SIMPLIFY PCI COMPLIANCE WITH NETWORK SEGMENTATION

SPOTLIGHTS

Industry: All
Use Case: Simplify PCI Compliance with Network Segmentation

PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB.

Business Benefits
- Lower risk exposure of the cardholder data environment (CDE) to malware and threats that propagate through the network
- Decreased risk due to improved compliance with PCI DSS
  o Brand damage
  o Litigation
  o Fines from credit card institutions and banks

Operational Benefits
- Reporting simplifies the PCI audit process by demonstrating compliance
- Improved visibility and control over network traffic into and out of the CDE zone

Technical Benefits
- Simplified security architecture
- Multiple integration options facilitate deployment into any environment

Business Drivers
Organizations that allow their customers to pay with credit cards must meet or exceed PCI DSS requirements. If the requirements are deemed unmet during an audit or post-breach, credit card institutions may levy fines as a penalty for noncompliance and propose a timeline of increasing fines. Cardholder breaches can result in the following types of losses for a merchant:
- $50-$90 fine per cardholder data record compromised.
- Suspension of credit card acceptance by the merchant's credit card account provider.
- Loss of reputation with customers, suppliers and partners.
- Possible civil litigation from breached customers.
- Loss of customer trust, which affects future sales.

Business Problem
Establishing, maintaining and demonstrating compliance with the PCI DSS is a necessity for all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).[1]

With approximately three hundred individual requirements to address, organizations subject to the standard have their work cut out for them. With global losses from payment card fraud exceeding $21.8 billion in 2015, the need for the PCI DSS has never been more apparent.[2] According to a poll in The Wall Street Journal, 45 percent of Americans say they or a household member had been notified by a card issuer, financial institution or retailer that their credit card information had possibly been stolen as part of a data breach.[3]

Offsetting the value of the PCI security standards, however, are a handful of related challenges. These include the substantial amount of effort and investment required to achieve compliance in the first place, along with the unfortunate reality that being compliant does not necessarily translate into an organization being adequately defended against advanced cyberattacks.

Substantial Effort Required
For all system components included in or connected to the cardholder data environment, organizations must comply with more than three hundred requirements. It is in every organization's best interest, therefore, to take advantage of the network segmentation provisions stated in the PCI DSS to isolate their CDE and thereby decrease the amount of infrastructure that is considered in scope. Doing so not only decreases the cost and complexity of PCI compliance in several predictable ways but also has the potential to deliver additional operational and security benefits. For example, when armed with an appropriate solution, organizations can use network segmentation to:
- Reduce both the number of system components that must be brought into compliance in the first place and any derivative impact doing so might have (such as the need to re-architect portions of the network or redesign certain applications and systems)

[2] Nilson Report, October
[3] Source: Poll Shows Broad Impact of Cyberattacks, Wall Street Journal, December 2014

Palo Alto Networks Simplify PCI Compliance With Network Segmentation Use Case 1

- Reduce the number of system components that must be maintained in compliance, both on a regular basis and whenever the PCI requirements are updated.
- Reduce the number of system components and processes that must be periodically audited to demonstrate compliance.
- Reduce and simplify management of the policies, access control and threat prevention rules that apply to the CDE.
- Reduce troubleshooting and forensic analysis effort by narrowing the scope of related investigations.
- Greatly improve the organization's ability to contain and limit the spread of threats.

Traditional Approaches
A flat network casts a wide scope of compliance. Organizations that do not isolate their PCI devices, such as point-of-sale devices, credit card-processing workstations and servers, typically face more challenges during their periodic PCI assessments than those that segment PCI devices. Any network segment that processes or transmits unencrypted credit card information must meet all PCI DSS requirements. In a flat, unsegmented network, the entire network is in scope for the PCI DSS.

VLANs were designed for traffic management, not security. Your Qualified Security Assessor (QSA) will likely agree that VLANs and ACLs do not provide the security controls needed to meet PCI requirements and are extremely difficult to manage at enterprise scale. VLANs were designed for traffic management and, alone, are not capable of enforcing control over privileged information. Alternative security options, like legacy port-based firewalls, also fail in this regard because they are indiscriminate about the traffic that is allowed through and do not safely enable the actions of the users in a segment. For example, there is no way to determine which applications are being used, which data is being accessed, or whether specific users are allowed to be in a particular segment in the first place.

It is not sufficient to merely meet PCI requirements.
By its own admission, the PCI DSS provides a baseline of technical and operational requirements for protecting cardholder data. Not only do the specified countermeasures represent a minimum standard of due care, but, as a result of the now three-year period between revisions, they often lag behind significant changes to the technology and threat landscapes. One self-acknowledged example of this situation is the requirement to deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) in PCI DSS section 5.1. In this case, the DSS explicitly mentions the consideration of additional anti-malware solutions as a supplement to the anti-virus software, presumably in recognition of the poor track record such software has of stopping modern, polymorphic malware and zero-day exploits.

A second example comes from the requirement to implement stateful inspection technology as part of the solution to prohibit direct public access between the internet and any system component in the cardholder data environment, in PCI DSS section [ ]. Commentary from Verizon on this requirement says it all: "The DSS still specifies stateful-inspection firewalls, first launched in [ ]. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering next generation firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules."[4]

Specific examples aside, the key point to realize here is that it is typically necessary, if not imperative, for security and compliance teams to go above and beyond the DSS requirements in order to establish a security architecture that more effectively addresses modern and emerging threats and more closely aligns with their organization's tolerance for risk.
Palo Alto Networks Approach
Description: Unlike traditional solutions, the Palo Alto Networks Next-Generation Security Platform natively classifies all traffic, regardless of port, protocol or encryption. This complete visibility into network activity allows customers to substantially reduce their attack surface, block all known threats with an integral threat prevention engine, and quickly discover and protect against unknown threats using the WildFire cloud-based threat analysis service. Next-generation endpoint security capable of stopping unknown threats, together with automated coordination among the natively integrated solution components, completes the picture. The net result is a truly innovative platform that delivers maximum protection for an organization's entire computing environment while greatly reducing the need for costly human intervention and remediation.

Figure 1: Palo Alto Networks Next-Generation Security Platform (diagram labels: Threat Intelligence Cloud; Next-Generation Firewall; Advanced Endpoint Protection; Natively Integrated; Automated; Extensible; Network; Cloud; Endpoint)

Robust Network Segmentation
The Palo Alto Networks security platform uniquely ensures isolation of an organization's cardholder data environment with a robust set of natively integrated security capabilities, including:
- Control of all traffic at the application level (Layer 7 of the OSI model). At the heart of our platform, innovative App-ID technology accurately identifies and classifies all traffic by its corresponding application, regardless of ports and protocols, evasive tactics such as port hopping, or encryption. In highly sensitive or specialized zones of the network, like the CDE, this provides the best possible control by allowing security administrators to deny all traffic except the few applications that are explicitly legitimate.
- Least-privilege access control across the network. Along with App-ID, User-ID and Content-ID enable organizations to tightly control access to the CDE based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, the actual identity of individual users and groups, and the specific elements of data being accessed (e.g., credit card or social security numbers). The result is a definitive implementation of least-privileged access control, where administrators can create straightforward security rules that allow only the absolute minimum legitimate traffic into the zone while automatically denying everything else.
- Advanced threat protection. A combination of anti-virus/anti-malware, intrusion prevention and advanced threat prevention technologies (Content-ID and WildFire) filters all allowed traffic for both known and unknown threats.
- Flexible data filtering. Administrators can allow necessary applications yet still block unwanted file transfer functionality, block unwanted file types, and control the transfer of sensitive data such as credit card numbers or custom data patterns in application content or attachments.
Figure 2: Comparison of flat versus segmented network
- Non-Segmented Network Using ACLs (End User Workstations, Cardholder Infrastructure, Development, WAN and Internet): all servers and associated traffic may fall within the scope of the PCI audit.
- Segmented Network With Palo Alto Networks Isolates Cardholder Data (Finance Users, PCI Zone, Infrastructure, Development, WAN and Internet): access to the PCI zone is limited to finance users based on User-ID (i.e., Active Directory security groups) and App-ID (i.e., limited internal and internet applications). The scope of the PCI audit is reduced to the cardholder segment and finance users.
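The two networks of Figure 2 can be compared numerically with the scoping rule the text relies on: a system component is in scope when it sits in the CDE or can exchange traffic with the CDE over a permitted path ("connected to" the CDE). The script below is an added example, not code from the use case or from Palo Alto Networks; the host names, zone names and permitted zone-to-zone flows are constructed to mirror the figure. It also goes one step beyond the figure and shows how a single additional permission (for instance opening the CDE to Development) would pull systems back into scope, which is the check a reviewer wants before a new rule is committed.

```python
"""Scope comparison for the flat and segmented networks of Figure 2.

Added example, not part of the use case: the host names, zone names and
permitted flows are constructed to mirror the figure. Scope follows the
rule the text relies on: a system component is in scope if it sits in the
CDE or can exchange traffic with a CDE component over a permitted path.
"""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str]  # (source zone, destination zone) that the firewall permits

# Constructed inventory: host -> the segment (security zone) it lives in.
SYSTEMS: Dict[str, str] = {
    "pos-db-01": "CDE",
    "payment-app-01": "CDE",
    "finance-ws-01": "Finance Users",
    "marketing-ws-01": "End User Workstations",
    "dev-build-01": "Development",
    "dns-01": "Infrastructure",
    "wan-router": "WAN and Internet",
}

# Segmented network (right-hand side of Figure 2): only these zone-to-zone flows
# are permitted; anything not listed is denied by the firewall.
SEGMENTED_FLOWS: Set[Flow] = {
    ("Finance Users", "CDE"),              # User-ID: Finance group; App-ID: the cardholder app
    ("Finance Users", "Infrastructure"),
    ("End User Workstations", "Infrastructure"),
    ("Development", "Infrastructure"),
    ("Finance Users", "WAN and Internet"),
    ("End User Workstations", "WAN and Internet"),
    ("Development", "WAN and Internet"),
}


def flat_network_flows(systems: Dict[str, str]) -> Set[Flow]:
    """Flat network with ACLs only (left-hand side of Figure 2): every zone reaches every other."""
    zones = set(systems.values())
    return {(src, dst) for src in zones for dst in zones if src != dst}


def pci_scope(systems: Dict[str, str], permitted: Set[Flow], cde_zone: str = "CDE") -> Set[str]:
    """Hosts in PCI scope: those in the CDE plus those in any zone with a permitted
    flow to or from the CDE (either direction counts as 'connected to')."""
    connected = {cde_zone}
    for src, dst in permitted:
        if src == cde_zone:
            connected.add(dst)
        elif dst == cde_zone:
            connected.add(src)
    return {host for host, zone in systems.items() if zone in connected}


def added_scope(systems, permitted, new_flow, cde_zone="CDE") -> List[str]:
    """Hosts that a proposed new zone-to-zone permission would pull into scope;
    a change-review check to run before a rule is committed."""
    before = pci_scope(systems, permitted, cde_zone)
    after = pci_scope(systems, permitted | {new_flow}, cde_zone)
    return sorted(after - before)


def compare_scope(systems=SYSTEMS, segmented=SEGMENTED_FLOWS) -> Dict[str, List[str]]:
    return {
        "flat": sorted(pci_scope(systems, flat_network_flows(systems))),
        "segmented": sorted(pci_scope(systems, segmented)),
    }


if __name__ == "__main__":
    for label, hosts in compare_scope().items():
        print(f"{label:9s} {len(hosts)}/{len(SYSTEMS)} in scope: {', '.join(hosts)}")
    # What a "let Development reach the CDE" rule would cost at the next assessment.
    print("opening CDE to Development adds:",
          added_scope(SYSTEMS, SEGMENTED_FLOWS, ("Development", "CDE")))
```

With the constructed inventory the flat network puts all seven hosts in scope, while the segmented one leaves only the two CDE hosts and the finance workstation, matching the figure's "cardholder segment and finance users". Permissions that do not touch the CDE zone (Development to Infrastructure, say) add nothing to scope, which is the property segmentation is meant to preserve.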

Next-Generation Security Platform Helps Meet and Exceed Multiple Requirements
Reducing the scope of compliance with effective network segmentation is only one way Palo Alto Networks supports organizations in their efforts to achieve PCI compliance. It also helps by addressing many of the individual requirements specified in the DSS, as detailed in Appendix 1.

Business Benefits of Exceeding PCI Compliance Using the Next-Generation Security Platform
Several examples have already been provided where the Palo Alto Networks platform goes above and beyond PCI DSS requirements to deliver the greater levels of protection today's organizations need, including:
- Reduced scope of compliance by isolating PCI devices. The next-generation firewall controls the flow of information within the CDE zone based on the principle of least privilege, blocking all users, applications and content except that which is absolutely necessary.
- Reduced exposure of networked systems to known and unknown attacks, malware and vulnerabilities. The Next-Generation Firewall, Threat Intelligence Cloud and Advanced Endpoint Protection are natively integrated to ensure that threats are quickly identified at all threat vectors into your network and stopped.
- Greater visibility for your security team. Native integration within the platform empowers your security team to quickly identify the important data points that require attention.

"We Need Better Firewalls. One of the criticisms that we made of DSS 3.0 in our 2014 report is that it still refers to stateful-inspection firewalls, a technology that most security professionals consider outdated. Malware and hacker attacks that can bypass stateful-inspection access controls have been common for nearly a decade. While other security standards have moved on, PCI DSS has not. [ ] Their ability to monitor activity at the application level, deal with the explosive growth in the number of devices, and block increasingly sophisticated threats make next-generation firewalls a must-have." Verizon 2015 PCI Compliance Report

Did you know? Traps helps you fulfill two PCI requirements:
- PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs. Traps advanced endpoint protection is an innovative technology that prevents exploits and malware, both known and unknown, and exceeds the original PCI DSS requirement, resulting in a much stronger security and compliance posture.
- PCI DSS Requirement 6: Develop and maintain secure systems and applications. Palo Alto Networks customers have reported that their PCI QSA approved the use of the Traps exploit prevention feature as a compensating control for systems that cannot be patched in a timely manner.

Another way our approach delivers next-generation protection that exceeds the DSS's baseline requirements is by providing extensive information sharing and coordination among elements of the platform. For example, new protections developed from WildFire's real-time threat intelligence are automatically distributed to our customers' systems in as few as five minutes. The net result of natively integrated threat prevention capabilities is a closed-loop architecture that delivers unparalleled threat response without the need for manual and time-consuming interventions by an already overwhelmed security team.

Architectural Vision
Architecture Considerations: As you plan your PCI segmentation strategy, it is important to understand the types of devices that will be considered in scope versus out of scope for PCI DSS compliance. The following are some examples of device types that may exist in your environment:

TYPICALLY IN-SCOPE FOR PCI:
- Tablet/Mobile POS: Merchants who collect credit card payments via wireless tablets or mobile devices may consider such devices as in scope.
- POS PC: PCs or registers used as points of sale may be considered in scope.
- POS Server: Servers that receive credit card data from POS devices and either transmit or store such data may be considered in scope.
- Phone: If you collect credit card numbers over the phone, phones may be considered in scope.

TYPICALLY OUT-OF-SCOPE FOR PCI:
- Barcode Scanner: These devices typically do not process credit card transactions and hence are usually out of scope.
- Laptop/Office PC: Laptops used in departments that do not process credit card numbers are usually considered out of scope.
- Other Non-POS Server: Servers that do not process credit card numbers are usually considered out of scope.

Reference Architecture
The PCI Reference Architecture below outlines recommended zones of isolation for merchants, regardless of the size of the organization. Security zones are logical containers for physical interfaces, VLANs, IP address ranges or a combination thereof. The switch and next-generation firewall icons in the diagram indicate the flexibility of using one, the other, or a combination of both types of devices to enforce isolation all the way to the Ethernet jack or access point.

Figure 3: PCI Reference Architecture (diagram labels: IN SCOPE FOR PCI; OUT OF SCOPE FOR PCI; devices: Tablet/Mobile POS, POS PC, POS Server, Phone, Access Point, Barcode Scanner, Laptop, Office PC, Non-POS Server; zones: Wireless POS, POS, Voice, Wireless Data, Data; enforcement points: Switch, Next-Generation Firewall, Router; Data Center/WAN)

Implementation Overview
Products required:
- Next-Generation Firewall
- Threat Prevention Subscription
- WildFire Subscription

How you will do it:
Determine the deployment method(s) you will use to insert next-generation firewalls into your environment. Palo Alto Networks next-generation firewalls offer Layer 1 (Virtual Wire), Layer 2 and Layer 3 deployment modes on a single hardware appliance, along with networking features such as static and dynamic routing, 802.1Q VLANs, trunked ports and traffic shaping. These capabilities allow network engineers to insert the Next-Generation Security Platform into any existing architectural design without requiring configuration changes to surrounding or adjacent network devices. The platform can sit in line with existing security appliances, either in front of or behind them. Additionally, it can be deployed to connect two or more networks together, bridge Layer 2 and Layer 3 networks, or provide full routing and connectivity of all networks and sub-networks across the organization.

Palo Alto Networks also offers the VM-Series next-generation firewalls in a virtual form factor, providing network segmentation within a virtualized server infrastructure. Multiple management domains (see Figure 1) can be accommodated by taking advantage of the virtual systems capability, which enables separate, isolated Zero Trust virtual instances on a physical appliance. Virtual systems allow you to segment the administration of all policies (security, NAT, QoS, etc.) as well as all reporting and visibility functions.

Figure 4: Segmented network with Palo Alto Networks isolates cardholder data (diagram labels: WAN and Internet; Finance Users; Cardholder Infrastructure; PCI Zone; Palo Alto Networks; Development)

Next, define your PCI zones. Security zones are logical containers for physical interfaces, VLANs, IP addresses or a combination thereof. Security zones are used in next-generation firewall security policies to clearly identify one or more source and destination interfaces on the platform. Each interface on the firewall must be assigned to a security zone before it can process traffic. This allows organizations to create security zones that represent the different segments connected to, and controlled by, the firewall. For example, security administrators can allocate all cardholder or patient data repositories to one network segment identified by a security zone (such as the Cardholder Data Environment or "CDE" zone). Then, the administrator can craft security policies that only permit certain users, groups of users, specific applications or other security zones to access the CDE zone, thereby preventing unauthorized internal or external access to the data stored in that segment.

Figure 5: Options available when you select Create a Zone (screenshot)

Figure 6 shows the options available when you select Create a Zone. You need to associate the zone with at least one interface, and select the Zone Protection Profile and Log Setting options. If you want to restrict or block access to the zone by IP ranges, you can complete the ACL options on the right side.

Once you have created your PCI zone, you need to define rules to allow or block access to it. Figure 3 shows an example of how easy it is for administrators to define straightforward rules to control access to zones. The first rule, titled PCI, allows users in the Users zone who are in the Finance Active Directory security group to access the Oracle application in the CC_ zone. The second rule blocks any other users from accessing the CC_ zone and logs them.

Figure 6: Two example rules to isolate and protect cardholder data in the CC_ zone (screenshot)

Figure 7: Step-by-step screenshots showing creation of two rules to isolate and protect cardholder data in a PCI zone
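The interface-to-zone assignment and the two rules walked through above form a small least-privilege rulebase: the first rule lets one user group use one application in the cardholder zone, the second denies and logs everything else headed there. The Python below is an added example, not PAN-OS configuration and not code from the document: the interface names, the zone name CC_Zone, the user group names other than Finance and the application names are constructed, and App-ID and User-ID classification is assumed to have already labelled each flow. It shows first-match evaluation, the deny-and-log rule producing entries a reviewer can pull, the Finance user who is still refused when the application is not Oracle, and the error raised when an interface has not been assigned to a zone.

```python
"""Zone-based least-privilege policy modelled on the two rules described for Figure 6.

Added example, not PAN-OS code and not the document's own configuration: the
interface names, the zone name "CC_Zone", the user groups and the application
names are constructed. App-ID and User-ID classification is assumed to have
already happened, so each flow arrives labelled with its application and groups.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Each interface must be assigned to a zone before it can carry traffic (constructed assignments).
INTERFACE_ZONE = {
    "ethernet1/1": "Users",
    "ethernet1/2": "CC_Zone",
    "ethernet1/3": "Development",
}

ANY: FrozenSet[str] = frozenset()  # an empty match set means "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str                      # zone name or "any"
    to_zone: str
    action: str                         # "allow" or "deny"
    source_groups: FrozenSet[str] = ANY
    applications: FrozenSet[str] = ANY
    log: bool = True


@dataclass(frozen=True)
class Flow:
    ingress_if: str
    egress_if: str
    user_groups: FrozenSet[str]
    application: str


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str
    log_entry: Optional[str]


# Rule 1: Finance users in the Users zone may use Oracle in CC_Zone.
# Rule 2: any other access into CC_Zone is denied and logged.
RULEBASE: List[Rule] = [
    Rule("PCI", "Users", "CC_Zone", "allow",
         source_groups=frozenset({"Finance"}), applications=frozenset({"oracle"})),
    Rule("Block-CC", "any", "CC_Zone", "deny"),
]


def zone_of(interface: str) -> str:
    """An interface without a zone assignment cannot process traffic at all."""
    if interface not in INTERFACE_ZONE:
        raise ValueError(f"interface {interface} is not assigned to a security zone")
    return INTERFACE_ZONE[interface]


def matches(rule: Rule, flow: Flow, src_zone: str, dst_zone: str) -> bool:
    if rule.from_zone not in ("any", src_zone) or rule.to_zone not in ("any", dst_zone):
        return False
    if rule.source_groups and not (rule.source_groups & flow.user_groups):
        return False
    if rule.applications and flow.application not in rule.applications:
        return False
    return True


def evaluate(flow: Flow, rulebase: List[Rule] = RULEBASE) -> Decision:
    """First matching rule wins; inter-zone traffic that no rule covers is denied."""
    src_zone, dst_zone = zone_of(flow.ingress_if), zone_of(flow.egress_if)
    for rule in rulebase:
        if matches(rule, flow, src_zone, dst_zone):
            entry = None
            if rule.log:
                groups = ",".join(sorted(flow.user_groups)) or "-"
                entry = (f"{rule.action.upper()} rule={rule.name} {src_zone}->{dst_zone} "
                         f"app={flow.application} groups={groups}")
            return Decision(rule.action, rule.name, entry)
    # Modelling choice for uncovered traffic: same-zone traffic passes, cross-zone traffic is denied.
    if src_zone == dst_zone:
        return Decision("allow", "intrazone-default", None)
    return Decision("deny", "interzone-default", None)


def denied_log_entries(flows: List[Flow]) -> List[str]:
    """Log lines a reviewer would pull to see who tried to reach the CDE and was refused."""
    return [d.log_entry for d in map(evaluate, flows)
            if d.action == "deny" and d.log_entry is not None]


# Constructed sample flows, already classified by application and user group.
SAMPLE_FLOWS = [
    Flow("ethernet1/1", "ethernet1/2", frozenset({"Finance"}), "oracle"),        # legitimate
    Flow("ethernet1/1", "ethernet1/2", frozenset({"Finance"}), "ssh"),           # right group, wrong app
    Flow("ethernet1/1", "ethernet1/2", frozenset({"Marketing"}), "oracle"),      # wrong group
    Flow("ethernet1/3", "ethernet1/2", frozenset(), "oracle"),                   # unidentified user from Development
    Flow("ethernet1/1", "ethernet1/3", frozenset({"Finance"}), "web-browsing"),  # no rule covers Users->Development
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        d = evaluate(flow)
        print(f"{d.action:5s} {d.rule:18s} {flow.application:12s} {sorted(flow.user_groups)}")
    print(f"{len(denied_log_entries(SAMPLE_FLOWS))} logged denials into CC_Zone")
```

Only the first sample flow is allowed. The second shows why App-ID matters in the allow rule: a Finance user is still refused when the application is SSH rather than Oracle, because the allow rule no longer matches and the deny rule does. The three refusals into CC_Zone are the ones that produce log entries, so a periodic review of those entries is where unexpected access attempts against the cardholder zone will surface.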

Actual Customer Deployment: Deploying NGFW in Layer 3 Mode to Reduce Scope of PCI Compliance

(Diagram labels: Internet; Public Routers; Edge PA-5050 in L3 mode; Core Switches; Distribution Switches; PA-7050 in L3 mode (two); Internal Zone: Non-POS Devices, VL90; PCI Zone: POS Devices, VL170)

ZONE           VLAN(s)   DESCRIPTION
Internal Zone  VL90      Internal Zone includes VL90, which contains all non-POS devices
PCI Zone       VL170     PCI Zone contains VL170, which contains all POS devices

The above diagram shows how an actual customer, a hospital, deployed next-generation firewalls to isolate point-of-sale devices from the rest of their network and effectively reduce the scope of compliance to include only the devices within the PCI zone. The customer architecture incorporates two redundant PA-7050s in Layer 3 mode hanging off a Cisco distribution switch. A PCI zone is configured in the NGFW to include VL170, which contains all the POS devices. The customer used several other zones to isolate various devices on their network, but for simplicity, we show only the internal and PCI zones. The internal zone is configured in the NGFW to include VL90, which is the primary internal network where non-POS devices connect. Traffic between the internal and PCI zones is controlled by a PCI security policy defined in PAN-OS.

Actual Customer Deployment: Using GlobalProtect, VM-Series NGFW and AWS to Reduce the Scope of PCI Compliance

(Diagram labels: Fueling Stations, Customer's clients with self-managed IT: Location 1 OSP Windows PC (GP), Location 2 OSP Windows PC (GP), Location 3 OSP Windows PC (GP); Amazon Web Services Virtual Private Cloud: GlobalProtect Gateway in AWS East Region, GlobalProtect Gateway in AWS West Region, GlobalProtect and VM-Series NGFW in AWS Central Gateway, Cardholder Data Blocked; Customer Data Center On Premise: Policies defined in NGFW to allow GP diagnostics to pass but block cardholder data from entering their on-premise data center; Data collection servers within customer data center used to analyze diagnostic info from OSPs)

The above diagram shows how an actual customer, providing fuel management system monitoring services, deployed GlobalProtect and VM-Series virtualized next-generation firewalls into Amazon Web Services to prevent cardholder data from entering their own network and, hence, removed their network from the scope of PCI. The customer monitors underground tanks and lines at thousands of retail fuel stations across the U.S. Using advanced statistical analysis and system diagnostics, the company ensures the accuracy of all consumption readings and proactively identifies tank systems at risk of leaks, illegal siphoning or other potentially hazardous situations.

The customer installs remote data collection devices on each fuel station's local network. These devices are minimally configured network appliances called on-site processors (OSPs). The OSPs collect data from every dispenser, tank and line at the station and transmit it back to the customer's data center for analysis and reporting. The customer architecture incorporates virtual GlobalProtect gateways in AWS for geographical optimization (one for the East region, one for the West) and a VM-Series NGFW to block threats and cardholder data from entering their network. By preventing cardholder data from entering their own network, they excluded their data center from the scope of PCI compliance.

Advice and Next Steps
No single vendor or solution can provide complete PCI DSS compliance. What merchants require instead is a thorough set of policies, processes and practices, including network segmentation, supported by an essential set of technological countermeasures to enforce them. Regardless of how you choose to implement the Palo Alto Networks Next-Generation Security Platform in your environment, you can be sure that the flexibility of integration options will facilitate a smooth implementation of controls that help you meet and exceed PCI DSS requirements.

Now that you understand what is involved as you prepare to deploy Palo Alto Networks next-generation firewalls to enhance your PCI compliance, go ahead and get started: PAN-OS Administrator's Guide

Customer References:
"Palo Alto Networks provides exactly what CRHC was looking for. While the original reason for looking at Palo Alto Networks was PCI compliance, which has been achieved, the benefits provided far exceed compliance."

"Partitioning the network, and the PCI area specifically, was one of the reasons behind the selection of Palo Alto Networks. It enabled the company to manage this aspect autonomously without the need for assistance of specialists, leaving these free to support Europ Assistance during the certification stage."

"Palo Alto Networks enabled us to achieve PCI compliance and secure the key data of our customers at approximately 10-15% less in costs."

Appendix
PCI Security Requirements Supported by Palo Alto Networks Next-Generation Security Platform
The Next-Generation Security Platform supports many of the 300 individual requirements specified in the PCI DSS, as itemized in the following tables.

Compliance Capabilities
Figure 8: Next-Generation Security Platform PCI DSS compliance capabilities (matrix of the twelve PCI DSS requirements below against three columns: NEXT-GEN FIREWALL, WILDFIRE, TRAPS; the individual check marks did not survive transcription)
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a security policy that addresses information security for all personnel

PCI Security Requirements Supported by the Palo Alto Networks Next-Generation Security Platform
The Next-Generation Security Platform supports many of the 300 individual requirements specified in the PCI DSS, as itemized in the following table (columns: PCI DSS REQUIREMENT; SUPPORTED SUB-REQUIREMENTS; DESCRIPTION OF CAPABILITIES).

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Supported sub-requirements: 1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7,
Capabilities: The Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive least-privileged access control (i.e., deny all applications, users and content except for that which is necessary) for all networks involving cardholder data. Palo Alto Networks supports all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the internet and any CDE system.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Supported sub-requirements: 2.3
Capabilities: The intent behind Requirement 2 is to implement sufficient preventive controls to reduce the attack surface. These controls include changing vendor passwords; enabling only necessary services, protocols and daemons; and removing unnecessary functionality, such as scripts, drivers, features, subsystems, file systems and web servers. For a relatively complex cardholder data environment, there are potentially thousands of instances in which unnecessary services, unnecessary functionality and insecure services could operate. Traps provides an automated preventive control capability to reduce risks associated with threat vectors or attack points. The unique approach employed by Traps ensures that, even if unnecessary services are running, vulnerabilities in those services cannot be exploited. Traps will block the exploit technique and prevent any malicious activities from occurring. Insightful forensic evidence is collected to support incident response processes or further investigative activities. With Traps operating in the CDE, organizations can reduce their risk to a level more in line with the business risk tolerance position.

Requirement 3: Protect stored cardholder data
Supported sub-requirements: n/a
Capabilities: This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored data is appropriately masked and encrypted. Encryption alone does not protect against malware that scrapes unencrypted cardholder data from memory. Traps prevents exploits and malware from launching malicious code that would try to compromise encryption keys or cardholder data. If key management processes do break down, Traps provides an effective compensating control for PCI DSS Section 3.6.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Supported sub-requirements: 4.1, 4.2
Capabilities: Standards-based IPsec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either a TLS- or IPsec-protected connection. With its unique application, user and content identification technologies, the Palo Alto Networks platform is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies (e.g., [ ], instant messaging and chat) down to the level of individual functions (e.g., allow messages but disallow attachments and file transfers).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Supported sub-requirements: n/a
Capabilities: The Palo Alto Networks security platform includes advanced endpoint protection that provides a much-needed complement to legacy anti-virus solutions, which are largely incapable of providing protection against unknown malware, zero-day exploits and advanced persistent threats (APTs).

Requirement 6: Develop and maintain secure systems and applications
Supported sub-requirements: 6.6
Capabilities: As a fully application-aware solution, the Palo Alto Networks Next-Generation Security Platform is capable of preventing a wide range of application-layer attacks that have, for example, taken advantage of improperly coded or configured web apps.

12 PCI DSS REQUIREMENT SUPPORTED SUB- REQUIREMENTS DESCRIPTION OF CAPABILITIES Requirement 7: Restrict access to cardholder data by business need to know 7.2, 7.2.1, Granular, policy-based control over applications, users and content, regardless of the user s device or location, enables organizations to implement definitive, least-privileged access control that truly limits access to cardholder data based on business need to know, with deny all for everything else. Tight integration with Active Directory and other identity stores, plus support for role-based access control, enables enforcement of privileges assigned to individuals based on job classification and function. Requirement 8: Identify and authenticate access to system components 8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3,8.2.4, 8.2.5, 8.3, 8.5, 8.6 Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smart cards. Requirement 9: Restrict physical access to cardholder data n/a n/a Requirement 10: Track and monitor all access to network resources and cardholder data 10.1, 10.2, , , ,10.2.4, , , , 10.3, , , , , , , 10.4, 10.6, , , , Palo Alto Networks Next-Generation Security Platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile matches. 
The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and information management systems, such as Splunk ). Requirement 11: Regularly test security systems and processes 11.4 Palo Alto Networks Next-Generation Security Platform fully inspects all allowed communication sessions for threat identification and prevention. A single, unified threat engine delivers intrusion prevention, stream-based antivirus prevention, and blocking of unapproved file types and data. The cloud-based WildFire engine extends these capabilities further by identifying and working in conjunction with on-premise components to prevent unknown and targeted malware and exploits. The net result is comprehensive protection from all types of threat in a single pass of traffic. Requirement 12: Maintain a security policy that addresses information security for all personnel n/a n/a 4401 Great America Parkway Santa Clara, CA Main: Sales: Support: Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pci-compliance-with-network-segmentation-uc
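As an added illustration of the deny-all, least-privilege rule model described under Requirements 1 and 7 (this is example code, not Palo Alto Networks code or configuration syntax), the following Python model evaluates flows between network zones against an ordered rule set with an implicit final deny, then lints the rule set for the properties the table calls out: no direct path between the internet zone and the CDE (1.3) and no "any application" or "any user" allowance into the CDE (7.2). The zone names, rule fields, user groups and both sample policies are constructed for this example.

```python
"""Zone-based segmentation policy with a deny-all default and a least-privilege audit.

Added example (not Palo Alto Networks configuration syntax). Zone names, rule
fields, user groups and the sample policies below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    app: str                 # application identity ("ssl", "mysql", ...); ANY matches every app
    users: FrozenSet[str]    # permitted user groups; frozenset({ANY}) matches every user
    action: str              # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    app: str
    user_group: str


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only when zones, application and user group all agree."""
    return (rule.from_zone == flow.from_zone
            and rule.to_zone == flow.to_zone
            and rule.app in (ANY, flow.app)
            and (ANY in rule.users or flow.user_group in rule.users))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation; anything no rule explicitly allows is denied."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"   # deny-all default (1.2.1; "deny all for everything else" under Requirement 7)


def audit(rules: List[Rule], cde_zone: str = "cde", internet_zone: str = "internet") -> List[str]:
    """Lint allow rules that touch the CDE for the conditions the table calls out."""
    findings = []
    for r in rules:
        if r.action != "allow" or cde_zone not in (r.from_zone, r.to_zone):
            continue
        if internet_zone in (r.from_zone, r.to_zone):
            findings.append(f"{r.name}: direct path between {internet_zone} and {cde_zone} (1.3)")
        if r.app == ANY:
            findings.append(f"{r.name}: application '{ANY}' permitted on a CDE boundary (7.2)")
        if r.to_zone == cde_zone and ANY in r.users:
            findings.append(f"{r.name}: any user permitted into {cde_zone} (7.2)")
    return findings


# Constructed sample policy: only the payment application service account may reach
# the CDE database, only the PCI DBA group may administer it over SSH, and the CDE
# may call out to a tokenization service in the DMZ. Everything else is denied.
SAMPLE_RULES = [
    Rule("dmz-web-to-cde-db", "dmz", "cde", "mysql", frozenset({"payment-app-svc"}), "allow"),
    Rule("dba-ssh-to-cde", "corp", "cde", "ssh", frozenset({"pci-dba"}), "allow"),
    Rule("cde-to-tokenizer", "cde", "dmz", "ssl", frozenset({ANY}), "allow"),
    Rule("internet-to-dmz-web", "internet", "dmz", "ssl", frozenset({ANY}), "allow"),
]

# Constructed weak variant: two "temporary" rules of the kind an audit should surface.
WEAK_RULES = SAMPLE_RULES + [
    Rule("internet-to-cde-debug", "internet", "cde", "ssh", frozenset({ANY}), "allow"),
    Rule("corp-any-to-cde", "corp", "cde", ANY, frozenset({ANY}), "allow"),
]

if __name__ == "__main__":
    probe = Flow("internet", "cde", "ssh", "contractor")
    print("baseline policy:", evaluate(SAMPLE_RULES, probe), audit(SAMPLE_RULES))
    print("weak policy:    ", evaluate(WEAK_RULES, probe), audit(WEAK_RULES))
```

The audit deliberately ignores rules that never touch the CDE zone, so the internet-to-DMZ web rule passes while the same traffic aimed at the CDE is flagged; a real review would run this kind of check against the exported rule base on every change, not only at audit time.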
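The authentication policies listed under Requirement 8 (unique IDs, lockout after a set number of failures, lockout duration, idle session timeouts, culling of inactive accounts, minimum password strength) can be expressed as a small account state machine. The following Python is an added example, not Palo Alto Networks or Active Directory code; the threshold defaults are the PCI DSS v3.2 figures for 8.1.4 (90 days), 8.1.6 (six attempts), 8.1.7 (30 minutes), 8.1.8 (15 minutes) and 8.2.3 (seven characters, alphabetic and numeric), while the account structure, function names and the timestamps in demo() are constructed.

```python
"""Account-policy state machine for the Requirement 8 controls listed in the table.

Added example, not Palo Alto Networks or Active Directory code. Threshold defaults
are the PCI DSS v3.2 figures for 8.1.4, 8.1.6, 8.1.7, 8.1.8 and 8.2.3; the account
structure, function names and the timestamps used in demo() are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    max_failures: int = 6                            # 8.1.6: lock out after at most six failed attempts
    lockout: timedelta = timedelta(minutes=30)       # 8.1.7: lockout lasts at least 30 minutes
    idle_timeout: timedelta = timedelta(minutes=15)  # 8.1.8: re-authenticate after 15 idle minutes
    inactive_limit: timedelta = timedelta(days=90)   # 8.1.4: disable accounts inactive for 90 days
    min_password_len: int = 7                        # 8.2.3: at least 7 chars, alphabetic and numeric


DEFAULT_POLICY = Policy()


@dataclass
class Account:
    user_id: str                          # 8.1.1: one unique ID per user, never shared
    last_login: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False
    last_activity: Optional[datetime] = None


def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until


def record_failure(acct: Account, now: datetime, policy: Policy = DEFAULT_POLICY) -> bool:
    """Count one failed attempt. Returns True when the account is (or already was) locked."""
    if acct.disabled or is_locked(acct, now):
        return True
    acct.failures += 1
    if acct.failures >= policy.max_failures:
        acct.locked_until = now + policy.lockout
        acct.failures = 0
        return True
    return False


def record_success(acct: Account, now: datetime) -> bool:
    """A correct credential opens a session only if the account is neither locked nor disabled."""
    if acct.disabled or is_locked(acct, now):
        return False
    acct.failures = 0
    acct.locked_until = None
    acct.last_login = acct.last_activity = now
    return True


def session_active(acct: Account, now: datetime, policy: Policy = DEFAULT_POLICY) -> bool:
    """Idle-timeout check; False means the user must re-authenticate."""
    return acct.last_activity is not None and now - acct.last_activity <= policy.idle_timeout


def cull_inactive(accounts: List[Account], now: datetime, policy: Policy = DEFAULT_POLICY) -> List[str]:
    """Disable every enabled account with no successful login inside the inactivity window."""
    culled = []
    for acct in accounts:
        if not acct.disabled and now - acct.last_login > policy.inactive_limit:
            acct.disabled = True
            culled.append(acct.user_id)
    return culled


def password_meets_minimum(pw: str, policy: Policy = DEFAULT_POLICY) -> bool:
    return (len(pw) >= policy.min_password_len
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def demo() -> Dict[str, object]:
    """Walk two constructed accounts through the controls with constructed timestamps."""
    t0 = datetime(2018, 1, 1, 9, 0)
    dba = Account("dba01", last_login=t0 - timedelta(days=3))
    stale = Account("contractor07", last_login=t0 - timedelta(days=91))

    def m(n: int) -> datetime:
        return t0 + timedelta(minutes=n)

    early_locks = [record_failure(dba, t0) for _ in range(5)]   # attempts 1..5: not yet locked
    sixth = record_failure(dba, t0)                             # attempt 6: locked for 30 min
    return {
        "locked_before_six": any(early_locks),
        "locked_on_sixth": sixth,
        "rejected_while_locked": record_success(dba, m(10)),
        "still_locked_at_29": is_locked(dba, m(29)),
        "accepted_after_lockout": record_success(dba, m(31)),
        "session_ok_at_15_idle": session_active(dba, m(46)),
        "session_expired_at_16_idle": session_active(dba, m(47)),
        "culled": cull_inactive([dba, stale], m(47)),
        "stale_login_rejected": record_success(stale, m(48)),
        "password_checks": [password_meets_minimum(p) for p in ("abc1234", "abcdefg", "1234567", "ab12")],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter when mapping this onto a real identity store: a correct password must still be rejected while the lockout is in force (record_success checks is_locked before resetting anything), and culling disables rather than deletes, so the audit trail behind the account survives for Requirement 10.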


SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD The Payment Card Industry Data Security Standard (PCI DSS), currently at version 3.2,

More information

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions. If your business processes Visa and MasterCard debit or credit card transactions, you need to have Payment Card Industry Data Security Standard (PCI DSS) compliance. We understand that PCI DSS requirements

More information

Clearing the Path to PCI DSS Version 2.0 Compliance

Clearing the Path to PCI DSS Version 2.0 Compliance White Paper Secure Configuration Manager Sentinel Change Guardian Clearing the Path to PCI DSS Version 2.0 Compliance Table of Contents Streamlining Processes for Protecting Cardholder Data... 1 PCI DSS

More information

Merchant Guide to PCI DSS

Merchant Guide to PCI DSS 0800 085 3867 www.cardpayaa.com Merchant Guide to PCI DSS Contents What is PCI DSS and why was it introduced?... 3 Who needs to become PCI DSS compliant?... 3 Card Pay from the AA Simple PCI DSS - 3 step

More information

Donor Credit Card Security Policy

Donor Credit Card Security Policy Donor Credit Card Security Policy INTRODUCTION This document explains the Community Foundation of Northeast Alabama s credit card security requirements for donors as required by the Payment Card Industry

More information

SIEM: Five Requirements that Solve the Bigger Business Issues

SIEM: Five Requirements that Solve the Bigger Business Issues SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered

More information

Securing Your Amazon Web Services Virtual Networks

Securing Your Amazon Web Services Virtual Networks Securing Your Amazon Web Services s IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up a workload,

More information

Using GRC for PCI DSS Compliance

Using GRC for PCI DSS Compliance Using GRC for PCI DSS Compliance The ongoing struggle to protect sensitive credit card data will continue to escalate. Increasingly sophisticated attacks have targeted financial institutions of all sizes,

More information

PCI Compliance Assessment Module with Inspector

PCI Compliance Assessment Module with Inspector Quick Start Guide PCI Compliance Assessment Module with Inspector Instructions to Perform a PCI Compliance Assessment Performing a PCI Compliance Assessment (with Inspector) 2 PCI Compliance Assessment

More information

SIEMLESS THREAT DETECTION FOR AWS

SIEMLESS THREAT DETECTION FOR AWS SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting

More information

Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.

Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2. Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.1 Assessor Company: Control Gap Inc. Contact Email: info@controlgap.com

More information

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity Kaspersky Enterprise Cybersecurity Kaspersky Endpoint Security v3.2 Mapping 3.2 regulates many technical security requirements and settings for systems operating with credit card data. Sub-points 1.4,

More information

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

Easy-to-Use PCI Kit to Enable PCI Compliance Audits Easy-to-Use PCI Kit to Enable PCI Compliance Audits Version 2.0 and Above Table of Contents Executive Summary... 3 About This Guide... 3 What Is PCI?... 3 ForeScout CounterACT... 3 PCI Requirements Addressed

More information

PCI DSS v3.2 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD PCI DSS

PCI DSS v3.2 Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD PCI DSS v3.2 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence

More information

CA Security Management

CA Security Management CA Security CA Security CA Security In today s business environment, security remains one of the most pressing IT concerns. Most organizations are struggling to protect an increasing amount of disparate

More information