PCI Security Best Practices - PowerPoint PPT Presentation

About This Presentation
Title:

PCI Security Best Practices

Description:

PCI Security Best Practices PCI Requirement 12 Maintain a policy that addresses information security for employees and contractors Establish, publish, maintain, and ... – PowerPoint PPT presentation

Number of Views:163
Avg rating:3.0/5.0
Slides: 22
Provided by: bestitdoc9
Category:

less

Transcript and Presenter's Notes

Title: PCI Security Best Practices


1
PCI Security Best Practices
2
PCI Defined
3
The PCI Data Security Standard
  • Published January 2005, ver 1.1 released Sept 7,
    2006
  • Impacts ALL who
  • Process
  • Transmit
  • Store cardholder data
  • Developed by MasterCard and Visa, endorsed by
    other brands
  • Global reach (AIS regulation outside of US)
  • Account Information Security

Payment Card Industry Data Security
Standard January 2005
4
PCI Industry Updates
  • Level 1 Merchants Deadline is Sept 30, 2007
    (GLOBAL)
  • Level 2 Merchants Deadline is Dec 30, 2007 (US)
  • Impact of non-compliance 25,000 - 100,000 per
    month fine and reduced 1 level in Tier service
    gtincreased clearinghouse fees
  • Merchants achieving PCI compliance by Sept 30,
    2008 AND showed committed progress by Sept 30,
    2007 will be eligible for 3 months repayment of
    fines and service increases
  • Acquiring Banks will be fined 25k for EVERY PCI
    non-compliant client
  • Universities are publicized for security breach
    incidents including stolen credit card
    information (http//www.attrition.org/dataloss)
  • US States are now passing/proposing credit card
    security laws Minnesota, California,
    Connecticut, Illinois

5
PCI Compliance Validation
Level Population PCI DSS Compliance Validated Initial Validation Submitted/ Remediating Initial Validation in Progress Pending Commitment
1 327 44 54 2 0
2 729 38 44 18 0
3 2494 54 20 24 2
Level 1 merchants required to validate by
9/30/07 Level 2 merchants required to validate by
12/30/07 98 Level 1 and 2 merchants confirm
they do not store prohibited data.
Source Visa website http//usa.visa.com/download/
merchants/cisp_pcidss_compliancestats.pdf?itc/me
rchants/risk_management/cisp_merchants.htmlMercha
nt20PCI20DSS20Compliance20Update
6
Categories of Merchants
Category Criteria Requirement
Level 1 Merchants 6,000,000 Visa/MC/AMEX transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise Annual onsite PCI Data Security Assessment Quarterly network scan
Level 2 Merchants 1 million 6 million transactions per year. Quarterly networks scan Annual self-assessment
Level 3 Merchants 20,00 1 million e-commerce transactions per year Quarterly network scan Annual self-assessment
Level 4 Merchants lt 20,000 VISA e-commerce transactions per year Quarterly network scan Annual self-assessment
7
How To Apply Security Best Practices to PCI
8
PCI Scope May Include More Network Areas Than You
Think
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
Book Stores Box Office Satellite campus Any
remote site that takes credit cards on your
network
On-line payments of any kind that go across your
network (classes, tickets, etc)
Who has access to cardholder information on the
LAN? This is part of PCI
Do you store card holder data in your data
center(s)?
9
Three Architecture Footprints
Small
Medium
Large
10
PCI Solution Design GuidanceExample from the
Solution Design Guide
PCI Requirement 1.3.5 Cisco specific
recommendations Illustrations to provide
clarity Sample configuration
11
The PCI Data Security Standard

Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes
Maintain an Information Security Policy 12. Maintain a policy that addresses information security
12
PCI Requirement 1
  • Install and maintain a firewall configuration to
    protect data
  • Configuration standards, documentation
  • Segment card holder data from all other data
  • FW to public connections (Inbound Outbound)
  • Wireless
  • Personal Firewall

13
Requirement 1 Install and maintain a firewall
configuration to protect data
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
14
PCI Requirement 2
  • Do not use vendor-supplied defaults for system
    passwords and other security parameters
  • Change vendor supplied defaults
  • Wireless change wireless vendor defaults,
    disable SSID broadcasts, use WPA/WPA2
  • Configuration standards for all system components
  • Implement one primary function per server
  • Disable all unnecessary and insecure services and
    protocols

15
Requirement 2 Do not use vendor-supplied
defaults for system settings
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
16
PCI Requirement 3
  • Protect Stored Data
  • Keep cardholder data storage to a minimum
  • Do not store the full contents of any track from
    the magnetic stripe (also called full track,
    track, track1, track 2 and magnetic stripe data),
    card-validation code or value, PIN
  • Mask PAN when displayed, and render it unreadable
    when stored (hashed indexes, truncation, index
    tokens and pads, strong cryptography), disk
    encryption
  • Document and implement key management processes

17
Requirement 3 Protect Stored Data
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
POS Server
CSM
POS Cash Register
Cisco Security Agent
NAC
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card Storage Disk Encryption
Store Worker PC
ASA
CSA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
18
PCI Requirement 4
  • Encrypt transmission of cardholder data across
    open, public networks
  • Use SSL/TLS or IPSec, WPA for wireless
  • If using WEP
  • Use with a minimum 104-bit encryption key and 24
    bit-initialization value
  • Use ONLY in conjunction with WPA/WPA2, VPN or
    SSL/TLS
  • Rotate shared WEP keys quarterly (or
    automatically)
  • Restrict access based on MAC address
  • Never send unencrypted PANs by e-mail

19
Requirement 4 Encrypt transmission of cardholder
data across public networks
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
20
PCI Requirement 5
  • Use and regularly update anti-virus software or
    programs
  • Deploy anti-virus software on all systems
    commonly affected by viruses
  • AV programs capable of detecting, removing, and
    protecting against all forms of malicious
    software, including spyware and adware
  • Ensure that all AV mechanisms are current,
    actively running, and capable of generating audit
    logs

21
Requirement 5 Use and Regularly update
anti-virus software
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
CSA
POS Cash Register
POS Server
NAC
CSA
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
22
PCI Requirement 6
  • Develop and maintain secure systems and
    applications
  • Systems and software have latest vendor-supplied
    security patches installed. Install relevant
    security patches within one month of release
  • Establish process to identify new security
    vulnerabilities (subscribe to alert services,
    etc)
  • Develop SW applications based on industry best
    practices and incorporate security throughout SW
    development lifecycle
  • Develop web application based on secure coding
    guidelines such as the Open Web Application
    Security Project
  • Web-facing applications are protected against
    known attacks by installing an application layer
    firewall in front of web-facing applications, or
    review application code by a specialized
    application security organizations

23
Requirement 6 Develop and maintain secure
systems and applications
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
24
PCI Requirement 7
  • Restrict access to cardholder data by business
    need-to-know
  • Limit access to computing resources and
    cardholder information only to those individuals
    whose job requires such access
  • Establish a mechanism for systems with multiple
    users that restricts access based on a users
    need to know and is set to deny all unless
    specifically allowed.

25
Requirement 7 Restrict access to data by
business need-to-know
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
CSA
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
26
PCI Requirement 8
  • Assign a unique ID to each person with computer
    access
  • Identify all users with a unique user name before
    allowing access to system components or
    cardholder data
  • In addition, employ one method of authentication
    (password, token devices SecureID, certificates
    or public key, biometrics)
  • Implement 2-factor authentication
  • Encrypt all passwords during transmission and
    storage

27
Requirement 8 Assign a unique ID to each person
with computer access
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
28
PCI Requirement 9
  • Restrict physical access to cardholder data
  • Facility entry controls and monitor physical
    access to systems that store, process or transmit
    cardholer data
  • Cameras to monitor sensitive areas
  • Restrict physical access to network jacks,
    wireless access points, gateways, and handheld
    devices
  • Distinguish between employees and visitors
  • Visitor log in, physical token, authorization
    before entering area
  • Physically secure card holder data media
  • Destroy media when it is no longer needed

29
Requirement 9 Restrict Physical Access
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
30
PCI Requirement 10
  • Track and monitor all access to network resources
    and cardholder data
  • Implement automated audit trails
  • Record audit trail entries
  • Secure audit trails so they cannot be altered
  • Review logs for all system components at least
    daily
  • Destroy media when it is no longer needed
  • Retain audit trail history for at least one year,
    with a minimum of three months online availability

31
Requirement 10 Track and Monitor all access to
network and cardholder data
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
CSA
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
32
PCI Requirement 11
  • Regularly test security systems and processes
  • Use a wireless analyzer at least quarterly to
    identify all wireless devices in use
  • Run internal and external network vulnerability
    scans at least quarterly and after any
    significant change in the network
  • Perform penetration testing at least once a year
    and after any significant upgrade or modification
  • Use NIDS/IPS, HIDS/HIPS
  • Deploy file integrity monitoring software to
    perform critical file comparisons at least weekly

33
Requirement 11 Regularly test security systems
and processes
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
CSA
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
34
PCI Requirement 12
  • Maintain a policy that addresses information
    security for employees and contractors
  • Establish, publish, maintain, and disseminate a
    security policy
  • Develop usage policies for critical
    employee-facing technologies
  • Implement a security awareness program
  • Implement an incident response plan
  • If cardholder data is shared with service
    providers, the SP must adhere to the PCI DSS
    requirements

35
Requirement 12 Maintain a policy that addresses
information security
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE
ACS
Mobile POS
CSM
POS Cash Register
POS Server
NAC
CSA
NCM/CAS
CS-MARS
7200/7300
ASA
WAP
Internet
Catalyst switch
6500 switch
ISR
6500/7600 FWSM
WAP
CSA
WAP
Credit card storage
Store Worker PC
ASA
CSA
Wireless device
E-commerce
DATA CENTER
CSA
36
Cisco Security Best Practices for PCI
REMOTE LOCATION
NETWORK MGMT CENTER
INTERNET EDGE
MAIN OFFICE

Cisco Security Agent (CSA)

ACS
Cisco Security Management
CSA

POS Terminal
NAC
POS Server
CS-MARS

ASA 5500

7300 router
WAP 1200

ASA
Internet
  • switch

6500 switch
6500/7600 FWSM

Integrated Services Router (ISR)
CSA
ASA
WAP

Credit card storage
Store Worker PC

CSA
CSA

Wireless device
E-commerce
DATA CENTER
Requirement 1
Requirement 4
Requirement 7
Requirement 10
Requirement 2
Requirement 5
Requirement 8
Requirement 11
Requirement 3
Requirement 6
Requirement 9
Requirement 12
37
PCI -gt HIPAA with the same Security Best
Practices.
Category 5
Category 1
Data Center
Category 2
Category 6
ePHI Storage Server
Category 3
Category 7
CSA
Category 4
Category 8
Clinic
6500
CSA
7300
3750
ISR
CS-MARS
CSM
ASA
ASA
CSA
CSA
CSD
NCM/CAS
ACS
NAC
ISR
Internet Edge/DMZ
CSA
Campus
Network Management Center
Remote Clinician
Write a Comment
User Comments (0)
About PowerShow.com