
WHITEPAPER

PCI DSS 2.0 Requirements Addressed By Bradford's Network Sentry

Evolve your network security strategy to protect critical data and ensure PCI compliance

Contents

Introduction
    What is the Payment Card Industry Data Security Standard?
    Version 1.1
    Version 1.2
    Version 2.0
    High-Level Requirements
    The Costs of Non-Compliance
How Bradford's Network Sentry Helps Organizations Achieve Compliance with PCI DSS
    Network Sentry
    Identifies Who and What Is On The Network
    Dynamically Provisions and Enforces Security Policies
    Manages Security Functions From One Interface
    Leverages Existing Network Infrastructure
Network Sentry and PCI DSS Requirements Mapping
    Build and Maintain a Secure Network
    Protect Cardholder Data
    Maintain a Vulnerability Management Program
    Implement Strong Access Control Measures
    Regularly Monitor and Test Networks
Summary
Appendix A
Appendix B
References
About Bradford Networks

Introduction

Numerous high-profile security breaches in the retail and payment card processing industries drove the development of the Payment Card Industry Data Security Standard (PCI DSS), a mandatory standard that is having a significant impact upon all retailers and credit card processors. This paper describes the role played by Bradford Networks' adaptive security platform and Network Sentry product family in helping to meet the requirements of PCI DSS and to secure networks more effectively.

What is the Payment Card Industry Data Security Standard?

In 2004 the requirements that were formerly part of the Visa CISP and MasterCard SDP programs were incorporated into a new industry standard known as the Payment Card Industry Data Security Standard (PCI DSS). All major credit card brands support this standard, which creates a set of common industry security requirements. Entities that store, process or transmit cardholder data must comply with PCI DSS, and it affects every organization in the credit card payment chain: not only the payment card brands but acquiring banks, retail organizations, and service providers as well. Even healthcare organizations, colleges and universities must comply with PCI DSS if they accept credit cards for any product or service.

The impact of non-compliance with PCI DSS has been most glaringly apparent in the retail industry, where high-profile security breaches have occurred at several well-known retail companies. Retailers and other organizations that process credit card transactions are wise to consider not only what is required to comply with PCI DSS today, but also other best practices and controls to prevent new security threats from breaching their networks in the future. The PCI Security Standards Council updates the standard as security threats emerge and controls change, but vulnerabilities and threats are moving faster.

Version 1.1

PCI DSS is a constantly evolving standard.
In September 2006 the PCI Security Standards Council issued Version 1.1, which updated the original PCI Data Security Standard. Version 1.1 added new controls to protect stored cardholder data, strengthened wireless network and application security, and addressed other areas. The concept of compensating controls was also introduced.

Version 1.2

Responding to an increase in application vulnerabilities such as cross-site scripting and SQL injection, PCI DSS Version 1.2 was released in October 2008 and introduced the following significant changes:

- New language covering all forms of malicious software, rather than just anti-virus, was added to Requirement 5
- New application security controls and test requirements were added to Requirement 6
- The access control requirements of Requirement 7 were expanded substantially, which has important implications for NAC technology

Version 2.0

Minor updates were introduced in Version 2.0 of PCI DSS in October 2010. Although Version 2.0 introduces no new requirements, it includes several clarifications and provides additional guidance on existing requirements. This includes a clarification for Requirement 11.1 that explicitly names network access control (NAC) technology as a method for detecting unauthorized wireless access points:

    11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.

High-Level Requirements

PCI DSS Version 2.0 continues the established organization of the standard, with 12 high-level requirements grouped into six objectives. Each high-level requirement consists of numerous additional specific requirements. The table below summarizes the 12 high-level requirements. (Requirements addressed by Bradford Networks' security platform are marked with an asterisk.)

Build and Maintain a Secure Network
  * 1: Install and maintain a firewall configuration to protect cardholder data
  * 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    3: Protect stored cardholder data
    4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  * 5: Use and regularly update anti-virus software
  * 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  * 7: Restrict access to cardholder data by business need-to-know
  * 8: Assign a unique ID to each person with computer access
    9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  * 10: Track and monitor all access to network resources and cardholder data
  * 11: Regularly test security systems and processes

Maintain an Information Security Policy
  * 12: Maintain a policy that addresses information security

Nine of the twelve requirements can be addressed at least in part by Bradford's Network Sentry. The three remaining requirements (3, 4 and 9) concern protection of stored and transmitted cardholder data and physical access, which lie outside what network access control can enforce.

The Costs of Non-Compliance

PCI DSS compliance is enforced by the individual payment card brands. Each brand runs its own compliance program to protect the brand's image and reputation. For example, Visa's PCI Compliance Acceleration Program provides incentives for financial institutions that demonstrate compliance and levies significant fines for non-compliance. Acquiring banks may be subject to fines of $5,000 to $25,000 per month for each of their Level 1 and Level 2 merchants who are not in compliance. Visa has levied millions of dollars in fines under this program.

Fines from the payment card brands may be the least of the problems faced by organizations that suffer security breaches. Non-compliance can damage the company's own brand or image and cause significant financial liabilities. Public awareness of a breach, and the embarrassing publicity that accompanies it, often has a negative impact on business and decreases goodwill. Companies from service providers to retailers also risk losing customers if they are not compliant: PCI DSS requires merchants to do business only with service providers that adhere to the standard, so merchants could be forced to switch service providers whose databases are compromised. In extreme circumstances, merchants that do not comply with PCI DSS could lose the ability to process cardholder data altogether.

How Bradford's Network Sentry Helps Organizations Achieve Compliance with PCI DSS

PCI DSS requires organizations in the payment processing chain to secure both their networks and the systems on which cardholder data is processed or stored.
Bradford's Network Sentry secures internal networks by verifying the health and identity of devices connected to them, and provides network-wide visibility and tracking of every user, every endpoint device, and every network connection. Bradford solutions address network access and control issues that cannot be addressed by legacy firewalls and host-based identity and access management solutions. Network Sentry supports PCI DSS compliance by automating enforcement of strict access control policies, ensuring that users and devices attaching to networks are authorized to do so and that they meet specific security policy requirements. Network Sentry provides detailed logging and reporting functionality, including PCI-specific reporting templates, for full visibility of network activity. Logs and reports can be used during PCI audits to demonstrate compliance. In all, Network Sentry helps to address 9 of the 12 PCI requirements.

Network Sentry is an out-of-band security platform that leverages an organization's existing network infrastructure to enforce security policies. Leading analysts characterize out-of-band implementations as the most secure, scalable, flexible, and cost-effective approach to automating network access control.

Network Sentry

Bradford's Network Sentry integrates with IT infrastructure and correlates network, security, endpoint device, and user information to provide visibility and control over every user and device on the network. Based upon Bradford's Adaptive Network Security platform architecture, Network Sentry delivers security solutions capable of addressing a wide range of business challenges. Network Sentry provides visibility of all network users and network-attached devices, allowing organizations to secure their critical IT assets and prevent unauthorized network access.
Identifies Who and What Is On The Network

Bradford's Network Sentry provides visibility of every user and every endpoint device that attempts to access the network, whoever or whatever they may be and wherever and whenever they attempt to connect. Because it is tightly integrated with the network environment, Network Sentry provides visibility across the network infrastructure, right down to individual switch ports, wireless access points, and remote connections such as VPN. A web-based administrative interface features a customizable dashboard view of vital network information, allowing administrators to drill down with a mouse click for more details.

Dynamically Provisions and Enforces Security Policies

Network Sentry allows custom security policies to be created and enforced automatically and consistently throughout the network to protect critical data and IT assets. Examples include:

- Identity-based access policies that provision network access based on user identity (Employee, Guest, Contractor, etc.)
- Device-based access policies that provision network access based on device type (IP phone, Printer, Handheld, etc.)
- Endpoint compliance policies that allow or prohibit network access based on the security posture of endpoint devices (up-to-date OS, patches, anti-virus/anti-spyware, etc.)

This is just a sample of the security policies that can be managed with Network Sentry. Other types of policies can be created and deployed to meet the specific needs of any organization.

Manages Security Functions From One Interface

Network Sentry provides IT administrators with extensive management and control functionality. Features built into the existing infrastructure can be leveraged to secure the network, and control features are accessed through the web-based administrative interface. For example, any user or device on the network can be located and identified with a few mouse clicks. Potential threats can be mitigated by isolating suspect users or at-risk devices, or by disabling their access completely. Control of the network is simplified by Network Sentry's ability to automate administrative tasks. For example, if an unknown device connects to a switch on the network, this event can trigger an automated alert to IT staff, and the switch port can be automatically disabled or quarantined to protect the network.

Leverages Existing Network Infrastructure

By integrating with the entire network and leveraging the capabilities of the current infrastructure, Network Sentry allows organizations to get the most out of existing IT investments. Network Sentry is also architected to adapt to changing technology environments without requiring forklift upgrades, protecting today's investment for years to come.

The Evolution of Network Access Control (NAC)

Based upon Bradford's Adaptive Network Security architecture, Network Sentry represents the evolution of traditional network access control (NAC) solutions and can be deployed in a variety of ways to address changing business and technology challenges. Network Sentry has been architected as a modular platform that allows a number of distinct feature sets to be deployed individually or in combination to meet the requirements of different organizations. Its modular architecture allows security solutions to be rolled out in phases, addressing the most critical needs first and phasing in additional capabilities as required.
Network Sentry and PCI DSS Requirements Mapping

This section identifies the nine PCI DSS requirements that Bradford's Network Sentry addresses. Requirements 3, 4 and 9 (protection of stored and transmitted cardholder data, and physical access) are not addressed by Network Sentry and are excluded from the mapping below. For each requirement, the PCI DSS text is given first, followed by how Network Sentry addresses it.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed between an entity's networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity's internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity's trusted network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.

1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.

Network Sentry: While not a firewall per se, Network Sentry segregates user access to network resources based upon identity and role-based policies. This capability can restrict access to the cardholder data network to only authorized users and devices.

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Network Sentry: While not a firewall per se, Network Sentry can restrict user and device access to the cardholder network using detailed identity profiles and role-based access controls. Network Sentry provides positive authentication and access control for all network users and devices on wired, wireless, and VPN connections. In both 1.2 and 1.3, Network Sentry complements rather than replaces the firewall and router configuration that Requirement 1 itself calls for.

1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network.

Network Sentry: Network Sentry's Endpoint Compliance feature set can enforce this requirement across all systems, including mobile and employee-owned computers. Systems attempting to access the network without personal firewall software that is both installed and operational can be denied access, quarantined, and forced to remediate the condition before being granted access.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Malicious individuals (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined via public information.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system-hardening standards.

Network Sentry: Network Sentry helps to enforce configuration standards for endpoint devices by validating device security posture, including the use of approved and up-to-date operating systems, anti-virus and anti-spyware software, and other applications and system processes. Devices found not to conform to security policies can be quarantined or automatically remediated.

2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Network Sentry: Network Sentry uses SSL/TLS encryption between management workstations and all Network Sentry Foundation appliances. SSH and/or SNMPv3 communication is supported between Network Sentry and network infrastructure devices. Note that because it controls admission to the cardholder data environment, the Network Sentry appliance is itself a system component within the scope of Requirement 2: its own default credentials and settings must be changed and its configuration hardened like any other in-scope system.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs

Malicious software, commonly referred to as "malware" (including viruses, worms, and Trojans), enters the network during many business-approved activities, including employees' e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect those systems from current and evolving malicious software threats.

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.1.1 Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Network Sentry: Network Sentry enforces the presence of AV software on all network-attached systems, and further ensures that the signature files and the AV executable are current according to the policy established by the organization. Devices found not to conform to the defined security policy can be quarantined or automatically remediated. Network Sentry enhances the ability to comply with this provision by allowing endpoint security policies to be updated regularly to keep pace with new threats, and then enforcing those policies dynamically across the entire network.

5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Network Sentry: Network Sentry ensures that AV software is actively running and is up-to-date with the most current signature files. Network Sentry can also monitor endpoints for a change in status and initiate dynamic policy enforcement. For example, if anti-virus software is disabled by a user, Network Sentry can dynamically quarantine the user's computer and notify the user (and/or administrative staff) of the policy violation.

Requirement 6: Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release. Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less-critical devices and systems within three months.

Network Sentry: Network Sentry with Endpoint Compliance can be used to define and enforce security policies to ensure that endpoint operating systems are up-to-date with the latest patches. Devices found not to conform to the defined security policy can be quarantined and/or remediated. Integration with leading patch management systems allows remediation to be automated, enforcing policy compliance while minimizing disruption to users so they can remain productive.

6.4.1 Separate development/test and production environments.

Network Sentry: Network Sentry can be used to enforce role-based access controls using virtual LANs (VLANs) or other mechanisms to segregate development, test, and production environments within an organization.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. "Need to know" is when access rights are granted to only the least amount of data and privileges needed to perform a job.

7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access. This includes:
- Restriction of access rights to privileged user IDs to the least privileges necessary to perform job responsibilities
- Assignment of privileges based on individual personnel's job classification and function
- Implementation of an automated access control system

7.2 Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following:
- Coverage of all system components
- Assignment of privileges to individuals based on job classification and function
- Default "deny-all" setting

Network Sentry: Network Sentry uses a variety of authentication methods and role-based access control to limit access to network resources based upon the individual's role and access privileges. Network Sentry satisfies the requirement for implementation of an automated access control system by dynamically enforcing role-based access control policies throughout the network. Note that the audit testing procedures in PCI DSS Version 2.0 specifically address role-based access control: "Confirm that privileges are assigned to individuals based on job classification and function (also called role-based access control or RBAC)." Network Sentry's Shared Access Tracker enforces role-based access controls on shared network devices, ensuring that each user's access is limited based upon the individual's role (or job classification) and specified access privileges. Network-level role enforcement is one layer of the 7.2 control; the access controls within the operating systems, databases and applications that hold cardholder data remain in scope because 7.2 requires coverage of all system components.
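Requirements 1.4, 2.2, 5.1, 5.2 and 6.1 above all rest on the same mechanism: an endpoint posture check evaluated before a device is admitted and re-evaluated when its state changes. The block below is an added example written for this page; it is not Bradford Networks' code and does not describe how Network Sentry implements its Endpoint Compliance policies. The posture-report fields, the thresholds (30 days of patch age from 6.1, a 3-day signature age standing in for the organization's own definition of "current") and the sample hosts are assumptions. It fails closed: a value the agent could not read is a violation, not a pass.

```python
"""Endpoint posture evaluation of the kind a NAC applies before granting access.

Added example, not Bradford Networks' code.  The posture-report fields, the
policy thresholds and the sample hosts below are assumptions/constructed.
"""
from dataclasses import dataclass, field, replace
from datetime import date
from typing import List, Optional


@dataclass
class PostureReport:
    host: str
    mobile: bool                        # laptop / employee-owned: Requirement 1.4 applies
    os_patched_on: Optional[date]       # last critical patch install; None = agent could not read it
    av_installed: bool
    av_running: bool
    av_logging: bool                    # 5.2: capable of generating audit logs
    av_signatures_on: Optional[date]    # signature-set date; None = unknown
    personal_firewall_on: bool


@dataclass
class Policy:
    max_patch_age_days: int = 30        # 6.1: critical patches within one month of release
    max_signature_age_days: int = 3     # organisation-defined meaning of "current" (assumption)


@dataclass
class Decision:
    verdict: str                        # "allow" | "quarantine"
    violations: List[str] = field(default_factory=list)


def _older_than(when: Optional[date], today: date, limit_days: int) -> bool:
    # Fail closed: an unknown date counts as stale rather than as a pass.
    return when is None or (today - when).days > limit_days


def evaluate(report: PostureReport, policy: Policy, today: date) -> Decision:
    """Return allow/quarantine plus every rule the endpoint fails (for the user notice)."""
    v: List[str] = []
    if _older_than(report.os_patched_on, today, policy.max_patch_age_days):
        v.append("os-patches-stale")                       # 2.2 / 6.1
    if not report.av_installed:
        v.append("av-missing")                             # 5.1
    else:
        if not report.av_running:
            v.append("av-not-running")                     # 5.2
        if not report.av_logging:
            v.append("av-logging-off")                     # 5.2
        if _older_than(report.av_signatures_on, today, policy.max_signature_age_days):
            v.append("av-signatures-stale")                # 5.2
    if report.mobile and not report.personal_firewall_on:
        v.append("personal-firewall-off")                  # 1.4
    return Decision("quarantine" if v else "allow", v)


def on_status_change(report: PostureReport, policy: Policy, today: date, **changes) -> Decision:
    """Re-evaluate after an endpoint changes state mid-session (e.g. the user
    disables the AV engine).  The original report is left untouched."""
    return evaluate(replace(report, **changes), policy, today)


TODAY = date(2011, 3, 1)                # constructed reference date

# Constructed sample hosts: a healthy POS register, a stale laptop with its
# personal firewall off, and a kiosk whose agent could not read two values.
CLEAN = PostureReport("pos-register-07", False, date(2011, 2, 20), True, True, True, date(2011, 2, 28), True)
LAPTOP = PostureReport("sales-laptop-12", True, date(2011, 1, 10), True, True, True, date(2011, 2, 28), False)
UNKNOWN = PostureReport("kiosk-03", False, None, True, True, True, None, True)

if __name__ == "__main__":
    for r in (CLEAN, LAPTOP, UNKNOWN):
        print(r.host, evaluate(r, Policy(), TODAY))
    print("after AV disabled:", on_status_change(CLEAN, Policy(), TODAY, av_running=False))
```

The violation list, not just the verdict, is what a quarantine portal shows the user for self-remediation; the same list is what an auditor would expect to see in the connection log alongside the decision.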

Requirement 8: Assign a unique ID to each person with computer access

Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. However, Requirements 8.1, 8.2 and 8.5.8 through 8.5.15 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).

8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.

8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric

Network Sentry: Network Sentry leverages standards-based technologies such as 802.1X, LDAP, and RADIUS, and integrates with a variety of third-party authentication systems to validate the unique identity of each user prior to allowing access to network resources. User ID can also be combined with other factors, such as user role, device name, MAC address, IP address, network access point, and time, to define and enforce specific access policies.

8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.) Note: Two-factor authentication requires that two of the three authentication methods (see 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

8.5.4 Immediately revoke access for any terminated users.

Network Sentry: While this requirement involves both process and technology, revoking access privileges for terminated users can be a difficult undertaking, as users may have accounts and access rights on numerous systems in the network. Network Sentry provides a single management interface from which to revoke a user's access to all network resources in real time, while logging this action for tracking purposes and compliance reporting.

8.5.5 Remove/disable inactive user accounts at least every 90 days.

Network Sentry: Network Sentry can automatically disable accounts after a specified period of inactivity, while also logging these actions for tracking purposes and compliance reporting. Authorized system administrators can also enable or disable user accounts in real time through the centralized management interface.

8.5.6 Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use.

Network Sentry: Network Sentry's Guest Manager allows authorized administrators to create user accounts for visiting users such as vendors and contractors. These accounts can be customized with limited network access privileges, including time restrictions, and account activity is logged for tracking and compliance reporting.

8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users. Restrict user direct access or queries to databases to database administrators.

Network Sentry: The role-based access policies implemented within Network Sentry can authenticate all access to certain network segments, and can limit (based upon policies and roles) which users are even permitted to connect to a LAN segment or VLAN containing a database with cardholder data. This restricts who can reach the database over the network; authentication of each connection at the database itself remains a control of the database system.
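The access decisions described under Requirements 7 and 8 (default deny, role-to-segment mapping, one ID per person, two-factor for remote access, immediate revocation, the 90-day inactivity rule and vendor time windows) can be written as a single policy function, which makes the ordering of the checks explicit. The following is an added example, not Bradford's code and not a description of Network Sentry's internals; the role and VLAN names, the directory entries and the reference time are constructed for illustration.

```python
"""Identity- and role-based network admission with default deny.

Added example, not Bradford Networks' code.  Role names, VLAN names, the
account records and the reference time are assumptions chosen to mirror
Requirements 7.2, 8.1, 8.3 and 8.5.4 to 8.5.6 as quoted above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Role -> network segment.  A role with no entry is denied (7.2 default deny-all).
ROLE_VLANS: Dict[str, str] = {
    "cashier": "pos",
    "employee": "corp",
    "dba": "cde-db",          # only DBAs may reach the segment holding the cardholder database
    "vendor": "vendor-mgmt",
    "guest": "guest",
}
INACTIVITY_LIMIT = timedelta(days=90)   # 8.5.5


@dataclass
class Account:
    user_id: str                         # one ID per person (8.1); shared IDs are never created
    role: str
    enabled: bool = True
    terminated: bool = False             # 8.5.4: revoke immediately
    last_login: Optional[datetime] = None
    vendor_window: Optional[Tuple[datetime, datetime]] = None   # 8.5.6: enabled only while needed


@dataclass
class ConnectionRequest:
    user_id: str
    medium: str                          # "wired" | "wireless" | "vpn"
    factors: int                         # distinct authentication factors presented (8.2 / 8.3)
    at: datetime


def decide(accounts: Dict[str, Account], req: ConnectionRequest) -> Tuple[str, str]:
    """Return ("allow", vlan) or ("deny", reason).  Every path that is not an
    explicit match on an enabled account with a mapped role ends in deny."""
    acct = accounts.get(req.user_id)
    if acct is None:
        return ("deny", "unknown-user")
    if acct.terminated or not acct.enabled:
        return ("deny", "account-disabled")
    if acct.last_login is not None and req.at - acct.last_login > INACTIVITY_LIMIT:
        return ("deny", "inactive-over-90-days")
    if acct.vendor_window is not None:
        start, end = acct.vendor_window
        if not (start <= req.at <= end):
            return ("deny", "outside-vendor-window")
    if req.medium == "vpn" and req.factors < 2:
        return ("deny", "two-factor-required")            # 8.3: remote access
    vlan = ROLE_VLANS.get(acct.role)
    if vlan is None:
        return ("deny", "no-role-mapping")                # default deny
    return ("allow", vlan)


def inactive_accounts(accounts: Dict[str, Account], now: datetime) -> List[str]:
    """Periodic sweep for 8.5.5: enabled IDs with no login inside the limit
    (accounts that have never logged in are included)."""
    return sorted(uid for uid, a in accounts.items()
                  if a.enabled and (a.last_login is None or now - a.last_login > INACTIVITY_LIMIT))


NOW = datetime(2011, 3, 1, 9, 0)          # constructed reference time
ACCOUNTS: Dict[str, Account] = {           # constructed directory
    "jdoe": Account("jdoe", "employee", last_login=NOW - timedelta(days=2)),
    "asmith": Account("asmith", "dba", last_login=NOW - timedelta(days=1)),
    "old-temp": Account("old-temp", "employee", last_login=NOW - timedelta(days=120)),
    "gone": Account("gone", "employee", terminated=True, last_login=NOW - timedelta(days=1)),
    "acme-svc": Account("acme-svc", "vendor", last_login=NOW - timedelta(days=10),
                        vendor_window=(NOW - timedelta(hours=1), NOW + timedelta(hours=3))),
    "auditor": Account("auditor", "external-auditor"),   # role with no mapping -> denied
}

if __name__ == "__main__":
    for r in (ConnectionRequest("jdoe", "wired", 1, NOW),
              ConnectionRequest("jdoe", "vpn", 1, NOW),
              ConnectionRequest("acme-svc", "vpn", 2, NOW + timedelta(hours=5)),
              ConnectionRequest("gone", "wired", 1, NOW)):
        print(r.user_id, r.medium, decide(ACCOUNTS, r))
    print("disable for 8.5.5:", inactive_accounts(ACCOUNTS, NOW))
```

The order of the checks matters: the terminated and disabled tests run before anything else so that a revoked user is refused regardless of role or window, and the role lookup is last so that an unmapped role can never fall through to a segment.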

7 Regularly Monitor and Test Networks 10.0 Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user Implement automated audit trails for all system components to reconstruct the following events: All individual user accesses to cardholder data Access to all audit trails Invalid logical access attempts Use of identification and authentication mechanisms 10.3 Record at least the following audit trail entries for all system components for each event: User identification Type of event Date and time Success or failure indication Origination of event Identity or name of affected data, system component, or resource 10.5 Secure audit trails so they cannot be altered Limit viewing of audit trails to those with a job-related need Protect audit trail files from unauthorized modifications Regularly test security systems and processes Network Sentry provides critical audit trails for all internal network access, logging all devices and users connecting to network resources, and further logging any invalid access attempts for wired, wireless, and VPN network connections. A detailed Connection Log provides real-time access to data on all network connections, including current connections and historical logs of previous connections. Network Sentry also provides detailed reporting functionality, including PCI-specific reporting templates, for full visibility of network access activity. 
Network Sentry restricts and secures access to audit trails, allowing access only to authorized administrative users. Log data can be archived for long-term storage, and standards-based data export facilities allow log data to be exported to external systems for detailed forensic analysis and reporting.

Vulnerabilities are being discovered continually by malicious individuals and researchers, and are being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.

Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. Note: Methods that may be used in the process include, but are not limited to, wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Note: It is not required that four passing quarterly scans be completed for initial PCI DSS compliance if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan. For subsequent years after the initial PCI DSS review, four passing quarterly scans must have occurred.

Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

Network Sentry provides advanced network access control (NAC) functionality, including the ability to monitor for and detect unauthorized ("rogue") wireless access points in real time. Upon detecting a rogue wireless access point, Network Sentry can automatically isolate the device and notify authorized personnel of its discovery. The same capability extends to the detection and isolation of any other unauthorized device that attempts to join the network.

Network Sentry does not replace quarterly scans by a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council. It does, however, augment periodic vulnerability scans by providing ongoing monitoring of network connections and of the security posture of endpoint devices, while enabling quarantine and/or remediation of policy violations as they arise.

While Network Sentry is not itself an IDS/IPS, it integrates with third-party IDS/IPS systems and can significantly enhance their effectiveness. Network Sentry can receive SNMP traps and Syslog messages from these devices and correlate the data received with the data the Network Sentry system already holds. The combined data can then be used to enforce security policies dynamically at the edge of the network (i.e., the point at which endpoint devices connect). For example, an IDS/IPS can alert Network Sentry to a specific vulnerability, including the source IP address associated with it. Network Sentry can then correlate that source IP address with the associated MAC address, device (host) name, user name, and specific network location (switch port or wireless access point) where the device is connected. This data can be sent to an authorized administrator for further action, or Network Sentry can automatically initiate corrective actions such as isolating the offending device or disabling its network access entirely.
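The alert-correlation flow described above, as an added example that is not Bradford Networks code: a constructed syslog alert from a hypothetical IDS is parsed, its source IP is matched against a constructed NAC session table (IP to MAC address, host name, user name and switch port or AP), and a constructed policy decides whether to isolate the device at the edge or only notify an administrator. The key=value syslog message format, the session table, the priority scale (1 = most severe) and the policy thresholds are all assumptions made for this example.

```python
"""Correlating an IDS/IPS alert with NAC session data and choosing an edge
enforcement action.  Added example, not Bradford Networks code; every IP,
MAC, user name, switch port and alert line below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed syslog shape: "<PRI>Mon DD HH:MM:SS host proc[pid]: key=value ...".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Session:
    """What the NAC knows about one connected endpoint (constructed data)."""
    mac: str
    host: str
    user: str
    location: str   # switch port or wireless AP the device is connected to
    in_cde: bool    # inside the cardholder data environment?


@dataclass
class Decision:
    action: str     # "isolate" (quarantine at the edge) or "notify" (admin)
    reason: str
    src_ip: str
    session: Optional[Session]


# Constructed NAC session table keyed by the endpoint's current IP address.
SESSIONS: Dict[str, Session] = {
    "10.20.30.41": Session("00:11:22:33:44:55", "pos-register-07", "cashier12",
                           "sw-store1 Gi1/0/7", in_cde=True),
    "10.20.30.42": Session("00:11:22:33:44:56", "pos-register-08", "cashier03",
                           "sw-store1 Gi1/0/8", in_cde=True),
    "10.20.50.12": Session("66:77:88:99:aa:bb", "visitor-laptop", "guest",
                           "ap-lobby-2", in_cde=False),
}

# Constructed alerts from a hypothetical sensor "ids01"; priority 1 is most severe.
SAMPLE_ALERTS: List[str] = [
    '<132>Nov 12 10:15:02 ids01 ids[4321]: sid=EX-0001 priority=1 proto=TCP '
    'src=10.20.30.41:51234 dst=203.0.113.5:443 msg="constructed malware callback"',
    '<132>Nov 12 10:16:40 ids01 ids[4321]: sid=EX-0002 priority=2 proto=TCP '
    'src=10.20.30.42:50012 dst=10.20.30.10:445 msg="constructed SMB probe"',
    '<134>Nov 12 10:17:05 ids01 ids[4321]: sid=EX-0003 priority=3 proto=UDP '
    'src=10.20.50.12:5353 dst=224.0.0.251:5353 msg="constructed mDNS chatter"',
    '<132>Nov 12 10:18:11 ids01 ids[4321]: sid=EX-0004 priority=1 proto=TCP '
    'src=192.0.2.77:4444 dst=10.20.30.10:22 msg="constructed SSH brute force"',
]


def parse_ids_alert(line: str) -> dict:
    """Extract sensor, severity, signature and source IP from one syslog alert."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("msg"))}
    src = fields.get("src", "")
    src_ip = src.rsplit(":", 1)[0] if ":" in src else src   # drop the port
    return {
        "sensor": m.group("host"),
        "severity": int(fields.get("priority", "3")),
        "signature": fields.get("sid", "unknown"),
        "message": fields.get("msg", ""),
        "src_ip": src_ip,
    }


def correlate(alert: dict, sessions: Dict[str, Session]) -> Decision:
    """Map the alert's source IP to a NAC session and choose an edge action.

    Policy (constructed for this example): isolate on any top-severity alert,
    and on medium severity when the endpoint sits inside the CDE; otherwise
    notify an administrator.  An IP with no session (off-network, NATed, or a
    stale lease) cannot be enforced at the edge, so it is escalated instead."""
    session = sessions.get(alert["src_ip"])
    if session is None:
        return Decision("notify", "source IP has no NAC session; manual follow-up",
                        alert["src_ip"], None)
    if alert["severity"] == 1:
        reason = f"top-severity alert from {session.host} at {session.location}"
        return Decision("isolate", reason, alert["src_ip"], session)
    if session.in_cde and alert["severity"] <= 2:
        return Decision("isolate", "medium-severity alert inside the CDE",
                        alert["src_ip"], session)
    return Decision("notify", "low-severity alert outside the CDE",
                    alert["src_ip"], session)


def process_alerts(lines: List[str], sessions: Dict[str, Session]) -> List[Decision]:
    """Run the pipeline over raw syslog lines; malformed lines are skipped."""
    decisions = []
    for line in lines:
        try:
            decisions.append(correlate(parse_ids_alert(line), sessions))
        except ValueError:
            continue
    return decisions
```

Running process_alerts(SAMPLE_ALERTS, SESSIONS) isolates the two POS registers, only notifies for the guest laptop, and escalates the fourth alert because 192.0.2.77 has no session to enforce against.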

Maintain an Information Security Policy

12.0 Maintain a policy that addresses information security for employees and contractors.

A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it. For the purposes of Requirement 12, "personnel" refers to full-time and part-time employees, temporary employees, contractors and consultants who are resident on the entity's site or otherwise have access to the cardholder data environment.

Establish, publish, maintain, and disseminate a security policy that accomplishes the following:

12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures and log review procedures).

Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
- Authentication for use of the technology
- A list of all such devices and personnel with access
- Acceptable network locations for the technologies
- Activation of remote access technologies for vendors only when needed by vendors, with immediate deactivation after use

Administer user accounts, including additions, deletions, and modifications.

Monitor and control all access to data.

Establishing policy is clearly a process issue. However, Network Sentry greatly facilitates effective management and enforcement of the policies identified in Requirement 12, particularly those that relate to internal and external network access control. For example, Network Sentry can ensure enforcement of security policies for:
- Remote access technologies, and wired and wireless LAN technologies
- Various endpoint devices (laptops, PDAs, etc.)
- Network access by employees, contractors, and other authorized users
- Authentication of all authorized users
- Location-based and time-based network access

Network Sentry also provides a powerful administrative interface for account administration, including additions, deletions, and modifications, as well as for ongoing monitoring, logging, and reporting of network activity.

Summary

The PCI Data Security Standard has evolved considerably from version 1.0 through versions 1.1 and 1.2 to the most recent version, 2.0. Its requirements cannot be met with any single product or technology on the market today, yet a combination of products and technologies can be used very effectively together to satisfy PCI DSS requirements and to keep crucial network systems and data secure. Bradford's Network Sentry provides the robust network discovery, identity management, endpoint compliance, and security policy enforcement capabilities that any organization processing credit card payments needs, not only to comply with PCI DSS but to secure its network more effectively.

Key areas of PCI DSS objectives and requirements addressed by Network Sentry include:
- Maintaining a vulnerability management system, including ensuring the use of up-to-date anti-virus software on end systems
- Implementing strong access control measures, including restricting network access to authorized users with role-based access privileges
- Regularly monitoring and tracking all access to network resources, including detection of unauthorized users and rogue devices
- Maintaining effective information security policies, including dynamic enforcement of policies for accessing network resources

With its advanced security and policy management capabilities, in addition to detailed logging and reporting functionality, Network Sentry greatly enhances the ability of payment card industry participants to comply with PCI DSS, addressing nine of the twelve high-level PCI DSS requirements.

Appendix A: Summary of Significant Changes, PCI DSS 1.1 to 1.2

The PCI Data Security Standard version 1.2 introduced a number of major changes, the most significant of which revolved around access control, application security, and wireless networks.

Key changes in PCI DSS 1.2, by requirement:

1. Install and maintain a firewall configuration to protect cardholder data
   Minor changes: clarification, restructuring of some requirements, and changes to requirements language. Added testing procedures for requirements.

2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Minor changes: clarification, restructuring of some requirements, and changes to requirements language. Added testing procedures for requirements.

3. Protect stored cardholder data
   Minor changes: clarification, restructuring of some requirements, and changes to requirements language and testing procedures. Added testing procedures for requirements.

4. Encrypt transmission of cardholder data across open, public networks
   Major changes: changed requirements to eliminate WEP as an acceptable encryption protocol over time. Clarification, restructuring of some requirements, and changes to requirements language. Added testing procedures for requirements.

5. Use and regularly update anti-virus software
   Major changes: expanded language and scope from anti-virus to all types of malicious software. Clarification, restructuring of some requirements, and changes to requirements language and testing procedures. Added testing procedures for requirements.

6. Develop and maintain secure systems and applications
   Major changes: significant changes to enable secure application development. Integrates the OWASP Top 10 application vulnerabilities as guidance, and requires either a regular web application vulnerability assessment or the use of a web application firewall (or both).

7. Restrict access to cardholder data by business need-to-know
   Major changes: version 1.1 had just two vague and high-level requirements (7.1 and 7.2) related to the objective. Version 1.2 added a total of eight sub-requirements (7.1.1 through 7.1.4, plus the corresponding sub-requirements through 7.2.4), which specify implementation of an automated access control system and describe the use of role-based access control in achieving the objective.

8. Assign a unique ID to each person with computer access
   Minor changes: clarification, restructuring of some requirements, and changes to requirements language and testing procedures. Added testing procedures for requirements.

9. Restrict physical access to cardholder data
   Minor changes: clarification, restructuring of some requirements, and changes to requirements language and testing procedures. Added testing procedures for requirements.

10. Track and monitor all access to network resources and cardholder data
   Minor changes: clarification, restructuring of some requirements, and changes to requirements language and testing procedures. Added testing procedures for requirements.

11. Regularly test security systems and processes
   Major changes: added test procedures related to wireless network usage (11.1.a, b, and c) that require using a wireless analyzer, ensuring that a wireless IDS/IPS is generating alerts, and that incident response addresses unauthorized wireless device use. Clarification, restructuring of some requirements, and changes to requirements language and testing procedures. Added testing procedures for requirements.

12. Maintain a policy that addresses information security
   Major changes: expanded language in requirements from "modems" to "remote access technologies", and changed language from "third parties" to "service providers". Clarification, restructuring of some requirements, and changes to requirements language and testing procedures. Added testing procedures for requirements.

The changes to Requirement 7 are particularly significant from a network security standpoint, as they are best addressed at the network level with a security platform like Bradford's Network Sentry. The addition of test procedures related to detecting the unauthorized use of wireless access argues strongly for using a system like Network Sentry, which can block unauthorized devices attempting to access the network.

Appendix B: The Payment Card Industry Data Security Standard

In 2004, the VISA Cardholder Information Security Program (CISP) and MasterCard Site Data Protection (SDP) Program requirements were incorporated into an industry standard known as the Payment Card Industry (PCI) Data Security Standard (DSS). This standard resulted from collaboration between Visa and MasterCard to create common industry security requirements. As previously mentioned, the standard has evolved from 1.0 to 1.1 (2006), 1.2 (2008), and most recently to 2.0 in October.

PCI DSS compliance is required of all merchants and service providers that store, process, or transmit cardholder data. The program applies to all payment channels, including retail, mail/telephone order, and e-commerce. It is important to note that the five major payment card brands (VISA, MasterCard, Diners Club, American Express, and JCB) all require PCI DSS compliance. The details of compliance, including dates and fines for non-compliance, are managed by the individual brands themselves.

Merchants

A merchant is any entity, such as a retail store, that processes credit card transactions. Merchant level definitions include:

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any other payment card brand as Level 1.
Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 transactions per year.

In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants. The validation requirements for VISA are shown below. All merchants are required to be in compliance.

Level 1: Annual on-site PCI Data Security Assessment, validated by a Qualified Data Security Company or by internal audit if signed by an officer of the company.
Level 2: Annual PCI Self-Assessment Questionnaire, validated by the merchant.
Level 3: Annual PCI Self-Assessment Questionnaire, validated by the merchant.
Level 4: Annual PCI Self-Assessment Questionnaire, validated by the merchant.

Service Providers

Service providers are organizations that process, store, or transmit cardholder data on behalf of members, merchants, or other service providers. Service provider levels are:

Level 1: All VisaNet processors (member and non-member) and all payment gateways. VisaNet refers to the systems and services through which Visa delivers authorization, clearing, and settlement services for its members.
Level 2: Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 credit card transactions annually.
Level 3: Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 credit card transactions annually.

In addition to adhering to the PCI DSS, compliance validation is required for all service providers. These validation requirements include:

Level 1: Annual on-site PCI Data Security Assessment, validated by a Qualified Data Security Company.
Level 2: Annual on-site PCI Data Security Assessment, validated by a Qualified Data Security Company.
Level 3: Annual PCI Self-Assessment Questionnaire, validated by the service provider.

About Bradford Networks

Bradford Networks offers the best network security solutions for evolving IT environments. The company's flexible Network Sentry platform is the first network security offering that can automatically identify and profile all devices and all users on a network, providing complete visibility and control. Unlike vendor-specific network security products, Network Sentry provides a view across all brands of equipment and devices so nothing falls through the cracks. Hundreds of customers and millions of users worldwide rely on Bradford to secure their IP networks.

Bradford Networks, 162 Pembroke Road, Concord, New Hampshire 03301, USA. info@bradfordnetworks.com

Copyright 2010 Bradford Networks. All rights reserved. Printed in USA. Bradford Networks and the logo are registered trademarks of Bradford Networks in the United States and/or other countries. Adaptive Network Security, Network Sentry, Campus Manager and NAC Director are either trademarks or registered trademarks of Bradford Networks or one of its affiliated companies in the United States and/or other countries. All other trademarks or registered trademarks are the property of their respective owners. Bradford Networks reserves the right to change without notice.

DISCLAIMER: This document provides general information about personal privacy and compliance initiatives in North America. It is intended to be used for resource and reference purposes only and does not constitute legal advice, nor should it be construed as providing any warranties or representations with respect to the products and/or services discussed herein. Readers of this paper are encouraged to speak with their legal counsel to understand how the general issues discussed above apply to their particular circumstances. Bradford Networks disclaims any and all liability for damages, costs, lost profits, fines, fees or financial penalties of any kind suffered by any party acting or relying on the general information contained herein.


More information

PCI Compliance Updates

PCI Compliance Updates PCI Compliance Updates PCI Mobile Payment Acceptance Security Guidelines Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance February, 2013 - PCI Mobile

More information

FairWarning Mapping to PCI DSS 3.0, Requirement 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10 FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are

More information

Information Security Controls Policy

Information Security Controls Policy Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January

More information

Payment Card Industry (PCI) Data Security Standard and Bsafe/Enterprise Security

Payment Card Industry (PCI) Data Security Standard and Bsafe/Enterprise Security Payment Card Industry (PCI) Data Security Standard and Bsafe/Enterprise Security Mapping of Bsafe/Enterprise Security Controls to PCI-DSS Requirements and Security Assessment Procedures Version 1.2 vember

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION FROM RESULTS Technology CONTENTS Overview.... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns

More information

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance GlobalSCAPE EFT Server HS Module High Security Facilitating Enterprise PCI DSS Compliance Detail Review Table of Contents Understanding the PCI DSS 3 The Case for Compliance 3 The Origin of the Standard

More information

Merchant Guide to PCI DSS

Merchant Guide to PCI DSS 0800 085 3867 www.cardpayaa.com Merchant Guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 Card Pay from the AA Simple PCI DSS - 3 step

More information

PCI Compliance for Power Systems running IBM i

PCI Compliance for Power Systems running IBM i WHITE PAPER PCI Compliance for TM Power Systems running IBM i ABSTRACT: The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information.

More information

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) Appendixes Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) 1.0 Scope All credit card data and its storage

More information

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next? PCI DATA SECURITY STANDARDS VERSION 3.2 What's Next? Presenters Alan Gutierrez Arana Director National PCI Leader RSM US LLP Gus Orologas, QSA Manager RSM US LLP Travis Wendling, QSA Supervisor RSM US

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

WHITE PAPER. Achieve PCI Compliance and Protect Against Data Breaches with LightCyber

WHITE PAPER. Achieve PCI Compliance and Protect Against Data Breaches with LightCyber WHITE PAPER Achieve PCI Compliance and Protect LightCyber Magna Validated for PCI DSS Requirement #11.4 Executive Summary LightCyber engaged HALOCK Security Labs, a PCI Qualified Security Assessor (QSA),

More information

Best Practices for PCI DSS Version 3.2 Network Security Compliance

Best Practices for PCI DSS Version 3.2 Network Security Compliance Best Practices for PCI DSS Version 3.2 Network Security Compliance www.tufin.com Executive Summary Payment data fraud by cyber criminals is a growing threat not only to financial institutions and retail

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that

More information

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD The Payment Card Industry Data Security Standard (PCI DSS), currently at version 3.2,

More information

Security Architecture

Security Architecture Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to

More information

Payment Card Industry Data Security Standard (PCI DSS) Primer Version 1.1

Payment Card Industry Data Security Standard (PCI DSS) Primer Version 1.1 T E C H N O L O G Y W H I T E P A P E R Payment Card Industry Data Security Standard (PCI DSS) Primer Version 1.1 Applying PCI to wireless LANS and compliance requirements Credit card theft is costing

More information

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Control-M and Payment Card Industry Data Security Standard (PCI DSS) Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M

More information

A QUICK PRIMER ON PCI DSS VERSION 3.0

A QUICK PRIMER ON PCI DSS VERSION 3.0 1 A QUICK PRIMER ON PCI DSS VERSION 3.0 This white paper shows you how to use the PCI 3 compliance process to help avoid costly data security breaches, using various service provider tools or on your own.

More information

GUIDE TO STAYING OUT OF PCI SCOPE

GUIDE TO STAYING OUT OF PCI SCOPE GUIDE TO STAYING OUT OF PCI SCOPE FIND ANSWERS TO... - What does PCI Compliance Mean? - How to Follow Sensitive Data Guidelines - What Does In Scope Mean? - How Can Noncompliance Damage a Business? - How

More information

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions. If your business processes Visa and MasterCard debit or credit card transactions, you need to have Payment Card Industry Data Security Standard (PCI DSS) compliance. We understand that PCI DSS requirements

More information

PCI DSS Compliance. White Paper Parallels Remote Application Server

PCI DSS Compliance. White Paper Parallels Remote Application Server PCI DSS Compliance White Paper Parallels Remote Application Server Table of Contents Introduction... 3 What Is PCI DSS?... 3 Why Businesses Need to Be PCI DSS Compliant... 3 What Is Parallels RAS?... 3

More information

PA-DSS Implementation Guide For

PA-DSS Implementation Guide For PA-DSS Implementation Guide For, CAGE (Card Authorization Gateway Engine), Version 4.0 PCI PADSS Certification 2.0 December 10, 2013. Table of Contents 1. Purpose... 4 2. Delete sensitive authentication

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Standalone Dial-out Terminals Only, No Electronic Cardholder Data Storage

More information

Safeguarding Cardholder Account Data

Safeguarding Cardholder Account Data Safeguarding Cardholder Account Data Attachmate Safeguarding Cardholder Account Data CONTENTS The Twelve PCI Requirements... 1 How Reflection Handles Your Host-Centric Security Issues... 2 The Reflection

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Merchants with Payment Application Systems Connected to the Internet No Electronic Cardholder

More information

Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide

Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide PCI DSS Version: V3.1, Rev 1.1 Prepared for: The University of Tennessee Merchants The University of Tennessee Foundation

More information

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1 COMPLIANCE BRIEF: HOW VARONIS HELPS WITH OVERVIEW The Payment Card Industry Data Security Standard (PCI-DSS) 3.1 is a set of regulations that govern how firms that process credit card and other similar

More information

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS)

Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS) Designing Polycom SpectraLink VoWLAN Solutions to Comply with Payment Card Industry (PCI) Data Security Standard (DSS) January 2009 1 January 2009 Polycom White Paper: Complying with PCI-DSS Page 2 1.

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Complying with RBI Guidelines for Wi-Fi Vulnerabilities

Complying with RBI Guidelines for Wi-Fi Vulnerabilities A Whitepaper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Reserve Bank of India (RBI) guidelines

More information

Site Data Protection (SDP) Program Update

Site Data Protection (SDP) Program Update Advanced Payments October 9, 2006 Site Data Protection (SDP) Program Update Agenda Security Landscape PCI Security Standards Council SDP Program October 9, 2006 SDP Program Update 2 Security Landscape

More information

Section 1: Assessment Information

Section 1: Assessment Information Section 1: Assessment Information Instructions for Submission This document must be completed as a declaration of the results of the merchant s self-assessment with the Payment Card Industry Data Security

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Merchants with Payment Application Systems Connected to the Internet No Electronic Cardholder

More information

Wireless Networking and PCI Compliance

Wireless Networking and PCI Compliance Wireless Networking and PCI Compliance The Importance of PCI Compliance Credit cards account for more than $2.5 trillion in transactions a year and are accepted at more than 24 million locations in more

More information

Payment Card Industry (PCI) Compliance

Payment Card Industry (PCI) Compliance Payment Card Industry (PCI) Compliance February 13, 2019 To Receive CPE Credit Individuals Participate in entire webinar Answer polls when they are provided Groups Group leader is the person who registered

More information

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Effective Data Security Measures on Payment Cards through PCI DSS 2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA Learning Bites Comprehend the foundations, requirements,

More information

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3. INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS Protect Critical Enterprise Applications and Cardholder Information with Enterprise Application Access Scope and Audience This guide is for

More information

Motorola AirDefense Retail Solutions Wireless Security Solutions For Retail

Motorola AirDefense Retail Solutions Wireless Security Solutions For Retail Motorola AirDefense Retail Solutions Wireless Security Solutions For Retail Wireless Risks in Retail The PCI Security Standards Council is an open global forum, founded by American Express, Discover Financial

More information

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Reviewer s guide. PureMessage for Windows/Exchange Product tour Reviewer s guide PureMessage for Windows/Exchange Product tour reviewer s guide: sophos nac advanced 2 welcome WELCOME Welcome to the reviewer s guide for NAC Advanced. The guide provides a review of the

More information

Dynamic Datacenter Security Solidex, November 2009

Dynamic Datacenter Security Solidex, November 2009 Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic

More information

Symantec Network Access Control Starter Edition

Symantec Network Access Control Starter Edition Symantec Network Access Control Starter Edition Simplified endpoint compliance Overview makes it easy to begin implementing a network access control solution. It offers a subset of Symantec Network Access

More information

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business

More information

Cisco Network Admission Control (NAC) Solution

Cisco Network Admission Control (NAC) Solution Data Sheet Cisco Network Admission Control (NAC) Solution New: Updated to include the Cisco Secure Network Server (SNS) Cisco Network Admission Control (NAC) solutions allow you to authenticate wired,

More information

AUTHORITY FOR ELECTRICITY REGULATION

AUTHORITY FOR ELECTRICITY REGULATION SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...

More information