PCI Security Best Practices - PowerPoint PPT Presentation

About This Presentation
Title:

PCI Security Best Practices

Description:

PCI Security Best Practices PCI Requirement 12 Maintain a policy that addresses information security for employees and contractors Establish, publish, maintain, and ... – PowerPoint PPT presentation

Number of Views:161
Avg rating:3.0/5.0
Slides: 22
Provided by: bestitdoc9

Transcript and Presenter's Notes


1
PCI Security Best Practices
2
PCI Defined
3
The PCI Data Security Standard
  • Published January 2005; version 1.1 released Sept 7, 2006
  • Impacts ALL who
    • Process
    • Transmit
    • Store cardholder data
  • Developed by MasterCard and Visa, endorsed by other brands
  • Global reach (AIS, Account Information Security, is the regulation outside of the US)

Payment Card Industry Data Security Standard, January 2005
4
PCI Industry Updates
  • Level 1 Merchants deadline is Sept 30, 2007 (GLOBAL)
  • Level 2 Merchants deadline is Dec 30, 2007 (US)
  • Impact of non-compliance: 25,000 - 100,000 per month fine
    and reduced 1 level in tier service, which means
    increased clearinghouse fees
  • Merchants achieving PCI compliance by Sept 30, 2008 AND
    showing committed progress by Sept 30, 2007 will be
    eligible for 3 months' repayment of fines and service
    increases
  • Acquiring banks will be fined 25k for EVERY PCI
    non-compliant client
  • Universities are publicized for security breach
    incidents including stolen credit card information
    (http://www.attrition.org/dataloss)
  • US states are now passing/proposing credit card
    security laws: Minnesota, California, Connecticut,
    Illinois

5
PCI Compliance Validation
Visa merchant statistics (the four status columns are percentages of the population; each row sums to 100):

Level | Population | PCI DSS Compliance Validated | Initial Validation Submitted / Remediating | Initial Validation in Progress | Pending Commitment
1     | 327        | 44 | 54 | 2  | 0
2     | 729        | 38 | 44 | 18 | 0
3     | 2494       | 54 | 20 | 24 | 2

Level 1 merchants are required to validate by 9/30/07; Level 2 merchants by 12/30/07. 98% of Level 1 and 2 merchants confirm they do not store prohibited data.
Source: Visa website, http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf?itc/merchants/risk_management/cisp_merchants.htmlMerchant%20PCI%20DSS%20Compliance%20Update
6
Categories of Merchants
Category          | Criteria                                                                                                                       | Requirement
Level 1 Merchants | 6,000,000 Visa/MC/AMEX transactions per year, or any merchant that has suffered a hack or an attack that resulted in an account data compromise | Annual onsite PCI Data Security Assessment; quarterly network scan
Level 2 Merchants | 1 million to 6 million transactions per year                                                                                   | Quarterly network scan; annual self-assessment
Level 3 Merchants | 20,000 to 1 million e-commerce transactions per year                                                                           | Quarterly network scan; annual self-assessment
Level 4 Merchants | < 20,000 Visa e-commerce transactions per year                                                                                 | Quarterly network scan; annual self-assessment
7
How To Apply Security Best Practices to PCI
8
PCI Scope May Include More Network Areas Than You Think
[Network diagram: Remote Location, Network Management Center, Internet Edge, Main Office and Data Center. Labelled elements: ACS, CSM, NAC, NCM/CAS, CS-MARS, 7200/7300 router, ASA, 6500/7600 FWSM, ISR, Catalyst and 6500 switches, wireless access points (WAP) and wireless devices, mobile POS, POS cash register, POS server, store worker PC, credit card storage, e-commerce, with CSA on hosts]
  • Book stores, box office, satellite campus: any remote
    site that takes credit cards on your network
  • On-line payments of any kind that go across your
    network (classes, tickets, etc.)
  • Who has access to cardholder information on the LAN?
    This is part of PCI
  • Do you store cardholder data in your data center(s)?
9
Three Architecture Footprints
Small
Medium
Large
10
PCI Solution Design Guidance: Example from the Solution Design Guide
  • PCI Requirement 1.3.5
  • Cisco specific recommendations
  • Illustrations to provide clarity
  • Sample configuration
11
The PCI Data Security Standard

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
12
PCI Requirement 1
  • Install and maintain a firewall configuration to
    protect data
  • Configuration standards and documentation
  • Segment cardholder data from all other data
  • Firewall at public connections (inbound and outbound)
  • Wireless
  • Personal firewall

13
Requirement 1: Install and maintain a firewall configuration to protect data
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 1]
14
PCI Requirement 2
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters
  • Change vendor-supplied defaults
  • Wireless: change wireless vendor defaults, disable
    SSID broadcasts, use WPA/WPA2
  • Configuration standards for all system components
  • Implement one primary function per server
  • Disable all unnecessary and insecure services and
    protocols

15
Requirement 2: Do not use vendor-supplied defaults for system settings
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 2]
16
PCI Requirement 3
  • Protect stored data
  • Keep cardholder data storage to a minimum
  • Do not store the full contents of any track from
    the magnetic stripe (also called full track, track,
    track 1, track 2 and magnetic stripe data), the
    card-validation code or value, or the PIN
  • Mask the PAN when displayed, and render it unreadable
    when stored (hashed indexes, truncation, index tokens
    and pads, strong cryptography, disk encryption)
  • Document and implement key management processes
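The bullets above name the storage forms (truncation, hashed index, masking) and the data that must never be written (full track data). Here is an added example, not code from the presentation or from Cisco, showing each in working Python. Everything in it is an assumption for illustration: the demo key is constructed (a real one comes from the key-management process the last bullet refers to), the track-data regexes describe the common on-disk shape of track 1 and track 2, and the functions and names are my own.

```python
import hashlib
import hmac
import re

# Constructed demo key. In practice the key comes from the documented
# key-management process (Requirement 3), never from source code.
DEMO_INDEX_KEY = b"constructed-demo-key-not-for-production"

# Shapes of full track data as it appears when a magnetic stripe read is
# written to disk or a log: track 1 starts with %B and separates fields
# with ^; track 2 starts with ; and separates the PAN from expiry with =.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def digits_only(pan: str) -> str:
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: separates a well-formed PAN from random digit runs."""
    d = [int(c) for c in digits_only(pan)]
    if not 13 <= len(d) <= 19:
        return False
    total = 0
    for i, n in enumerate(reversed(d)):
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    d = digits_only(pan)
    if len(d) < 11:
        raise ValueError("PAN too short to mask")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when only the last four digits are needed (receipts, lookups)."""
    return digits_only(pan)[-4:]


def index_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN, usable as a database index.
    An unkeyed hash would be reversible by hashing every candidate PAN,
    so the key is what makes this unreadable rather than merely encoded."""
    return hmac.new(key, digits_only(pan).encode(), hashlib.sha256).hexdigest()


def contains_prohibited_data(record: str) -> bool:
    """True if a stored record still carries full track 1 or track 2 data."""
    return bool(TRACK1_RE.search(record) or TRACK2_RE.search(record))


def storable_record(pan: str, key: bytes) -> dict:
    """What a row may hold instead of the PAN: truncation, keyed index, display mask."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return {
        "last4": truncate_pan(pan),
        "index": index_token(pan, key),
        "display": mask_pan(pan),
    }
```

`contains_prohibited_data` is the check to run over anything the POS writes (databases, debug logs, crash dumps); the slide's point is that track data is prohibited everywhere, not only in the cardholder table. `storable_record` is the shape a row should have once the PAN itself has been discarded.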

17
Requirement 3: Protect Stored Data
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 3; credit card storage is marked for disk encryption and Cisco Security Agent is shown on the POS server]
18
PCI Requirement 4
  • Encrypt transmission of cardholder data across
    open, public networks
  • Use SSL/TLS or IPSec; WPA for wireless
  • If using WEP:
    • Use with a minimum 104-bit encryption key and
      24-bit initialization value
    • Use ONLY in conjunction with WPA/WPA2, VPN or
      SSL/TLS
    • Rotate shared WEP keys quarterly (or
      automatically)
    • Restrict access based on MAC address
  • Never send unencrypted PANs by e-mail

19
Requirement 4: Encrypt transmission of cardholder data across public networks
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 4]
20
PCI Requirement 5
  • Use and regularly update anti-virus software or
    programs
  • Deploy anti-virus software on all systems
    commonly affected by viruses
  • AV programs capable of detecting, removing, and
    protecting against all forms of malicious
    software, including spyware and adware
  • Ensure that all AV mechanisms are current,
    actively running, and capable of generating audit
    logs

21
Requirement 5: Use and regularly update anti-virus software
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 5, with CSA shown on POS and management hosts]
22
PCI Requirement 6
  • Develop and maintain secure systems and
    applications
  • Systems and software have the latest vendor-supplied
    security patches installed; install relevant
    security patches within one month of release
  • Establish a process to identify new security
    vulnerabilities (subscribe to alert services,
    etc.)
  • Develop SW applications based on industry best
    practices and incorporate security throughout the
    SW development lifecycle
  • Develop web applications based on secure coding
    guidelines such as the Open Web Application
    Security Project
  • Web-facing applications are protected against
    known attacks by installing an application layer
    firewall in front of them, or by having the
    application code reviewed by a specialized
    application security organization

23
Requirement 6: Develop and maintain secure systems and applications
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 6]
24
PCI Requirement 7
  • Restrict access to cardholder data by business
    need-to-know
  • Limit access to computing resources and
    cardholder information only to those individuals
    whose job requires such access
  • Establish a mechanism for systems with multiple
    users that restricts access based on a user's
    need-to-know and is set to deny all unless
    specifically allowed

25
Requirement 7: Restrict access to data by business need-to-know
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 7]
26
PCI Requirement 8
  • Assign a unique ID to each person with computer
    access
  • Identify all users with a unique user name before
    allowing access to system components or
    cardholder data
  • In addition, employ one method of authentication
    (password, token devices (SecurID), certificates
    or public key, biometrics)
  • Implement 2-factor authentication
  • Encrypt all passwords during transmission and
    storage
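Requirement 7 (deny all unless specifically allowed) and Requirement 8 (a unique ID per person, passwords never stored readable) fit together as one authenticate-then-authorize path. The following is an added example, not code from the presentation or from Cisco: the class names, the user and resource names, and the choice of PBKDF2-HMAC-SHA256 with a per-user random salt as the way to render stored passwords unreadable are my assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation; the stored value is a verifier, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    """One record per person (Requirement 8): a unique user ID and a
    salted, slow-hashed password verifier instead of the password itself."""

    def __init__(self):
        self._users = {}                               # user_id -> (salt, verifier)
        self._dummy_salt = secrets.token_bytes(SALT_BYTES)

    def add_user(self, user_id: str, password: str) -> None:
        if user_id in self._users:
            # Shared or duplicated IDs break the audit trail; refuse them.
            raise ValueError(f"user ID already assigned: {user_id}")
        salt = secrets.token_bytes(SALT_BYTES)
        self._users[user_id] = (salt, _derive(password, salt))

    def verify(self, user_id: str, password: str) -> bool:
        record = self._users.get(user_id)
        if record is None:
            # Same amount of work for unknown IDs, so response time does
            # not reveal which user names exist.
            _derive(password, self._dummy_salt)
            return False
        salt, verifier = record
        return hmac.compare_digest(_derive(password, salt), verifier)


class AccessPolicy:
    """Deny all unless specifically allowed (Requirement 7)."""

    def __init__(self):
        self._grants = set()                           # (user_id, resource, action)

    def grant(self, user_id: str, resource: str, action: str) -> None:
        self._grants.add((user_id, resource, action))

    def is_allowed(self, user_id: str, resource: str, action: str) -> bool:
        # No grant, no access: there is no default-allow path anywhere.
        return (user_id, resource, action) in self._grants


def authorize(store: CredentialStore, policy: AccessPolicy,
              user_id: str, password: str, resource: str, action: str) -> bool:
    """Authenticate first, then check the explicit grant; both must pass."""
    return store.verify(user_id, password) and policy.is_allowed(user_id, resource, action)


if __name__ == "__main__":
    store, policy = CredentialStore(), AccessPolicy()
    store.add_user("jdoe", "correct horse battery")    # constructed demo credentials
    policy.grant("jdoe", "cardholder_db", "read")
    print(authorize(store, policy, "jdoe", "correct horse battery", "cardholder_db", "read"))
    print(authorize(store, policy, "jdoe", "correct horse battery", "cardholder_db", "write"))
```

The two classes are deliberately separate: the credential store only answers "is this the person who owns this ID", and the policy only answers "does this ID have this exact grant". Putting the 2-factor step the slide calls for in front of `verify` does not change either answer.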

27
Requirement 8: Assign a unique ID to each person with computer access
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 8]
28
PCI Requirement 9
  • Restrict physical access to cardholder data
  • Facility entry controls; monitor physical access
    to systems that store, process or transmit
    cardholder data
  • Cameras to monitor sensitive areas
  • Restrict physical access to network jacks,
    wireless access points, gateways, and handheld
    devices
  • Distinguish between employees and visitors
  • Visitor log-in, physical token, and authorization
    before entering the area
  • Physically secure cardholder data media
  • Destroy media when it is no longer needed

29
Requirement 9: Restrict Physical Access
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 9]
30
PCI Requirement 10
  • Track and monitor all access to network resources
    and cardholder data
  • Implement automated audit trails
  • Record audit trail entries
  • Secure audit trails so they cannot be altered
  • Review logs for all system components at least
    daily
  • Destroy media when it is no longer needed
  • Retain audit trail history for at least one year,
    with a minimum of three months online availability
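"Secure audit trails so they cannot be altered" and "review logs at least daily" are the two bullets above that need mechanism rather than policy. An added example (not code from the presentation or from Cisco) of a hash-chained audit trail: each entry records the hash of its predecessor, so editing or deleting an earlier entry breaks every hash after it. The entry fields, the review filter and the constructed sample events are my assumptions.

```python
import hashlib
import json
import time

GENESIS_HASH = "0" * 64   # chain anchor for the first entry


def _entry_digest(entry: dict) -> str:
    """SHA-256 over the entry's fields (everything except its own 'hash')."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    """Append-only trail where each entry carries the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def record(self, user_id: str, action: str, resource: str, outcome: str, ts=None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "ts": time.time() if ts is None else ts,
            "user": user_id,
            "action": action,
            "resource": resource,
            "outcome": outcome,
            "prev": prev,
        }
        entry["hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of the first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or _entry_digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def daily_review(trail: AuditTrail, since_ts) -> list:
    """Entries since `since_ts` a daily review should look at: every failure,
    plus every access to a cardholder-data resource regardless of outcome."""
    return [
        e for e in trail.entries
        if e["ts"] >= since_ts
        and (e["outcome"] != "success" or e["resource"].startswith("cardholder"))
    ]


if __name__ == "__main__":
    # Constructed sample events.
    trail = AuditTrail()
    trail.record("jdoe", "login", "pos-server", "success")
    trail.record("jdoe", "read", "cardholder-db", "success")
    trail.record("unknown", "login", "pos-server", "failure")
    print(trail.verify())
    trail.entries[1]["user"] = "someone_else"     # simulated after-the-fact edit
    print(trail.verify())
```

The chain detects edits and deletions in the middle of the trail; it does not by itself detect truncation of the tail, which is why the latest hash (or the trail itself) also has to leave the box promptly for a separate collector, the role the slide's diagram gives CS-MARS. The one-year retention with three months online then applies to the collector's copy, not only to the host's.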

31
Requirement 10: Track and Monitor all access to network and cardholder data
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 10]
32
PCI Requirement 11
  • Regularly test security systems and processes
  • Use a wireless analyzer at least quarterly to
    identify all wireless devices in use
  • Run internal and external network vulnerability
    scans at least quarterly and after any
    significant change in the network
  • Perform penetration testing at least once a year
    and after any significant upgrade or modification
  • Use NIDS/IPS, HIDS/HIPS
  • Deploy file integrity monitoring software to
    perform critical file comparisons at least weekly
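The last bullet above, file integrity monitoring with a weekly comparison of critical files, is concrete enough to show end to end. This is an added example, not code from the presentation or from Cisco: it takes a baseline of SHA-256, size and mode for every file under a directory, stores it as JSON, and reports what was added, removed or modified on the next run. The directory layout, file names and contents in `demo_run` are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile


def file_digest(path: str, chunk_size: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """relative path -> {sha256, size, mode} for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            baseline[rel] = {"sha256": file_digest(path), "size": st.st_size, "mode": oct(st.st_mode)}
    return baseline


def compare_baseline(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths between two baselines."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: str) -> None:
    # The baseline itself is a critical file: keep it off the monitored host
    # or under the same protection as the audit trail.
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=2)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo_run() -> dict:
    """Constructed scenario: baseline a small tree, change it, compare."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    store = tempfile.mkdtemp(prefix="fim-baseline-")
    try:
        os.makedirs(os.path.join(root, "pos"))
        config = os.path.join(root, "pos", "config.ini")
        binary = os.path.join(root, "pos", "app.bin")
        with open(config, "w") as f:
            f.write("[pos]\nstore_pan=no\n")
        with open(binary, "wb") as f:
            f.write(b"constructed binary contents")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Changes the weekly comparison should catch.
        with open(config, "a") as f:
            f.write("store_pan=yes\n")                       # modified
        os.remove(binary)                                    # removed
        with open(os.path.join(root, "pos", "extra.bin"), "wb") as f:
            f.write(b"constructed unexpected file")          # added

        return compare_baseline(load_baseline(baseline_path), build_baseline(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)


if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=2))
```

In production the comparison runs on a schedule against the POS application directory, its configuration and the OS binaries, and a non-empty report is itself an event for the Requirement 10 audit trail; the demo keeps everything in temporary directories so it runs anywhere.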

33
Requirement 11: Regularly test security systems and processes
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 11]
34
PCI Requirement 12
  • Maintain a policy that addresses information
    security for employees and contractors
  • Establish, publish, maintain, and disseminate a
    security policy
  • Develop usage policies for critical
    employee-facing technologies
  • Implement a security awareness program
  • Implement an incident response plan
  • If cardholder data is shared with service
    providers, the SP must adhere to the PCI DSS
    requirements

35
Requirement 12: Maintain a policy that addresses information security
[Network diagram: the reference architecture from slide 8 (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center), annotated for Requirement 12]
36
Cisco Security Best Practices for PCI
[Network diagram: the reference architecture (Remote Location, Network Management Center, Internet Edge, Main Office, Data Center) with the Cisco products named: Cisco Security Agent (CSA) on POS terminal, POS server, store worker PC, credit card storage and e-commerce hosts; Cisco Security Management, ACS, NAC and CS-MARS in the management center; ASA 5500, 7300 router and WAP 1200 at the remote location; ASA, 6500 switch and 6500/7600 FWSM at the Internet edge; Integrated Services Router (ISR) and WAP at the main office. Requirements 1 through 12 are mapped onto the elements that satisfy them]
37
PCI -> HIPAA with the same Security Best Practices.
[Diagram: the same architecture applied to HIPAA: Data Center with an ePHI storage server, Clinic, Campus, Internet Edge/DMZ, Network Management Center and Remote Clinician; elements labelled 6500, 7300, 3750, ISR, CS-MARS, CSM, ASA, CSA, CSD, NCM/CAS, ACS and NAC; Categories 1 through 8 mapped onto them]