: M2M (kiosks & ATMs), convenience stores, restaurants, branch offices and retail stores.
Solution Overview: Connecting Distributed Enterprise through Wireless 4G/3G

§ CradlePoint M2M Router: M2M router for connected devices
§ CradlePoint ARC CBA750 Bridge: enterprise bridge for business continuity, shown alongside the customer's existing router (Juniper, Cisco, etc.) and DSL modem
§ CradlePoint ARC MBR1400 Router: enterprise router for small-footprint retail/branch sites
§ WiPipe Central: application & management platform used by the network administrator
§ On-Site Services: site survey, installation, maintenance
Overview of the PCI Standards
PCI Security Standards

§ Background
  – The objective is to protect cardholder data.
  – Required for any company that stores, processes or transmits credit card information.
  – Founded by the 5 major payment card brands: American Express, Discover, JCB, MasterCard and Visa.
  – Participants include hundreds of industry entities.
§ Business Drivers
  – Companies that fail to comply are subject to fines and lawsuits, and can even be banned from processing credit cards.
  – Companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders.
PCI Security Standards (continued)

§ The PCI-SSC publishes three standards
  – PCI-DSS (PCI Data Security Standard): Applies to any entity that stores, processes, and/or transmits cardholder data. The standard covers the technical and operational system components included in or connected to the cardholder data environment. If a business accepts or processes payment cards, it must comply with the PCI DSS.
  – PTS (PIN Transaction Security Requirements): Applies to manufacturers who develop PIN (personal identification number) entry terminals used for payment card financial transactions.
  – PA-DSS (Payment Application Data Security Standard): Applies to software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement.
§ Acronyms
  – PCI = Payment Card Industry
  – SSC = Security Standards Council
  – DSS = Data Security Standard
  – CDE = Cardholder Data Environment
  – PAN = Primary Account Number
PCI Security Standards (continued)

§ Initial Certification Process
  – External assessment or self-certification, depending on the merchant's level (annual transaction volume).
  – Smaller merchants are able to self-certify through a Self-Assessment Questionnaire (SAQ).
  – Larger enterprises must use PCI-qualified third parties: a QSA (Qualified Security Assessor) for the on-site assessment and an ASV (Approved Scanning Vendor) for the quarterly external vulnerability scans.
§ Ongoing Monitoring Process
  – The merchant must continually monitor and update their systems in order to maintain compliance.
  – This includes:
    § On-going monitoring and testing of network resources
    § Regular reviews of system logs and access
    § Ensuring that device configurations and security policies are locked down and can't be changed without authorization
    § Ensuring that all critical systems have the most recently released software patches installed within one month, to protect against exploitation by malicious individuals, devices and software
Customer Pain Points

§ Lack of Expertise
  – Many companies do not have in-house expertise.
  – PCI compliance can be a confusing and intimidating process.
§ Expense
  – The process for obtaining and maintaining PCI compliance is expensive and burdensome.
  – PCI compliance auditing is often an expensive, manual process.
§ Liability
  – Companies that fail to comply with the PCI-DSS (Payment Card Industry Data Security Standard) are subject to fines and lawsuits.
  – Companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders.
§ Business Continuity
  – Non-compliance can result in the customer being banned from processing credit cards.
  – CradlePoint's largest customers have confirmed that PCI compliance is one of the most fundamental underpinnings of their business.
Achieving PCI Compliance

§ Requires a System-Wide Approach
  – PCI compliance can only be obtained by the merchant; no single product makes a merchant compliant.
  – PCI assessors analyze the merchant's entire system, including POS devices, network devices, servers, applications, policies and procedures.
  – The PCI-DSS requires that the merchant verify that all network equipment (including CradlePoint devices) is properly configured and managed for compliance.
§ Router Certification
  – There is no specification under which a router by itself becomes "PCI compliant"; only the merchant's environment is assessed.
  – CradlePoint conducts "PCI penetration testing" to ensure that the routers can be confidently used in a PCI-compliant environment.
  – CradlePoint devices do not store any of the data that flows through the device, including credit card information.
Overview of PCI Requirements & Recommendations
CradlePoint Enablers

§ Application Guide
  – 80-page guide for IT professionals
  – Detailed review of each requirement
  – CradlePoint enablers
  – CradlePoint recommendations
PCI-DSS 2.0 Standards

Goal                                         Requirements
Build and Maintain a Secure Network          1) Install and maintain a firewall configuration to protect cardholder data.
                                             2) Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data                      3) Protect stored cardholder data.
                                             4) Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program  5) Use and regularly update anti-virus software or programs.
                                             6) Develop and maintain secure systems and applications.
Implement Strong Access Control Measures     7) Restrict access to cardholder data by business need to know.
                                             8) Assign a unique ID to each person with computer access.
                                             9) Restrict physical access to cardholder data.
Regularly Monitor and Test Networks          10) Track and monitor all access to network resources and cardholder data.
                                             11) Regularly test security systems and processes.
Maintain an Information Security Policy      12) Maintain a policy that addresses information security for all personnel.
Requirement 1: Install & Maintain Firewalls

Description: Install and maintain a firewall configuration to protect cardholder data.
Goal: Build and maintain a secure network.
Requirements:
1.1 Establish firewall and router configuration standards.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the CDE.
1.3 Prohibit direct public access between the Internet and any system component in the CDE.
CradlePoint Recommendation: Segment the Network into Security Zones
(Build and Maintain a Secure Network, R-1: Install & maintain a firewall configuration to protect cardholder data.)
CradlePoint Recommendation: Configure the Firewall
(Build and Maintain a Secure Network, R-1: Install & maintain a firewall configuration to protect cardholder data.)

§ Stateful Packet Inspection
  – SPI is a firewall function that tracks outgoing and incoming traffic to make sure that only valid responses to outgoing requests are allowed to pass through the router.
  – Proper configuration hides your LAN from unauthorized external attackers, so that the router does not respond to unsolicited incoming requests on any port.
§ Port Forwarding Rules
  – A port forwarding rule provides a controlled method of opening the firewall to address the needs of specific types of applications.
  – It allows external traffic to reach a computer or device on the inside of the network. Every forwarded port is an Internet-facing entry point, so rules must never forward into a CDE system component (Requirement 1.3) and each rule should be documented and reviewed under the firewall configuration standard (Requirement 1.1).
§ Anti-Spoof
  – "Spoofed addresses" are forged source addresses used by a malicious user either to hide themselves or to impersonate someone else.
  – Used to launch a network attack without revealing the true source of the attack.
  – Used to gain access to network services that are restricted to certain addresses.
  – Anti-Spoof dynamically checks packets to identify probable spoofing attempts, for example a packet arriving on the WAN whose source address belongs to the LAN.
CradlePoint Recommendation: Configure the Firewall (continued)
(Build and Maintain a Secure Network, R-1: Install & maintain a firewall configuration to protect cardholder data.)

§ Packet Normalization
  – Normalizing packets helps secure the router in untrusted environments.
  – It does so by "scrubbing" packets that are ambiguous (for example, overlapping IP fragments or inconsistent TCP flag combinations) or that might represent a break-in attempt.
§ Static NAT Ports
  – If enabled, the source port of TCP and UDP packets is preserved rather than translated as they pass through NAT.
  – Some NAT traversal protocols such as STUN(T) require that the source port stay the same when traversing the firewall.
§ DMZ Host
  – A De-Militarized Zone (DMZ) host is purposely not firewalled.
  – It enables any computer on the Internet to remotely access network services at that DMZ IP address.
  – Enter the IP address of the DMZ device and give that device a static address, so that the IP address of the selected device remains consistent.
  – Because the DMZ host receives all unsolicited Internet traffic, it must never be a system component in the CDE (Requirement 1.3); in a payment environment the setting should normally be left disabled.
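The two firewall slides above describe four behaviours in words: stateful inspection (only replies to LAN-initiated requests come back in), anti-spoof checks on the source address, port-forward rules as controlled openings, and a DMZ host that catches everything unsolicited. The following model shows how those decisions interact for a single router. It is an added example and not CradlePoint code; the addresses (a 192.168.10.0/24 LAN, a WAN address in the 203.0.113.0/24 documentation range) and the sample packets are constructed, and static NAT ports are assumed so that a reply can be matched on the preserved LAN source port.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing for the example (RFC 5737 documentation ranges on the WAN side).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
WAN_ADDR = "203.0.113.7"
# Sources that should never arrive from the Internet: private, loopback, link-local, "this" network.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "lan" or "wan"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Models SPI + anti-spoof + port forwarding + DMZ host on a NAT router.

    Static NAT ports are assumed (the LAN source port is preserved on the WAN side),
    so a reply is matched on (proto, remote ip, remote port, preserved local port).
    """

    def __init__(self, port_forwards=None, dmz_host=None):
        self.port_forwards = dict(port_forwards or {})  # (proto, wan_port) -> (lan_ip, lan_port)
        self.dmz_host = dmz_host
        self.flows = {}  # (proto, remote_ip, remote_port, local_port) -> lan_ip, LAN-initiated

    def spoofed(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        if pkt.iface == "wan":
            # Internet-side packet claiming a LAN, private or loopback source is forged.
            return src in LAN_NET or any(src in n for n in BOGON_NETS)
        # LAN-side packet must carry a LAN source address.
        return src not in LAN_NET

    def process(self, pkt):
        if self.spoofed(pkt):
            return ("DROP", "anti-spoof")
        if pkt.iface == "lan":
            # Outbound request: remember it so that only its reply is let back in.
            self.flows[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = pkt.src
            return ("ACCEPT", "outbound")
        # Inbound on the WAN. 1) reply to a recorded flow (stateful inspection)
        lan_ip = self.flows.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        if lan_ip is not None and pkt.dst == WAN_ADDR:
            return ("ACCEPT", f"reply -> {lan_ip}:{pkt.dport}")
        # 2) explicit port-forward rule: a documented hole in the firewall
        fwd = self.port_forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            return ("ACCEPT", f"forward -> {fwd[0]}:{fwd[1]}")
        # 3) DMZ host: every unsolicited packet lands on it, which is why it must not be a CDE system
        if self.dmz_host:
            return ("ACCEPT", f"dmz -> {self.dmz_host}:{pkt.dport}")
        # 4) otherwise the router stays silent: no reply, nothing for a scanner to see
        return ("DROP", "unsolicited")


def run_demo(dmz_host=None):
    """Constructed traffic: a POS terminal talking to a payment gateway, then outside probes."""
    fw = StatefulFilter(port_forwards={("tcp", 8443): ("192.168.10.20", 443)}, dmz_host=dmz_host)
    packets = [
        Packet("lan", "tcp", "192.168.10.50", 51000, "198.51.100.10", 443),  # POS -> gateway
        Packet("wan", "tcp", "198.51.100.10", 443, WAN_ADDR, 51000),         # gateway reply
        Packet("wan", "tcp", "198.51.100.99", 443, WAN_ADDR, 51000),         # other host, same port
        Packet("wan", "tcp", "192.0.2.66", 40000, WAN_ADDR, 8443),           # hits port-forward rule
        Packet("wan", "tcp", "192.0.2.66", 40001, WAN_ADDR, 22),             # unsolicited probe
        Packet("wan", "udp", "192.168.10.1", 53, WAN_ADDR, 53),              # spoofed LAN source
        Packet("lan", "udp", "10.9.9.9", 1234, "198.51.100.10", 123),        # spoofed from LAN side
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Running `run_demo()` with the default (no DMZ host) drops the probe on port 22; calling `run_demo(dmz_host="192.168.10.99")` shows the same probe being accepted and handed to the DMZ host, which is the behaviour the slide warns about.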
CradlePoint Recommendation: Lock Down the Router Entry Points
(Build and Maintain a Secure Network, R-1: Install & maintain a firewall configuration to protect cardholder data.)

§ Disable UPnP
  – UPnP (Universal Plug and Play) is a set of networking protocols standardized by the UPnP Forum.
  – It enables clients to discover the network configuration and to reconfigure the network to allow traffic through the firewall without direct user interaction.
  – UPnP can simplify the use of consumer devices and other applications that require network configuration,
  – but it also allows unprivileged users, or malware on any LAN host, to open firewall pinholes, which silently bypasses the firewall configuration standard.
§ Disable WAN Pings
  – When disabled, the router does not respond to ping requests from external WAN clients.
  – Ping sweeps are often used by attackers to find live hosts before probing them for vulnerabilities.
§ Use MAC Filtering
  – The MAC filter allows you to create a list of devices that have either exclusive access (white list) or no access (black list) to your wireless LAN.
  – MAC addresses are transmitted in the clear and are trivially cloned, so treat MAC filtering as a hygiene measure on top of strong wireless encryption and authentication, not as an access control on its own.
CradlePoint Recommendation: Lock Down the Router Entry Points (continued)
(Build and Maintain a Secure Network, R-1: Install & maintain a firewall configuration to protect cardholder data.)

§ Use IP Filter Rules
  – "Incoming" IP filter rules restrict remote access to computers on your local network.
  – "Outgoing" IP filter rules prevent computers on your local network from initiating communication to the address range specified in the rule.
  – This feature is especially useful when combined with port forwarding and/or DMZ to restrict remote access to a specified host or network range.
  – With an incoming IP filter rule, you can restrict access to your LAN to only the specific computers or devices authorized to reach it.
§ Disable Remote Administration
  – This prevents external users from reaching the router administration web UI through the WAN.
  – CradlePoint recommends using WiPipe Central to manage the routers, since it uses a device-initiated protocol: the router connects outbound to the management platform, so no administrative port has to be exposed to the Internet.
  – If you decide that you do want to enable remote admin access, configure it to require HTTPS (Requirement 2.3) on a non-standard port, and restrict the permitted source addresses with an incoming IP filter rule.
Requirement 2: Don't Use Vendor-Supplied Defaults

Description: Do not use vendor-supplied defaults for system passwords and other security parameters.
Goal: Build and maintain a secure network.
Requirements:
2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data.
CradlePoint Recommendation: Change the Default Passwords
(Build and Maintain a Secure Network, R-2: Do not use vendor-supplied defaults for system passwords.)

§ CradlePoint's Enhanced Password Protection
  – For out-of-box security, CradlePoint products do not ship with a generic default password.
  – Each router has a unique password that uses a portion of the router's MAC address.
§ PCI-DSS Still Requires a Password Change
  – PCI-DSS Requirement 2.1 requires that the merchant change the default password on the router.
  – Even though the CradlePoint passwords are unique to each individual router, the MAC address is printed on the device label and sent in the clear in every Wi-Fi frame, so a password derived from it is not a secret. CradlePoint recommends that the customer select a new, unique password for each device that is known only to system administrators with a need to know.
§ WiPipe Central
  – Enables password management from a centralized location, eliminating the need to log into each router to change the password.
Requirement 3: Protect Stored Cardholder Data

Description: Protect stored cardholder data.
Goal: Protect cardholder data.
Requirements:
3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
3.2 Do not store sensitive authentication data after authorization (even if encrypted).
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
3.5 Protect any keys used to secure cardholder data against disclosure and misuse.
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
CradlePoint Recommendation: Minimize Resources within the CDE Network Segment
(Protect Cardholder Data, R-3: Protect stored cardholder data.)

§ Network Segmentation
  – Partition network resources into individual "network segments".
  – Resources on one network segment are securely partitioned from other segments.
  – Enables a single router and WAN link to be used for multiple purposes (for example, POS and guest Wi-Fi) while keeping only the payment systems in the CDE segment.
  – Segmentation reduces PCI scope only when the assessor can verify that the CDE segment is actually isolated; a segment that can still reach the CDE remains in scope.
§ Resource Assignment
  – Each network segment can be assigned individual network resources, including:
    § Ethernet ports
    § WiFi SSIDs
    § VLANs
  – Each network segment can be configured with its own:
    § IP address configuration (static, dynamic, range)
    § Routing mode (NAT, non-NAT, public hotspot/captive portal)
    § Access control (admin access, LAN isolation, etc.)
    § Interfaces (choose from WiFi SSIDs, Ethernet groups and VLANs)
Requirement 4: Encrypt Transmission of Cardholder Data

Description: Encrypt transmission of cardholder data across open, public networks.
Goal: Protect cardholder data.
Requirements:
4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPsec, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
Note: The use of WEP as a security control was prohibited as of 30 June 2010.
CradlePoint Recommendation: Create Secure WAN Connectivity
(Protect Cardholder Data, R-4: Encrypt cardholder data across open, public networks.)

§ Virtual Private Network (VPN)
  – VPN tunnels are used to establish a secure connection to a remote network over a public network.
  – For example, VPN tunnels can be used across the Internet by an individual store location to connect to the corporate data center, or by two individual store locations to function as if connected to one network.
  – The two endpoints set up a secure connection across the (normally) insecure Internet by negotiating encryption and authentication for the tunnel.
§ Generic Routing Encapsulation (GRE)
  – GRE tunnels can be used to create a connection between two private networks.
  – CradlePoint routers support both GRE and VPN tunnels.
  – GRE tunnels are simpler to configure and more flexible for different kinds of packet exchanges, but GRE provides no encryption or authentication: a plain GRE tunnel does not satisfy Requirement 4.1 for cardholder data crossing the Internet unless it is carried inside an IPsec tunnel.
CradlePoint Recommendation: Create Secure WAN Connectivity (continued)
(Protect Cardholder Data, R-4: Encrypt cardholder data across open, public networks.)

§ Internet Protocol Security (IPsec)
  – CradlePoint routers use IPsec to authenticate and encrypt packets exchanged across the tunnel.
  – To set up a VPN tunnel with a CradlePoint router on one end, there must be another device (usually a router or VPN concentrator) that also supports IPsec on the other end.
§ Internet Key Exchange (IKE)
  – IKE is the protocol IPsec uses to authenticate the peers and negotiate the session keys.
  – IKE has two phases: Phase 1 establishes the authenticated IKE security association, and Phase 2 negotiates the IPsec security associations that carry the traffic.
  – CradlePoint routers offer several cipher, hash and Diffie-Hellman group options for each phase. The defaults are sufficient for most users, but for PCI the negotiated proposals must meet the DSS definition of "strong cryptography", so confirm that no legacy options such as DES or MD5 are accepted and record the selection in the configuration standard (Requirement 1.1).
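The slides on locking down router entry points, changing the MAC-derived default password, isolating the CDE segment and choosing IKE proposals each describe a setting that an assessor will look at. A practitioner normally turns that list into an automated check against a configuration export, so the same findings are produced for every router rather than by eyeballing each web UI. The script below is an added example and not CradlePoint or WiPipe Central code: the JSON layout and key names are assumptions constructed to mirror the settings named on the slides, the sample export is constructed, and the list of proposal elements treated as weak is an assumed policy reflecting current practice rather than text from the deck.

```python
import copy
import json
import re
import secrets

# Constructed configuration export for one branch router. The layout and key names are
# assumptions for this example, not CradlePoint's real export format; the settings mirror
# the ones named on the slides (remote admin, UPnP, WAN ping, DMZ host, segments, IKE).
ROUTER_CONFIG = json.loads("""
{
  "hostname": "store-0417-rtr",
  "wan_mac": "00:30:44:1A:2B:3C",
  "admin": {"password": "441a2b3c", "remote_admin": true, "https_only": false, "port": 80},
  "firewall": {"spi": true, "anti_spoof": true, "upnp": true, "wan_ping": true, "dmz_host": null},
  "segments": [
    {"name": "POS",   "cde": true,  "lan_isolation": false, "admin_access": false},
    {"name": "Guest", "cde": false, "lan_isolation": true,  "admin_access": true}
  ],
  "ipsec": [
    {"name": "to-datacenter",
     "ike_phase1": {"enc": "3des", "hash": "md5", "dh_group": 2},
     "ike_phase2": {"enc": "aes128", "hash": "sha1"}}
  ]
}
""")

# Proposal elements treated as not "strong cryptography" (assumed policy for this example).
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {1, 2}


def mac_derived(password, mac):
    """True if the password is a run of the MAC's hex digits, i.e. the factory scheme described
    on the slide, which anyone who can read the label or see Wi-Fi frames can reproduce."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return len(password) >= 4 and password.lower() in hexdigits


def audit(cfg):
    """Return (requirement, finding) pairs for each setting that contradicts the recommendations."""
    findings = []
    adm, fw = cfg["admin"], cfg["firewall"]
    if mac_derived(adm["password"], cfg["wan_mac"]):
        findings.append(("2.1", "admin password is the MAC-derived factory default"))
    if adm["remote_admin"]:
        findings.append(("1.3", "router admin UI reachable from the WAN"))
        if not adm["https_only"]:
            findings.append(("2.3", "remote administration is not restricted to HTTPS"))
        if adm["port"] in (80, 443):
            findings.append(("1.2", f"remote administration on standard port {adm['port']}"))
    if fw["upnp"]:
        findings.append(("1.2", "UPnP enabled: LAN clients can open firewall pinholes"))
    if fw["wan_ping"]:
        findings.append(("1.3", "router answers ICMP echo from the WAN"))
    if fw["dmz_host"]:
        findings.append(("1.3", f"DMZ host {fw['dmz_host']} is exposed to the Internet"))
    if not (fw["spi"] and fw["anti_spoof"]):
        findings.append(("1.2", "stateful inspection or anti-spoof disabled"))
    for seg in cfg["segments"]:
        if seg["cde"] and not seg["lan_isolation"]:
            findings.append(("1.2", f"CDE segment {seg['name']} is not isolated from other segments"))
        if not seg["cde"] and seg["admin_access"]:
            findings.append(("1.2", f"router admin UI reachable from untrusted segment {seg['name']}"))
    for tun in cfg["ipsec"]:
        for phase in ("ike_phase1", "ike_phase2"):
            p = tun[phase]
            if p["enc"] in WEAK_CIPHERS or p["hash"] in WEAK_HASHES or p.get("dh_group") in WEAK_DH_GROUPS:
                findings.append(("4.1", f"tunnel {tun['name']} {phase} uses a weak proposal: {p}"))
    return findings


def harden(cfg):
    """Apply the deck's recommendations and return a corrected copy; the input is left untouched."""
    h = copy.deepcopy(cfg)
    h["admin"].update(password=secrets.token_urlsafe(16), remote_admin=False, https_only=True, port=8443)
    h["firewall"].update(spi=True, anti_spoof=True, upnp=False, wan_ping=False, dmz_host=None)
    for seg in h["segments"]:
        if seg["cde"]:
            seg["lan_isolation"] = True
        else:
            seg["admin_access"] = False
    for tun in h["ipsec"]:
        # Assumed replacement proposal; in practice pick what the far-end concentrator supports.
        tun["ike_phase1"] = {"enc": "aes256", "hash": "sha256", "dh_group": 14}
        tun["ike_phase2"] = {"enc": "aes256", "hash": "sha256"}
    return h


if __name__ == "__main__":
    for req, text in audit(ROUTER_CONFIG):
        print(f"Req {req}: {text}")
    print("after hardening:", audit(harden(ROUTER_CONFIG)))
```

The constructed export produces nine findings, and `audit(harden(ROUTER_CONFIG))` returns an empty list, which is the check worth keeping in a change pipeline: the hardened template is only useful if the auditor agrees it is clean.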
Requirement 5: Use Anti-Virus Software

Description: Use and regularly update anti-virus software or programs.
Goal: Maintain a vulnerability management program.
Requirements:
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
Requirement 6: Develop & Maintain Secure Systems & Apps

Description: Develop and maintain secure systems and applications.
Goal: Maintain a vulnerability management program.
Requirements:
6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
6.3 Develop software applications in accordance with PCI DSS and based on industry best practices.
6.4 Follow change control processes and procedures for all changes to system components.
6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
CradlePoint Recommendation: Keep Device Firmware Updated with WiPipe Central
(Maintain a Vulnerability Management Program, R-6: Develop and maintain secure systems and applications.)

§ Rationale
  – Attackers use security vulnerabilities to gain privileged access to systems.
  – The PCI-DSS 2.0 document recognizes that providers of system components (including network devices) regularly test for new vulnerabilities.
  – Component providers regularly issue software upgrades to address these issues.
§ PCI Requirement 6.1
  – Mandates that all critical systems have the most recently released, appropriate software patches, to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.
  – Requires that critical security patches be installed within one month of release.
§ WiPipe Central Firmware Management
  – WiPipe Central enables each device group to have a firmware version selected to be used on all devices in the group.
  – Network administrators choose the firmware version for a given group by selecting it from the list.
  – The facility allows the firmware version to be downgraded as well as upgraded.
  – If any devices are upgraded, either accidentally or without authorization, WiPipe Central automatically reverts them to the group's selected version. This pinning cuts both ways: the group's selected version must itself be advanced within the one-month window of Requirement 6.1, or the platform will hold every router on the old, vulnerable firmware.
CradlePoint Recommendation: Lock Down the Configuration with WiPipe Central
(Maintain a Vulnerability Management Program, R-6: Develop and maintain secure systems and applications.)

§ Centralized Configuration Management
  – Enables group management of deployed routers.
  – Group configuration ensures that routers are consistently configured.
  – Enables central control of device configuration.
§ Prevent Unauthorized Changes
  – If individual router configurations are accidentally or maliciously changed, WiPipe Central detects and reverses the change.
  – Enables administrators to ensure that router configurations are "locked down".
§ Require Changes to be Made through WiPipe Central
  – Creates an audit log of who changed what and when, supporting the change control process of Requirement 6.4 and the access tracking of Requirement 10.
Requirement 7: Restrict Access to Cardholder Data

Description: Restrict access to cardholder data by business need to know.
Goal: Implement strong access control measures.
Requirements:
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
Requirement 8: Assign Unique IDs to Each Person with Access

Description: Assign a unique ID to each person with computer access.
Goal: Implement strong access control measures.
Requirements:
8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
8.2 In addition to assigning a unique ID, employ methods to authenticate all users: password or passphrase, token device or smart card, biometric.
8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.
Requirement 9: Restrict Physical Access to Cardholder Data

Description: Restrict physical access to cardholder data.
Goal: Implement strong access control measures.
Requirements:
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible.
9.3 Make sure all visitors are authorized, given a badge, and the badge collected on exit.
9.4 Use a visitor log to maintain a physical audit trail of visitor activity.
9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location's security.
9.6 Physically secure all media.
9.7 Maintain strict control over the internal or external distribution of any kind of media.
9.8 Ensure management approves any and all media that is moved from a secured area.
9.9 Maintain strict control over the storage and accessibility of media.
9.10 Destroy media when it is no longer needed for business or legal reasons.
Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

Description: Track and monitor all access to network resources and cardholder data.
Goal: Regularly monitor and test networks.
Requirements:
10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
10.2 Implement automated audit trails for all system components to reconstruct the various important events named in the requirements.
10.3 Record audit trail entries for all system components for each event as defined.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times, and ensure that the following is implemented for acquiring, distributing, and storing time.
10.5 Secure audit trails so they cannot be altered.
10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (i.e. online, archived, or restorable from back-up).
CradlePoint Recommendation: Utilize an External Syslog Server
(Regularly Monitor and Test Networks, R-10: Track & monitor all access to network resources & cardholder data.)

§ System Logs as an Audit Trail
  – The router automatically logs (records) events of possible interest in its internal memory.
  – The log options allow you to filter the router logs by category, customizing the types and severity of events to record and the level of events to view.
  – System logs can be used to identify:
    § Unauthorized login attempts
    § Unauthorized configuration changes
    § Penetration attempts
    § Security attacks
§ Persistence Preserves the Audit Trail
  – Logs held only in the router's memory are lost on reboot or power loss and can be cleared by anyone who obtains admin access, so on their own they satisfy neither 10.5 (audit trails secured from alteration) nor 10.7 (one year of retention).
  – Use WiPipe Central to centrally collect and store the system logs.
  – Alternatively, the router can be configured to send its logs to an external syslog server.
CradlePoint Recommendation: Utilize an External Time Server
(Regularly Monitor and Test Networks, R-10: Track & monitor all access to network resources & cardholder data.)

§ Time Synchronization
  – Configure routers to synchronize with an external time server.
  – Consistent, trusted timestamps make it harder to alter system logs or hide attacks, and allow events from routers, servers and POS devices to be correlated.
  – Network Time Protocol (NTP) enables the router to synchronize its system time with a remote server on the Internet.
  – NTP is an essential part of using system logs to monitor PCI compliance (Requirement 10.4).
§ NTP Server Options
  – pool.ntp.org
  – time.nist.gov
  – time.windows.com
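The syslog slide lists what router logs can reveal (unauthorized logins, unauthorized configuration changes) and the NTP slide explains why the timestamps have to be trustworthy; Requirement 10.6 then asks for a daily review. The following review pass, over lines a router might send to an external syslog server, is an added example and not CradlePoint code: the RFC 3164-style line format, the message wording, the hostnames and addresses, and the approved change window are all constructed assumptions for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed syslog lines (RFC 3164 style) as an external syslog server might receive them.
# The message wording is an assumption for this example, not CradlePoint's actual log format.
SAMPLE_LOG = """\
<38>Jul 31 09:00:01 store-0417-rtr admin: login ok user=netops from=10.20.0.5
<38>Jul 31 09:00:09 store-0417-rtr admin: login failed user=admin from=203.0.113.44
<38>Jul 31 09:00:11 store-0417-rtr admin: login failed user=admin from=203.0.113.44
<38>Jul 31 09:00:12 store-0417-rtr admin: login failed user=root from=203.0.113.44
<38>Jul 31 09:00:14 store-0417-rtr admin: login failed user=admin from=203.0.113.44
<38>Jul 31 09:00:15 store-0417-rtr admin: login failed user=admin from=203.0.113.44
<38>Jul 31 09:00:16 store-0417-rtr admin: login failed user=admin from=203.0.113.44
<30>Jul 31 09:15:00 store-0417-rtr config: changed admin.remote_admin=true by=netops
<30>Jul 31 02:05:30 store-0417-rtr config: changed firewall.upnp=true by=netops
<30>Jul 31 09:30:00 store-0417-rtr ntp: synchronized to pool.ntp.org
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\w+): (?P<msg>.*)$")
FAIL_THRESHOLD = 5      # failed logins from one source before it is reported as a brute-force attempt
CHANGE_WINDOW = (1, 5)  # assumed approved maintenance window: 01:00 <= hour < 05:00


def parse(log_text):
    """Parse syslog lines into dicts; unparsable lines are reported rather than silently dropped."""
    events, bad = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            bad.append(raw)
            continue
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]})
    return events, bad


def review(log_text):
    """One daily review pass; returns (requirement, finding) pairs for a human to triage."""
    events, bad = parse(log_text)
    findings = [("10.3", f"unparsable log line: {line}") for line in bad]

    # Unauthorized login attempts: repeated failures from a single source address.
    failures = Counter()
    for e in events:
        if e["tag"] == "admin" and e["msg"].startswith("login failed"):
            failures[re.search(r"from=(\S+)", e["msg"]).group(1)] += 1
    for src, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("10.2", f"{n} failed admin logins from {src}"))

    # Unauthorized configuration changes: anything outside the approved change window.
    for e in events:
        if e["tag"] == "config" and not (CHANGE_WINDOW[0] <= e["ts"].hour < CHANGE_WINDOW[1]):
            findings.append(("6.4", f"config change outside change window at {e['ts']:%H:%M:%S}: {e['msg']}"))

    # Clock integrity: a timestamp earlier than its predecessor means the router clock jumped
    # (no working NTP) or the log was edited; either way the audit trail cannot be trusted.
    for prev, cur in zip(events, events[1:]):
        if cur["ts"] < prev["ts"]:
            findings.append(("10.4", f"clock went backwards: {prev['ts']:%H:%M:%S} -> {cur['ts']:%H:%M:%S}"))
    return findings


if __name__ == "__main__":
    for req, text in review(SAMPLE_LOG):
        print(f"Req {req}: {text}")
```

On the constructed sample this yields three findings: six failed admin logins from one Internet address, a configuration change made during business hours, and a timestamp that runs backwards between the two configuration changes. The last one is why the NTP recommendation belongs with the logging recommendation: without synchronized clocks the reviewer cannot tell a late change from a tampered log.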
Requirement 11 Test Security Systems and Processes
Achieving PCI Compliance
37
Description: Regularly test security systems and processes.
Goal: Track and monitor all access to network resources and cardholder data.
Requirements:
11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.
11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the CDE as well as at critical points inside of the CDE, and alert personnel to suspected compromises.
11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
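Requirement 11.5 is the one a small team can satisfy with very little tooling. The following is an added example (not CradlePoint's or a product's code) of the core of a file-integrity monitor: record a SHA-256 baseline of the configuration files you care about, store it somewhere the monitored host cannot rewrite, and on each weekly run report what was added, removed or modified. The file names, contents and the "unauthorized change" scenario in `demo()` are constructed for illustration.

```python
"""Minimal file-integrity monitoring (PCI-DSS Req. 11.5): baseline critical
files, then report anything added, removed or modified on the next run."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, patterns=("*.conf", "*.cfg", "*.rules")):
    """Map each monitored file (path relative to root) to its digest and size."""
    root = Path(root)
    baseline = {}
    for pat in patterns:
        for p in sorted(root.rglob(pat)):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                baseline[rel] = {"sha256": file_digest(p), "size": p.stat().st_size}
    return baseline


def compare(baseline, current):
    """Return the three change sets an FIM alert is built from."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(f for f in old & new
                           if baseline[f]["sha256"] != current[f]["sha256"]),
    }


def save_baseline(baseline, path):
    # In production keep this file off the monitored host (or sign it):
    # a baseline the attacker can rewrite detects nothing.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: three config files are baselined, then one is
    edited, one deleted and one unexpected file appears before the weekly run."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "firewall.rules").write_text("deny in from any to 10.10.1.0/24\n")
        (root / "etc" / "syslog.conf").write_text("*.* @10.10.9.5:514\n")
        (root / "etc" / "ntp.conf").write_text("server pool.ntp.org\n")
        baseline_file = root / "baseline.json"  # .json is outside the monitored patterns
        save_baseline(build_baseline(root), baseline_file)

        # Changes nobody approved: a rule is loosened, the NTP config is gone,
        # and a configuration file that was never baselined shows up.
        (root / "etc" / "firewall.rules").write_text("allow in from any to 10.10.1.0/24\n")
        (root / "etc" / "ntp.conf").unlink()
        (root / "etc" / "unexpected.cfg").write_text("new-setting=1\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is deliberately dumb: any byte change in a monitored file is a finding, and it is the change-control record, not the tool, that decides whether the finding was authorized. Run it from a scheduler at least weekly, as 11.5 requires, and route the output to the same syslog server the earlier slides recommend so the alert itself lands in the audit trail.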
Requirement 12 Information Security Policy for Personnel
Description: Maintain a policy that addresses information security for all personnel.
Goal: Maintain an information security policy.
Requirements:
12.1 Establish, publish, maintain, and disseminate a security policy.
12.2 Develop daily operational security procedures.
12.3 Develop usage policies for critical technologies (for example, remote access, wireless) and define proper use of these technologies.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
12.5 Assign to an individual or team defined information security management responsibilities.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers.
12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
Summary of Recommendations
§ Step 1: Segment the network into individual “security zones”
§ Step 2: Configure the firewall
§ Step 3: Lock down the router entry points
§ Step 4: Change the default passwords
§ Step 5: Minimize resources within CDE network segment
§ Step 6: Create secure WAN connectivity
§ Step 7: Keep device updated with the latest firmware using WPC
§ Step 8: Lock down the configuration with WiPipe Central
§ Step 9: Configure communication with an external SysLog server
§ Step 10: Configure communication with an external Time server
§ Step 11: Monitor PCI Compliance with WiPipe Central
§ CradlePoint Enablers for PCI Compliance
– CradlePoint routers provide several features to enable compliance with the PCI-DSS 2.0 requirements.
– PCI Compliance requires routers to be properly configured, monitored & maintained.
– WiPipe Central's PCI Compliance Monitoring application enables customers to demonstrate compliance in real time, not just for the quarterly or annual audits.
§ CradlePoint can Help
– The "CradlePoint Enablers for a PCI Compliant System" application note provides details regarding CradlePoint features and capabilities that other customers have used to help achieve PCI Compliance for their end-to-end systems.
– CradlePoint professional services can guide customers through the installation, configuration and monitoring process.
§ Proven Success
– CradlePoint devices are utilized in several large-scale, PCI-compliant deployments.
Questions?
[email protected] www.CradlePoint.com
www.cradlepoint.com
www.cradlepoint.com/WiPipe
www.cradlepoint.com/4g-3g-network-solutions/case-studies
Ken Hosac VP Business Development
Rudy Cedillo Sr. Enterprise Support Engineer
Key Solution Features for PCI Compliance
§ PCI Compliance Monitoring application for WiPipe Central, to manage configuration, firmware updates and monitor usage.
§ Network Segmentation (Ethernet, SSID and VLAN)
§ Ethernet ports (4) that can be individually assigned to specific segments
§ WiFi SSIDs (4) that can be individually secured and assigned to specific segments
§ Virtual LAN support and tagging (VLAN)
§ Stateful Packet Inspection (SPI)
§ Network Address Translation (NAT)
§ Application Level Gateways (ALG)
§ Inbound filtering of IP addresses
§ De-Militarized Zone (DMZ)
§ Virtual Server
§ Ability to disable WAN services (ping, SNMP, web-based mgmt, etc.)
§ MAC filtering
§ Session filtering (non-UDP/TCP/ICMP)
§ Layer 2 Tunneling Protocol (L2TP)
§ VPN Client with support for up to 20 tunnels (product-specific)
§ IPSec
§ GRE
§ WiFi security (WPA/WPA2 Personal/Enterprise, AES/TKIP)
§ RADIUS user authentication on WiFi
§ SysLog support
§ Alerting