White Paper

New PCI DSS standards are designed to help organizations keep credit card information secure, but they can be expensive to implement. The F5 PCI DSS 3.0 solution lets organizations protect cardholder data and remain in compliance while cutting costs, increasing efficiency, and simplifying their network infrastructure.
Introduction

Malicious attacks designed to steal credit card information are increasing, and security breaches and data thefts are reported more and more often. The Payment Card Industry Data Security Standard (PCI DSS) requirements have been revised to counter these attacks and keep customer data secure. The compliance requirements set out in PCI DSS 3.0 create challenges for large and small enterprises alike. Increased complexity can bring higher capital costs and operating expenses, a larger physical footprint, and difficulty managing access and security.

The F5 PCI DSS 3.0 solution allows organizations to remain in compliance with the revised standard and to keep sensitive credit card information private within a protected cardholder data environment (CDE). In addition, consolidating security and access needs with one vendor can increase efficiency, cut costs, and improve the scalability of an organization's network infrastructure.

Challenges of Compliance

For organizations that handle, process, or store credit card information, complying with the PCI DSS is mandatory. Maintaining an appropriate security posture helps ensure that customers' private information stays private and that the organization avoids the cost, effort, and embarrassment of a failed PCI DSS assessment. However, meeting the requirements of PCI DSS 3.0 can be difficult, whether an organization is building out a new CDE or enhancing its current infrastructure.

Segmentation

PCI DSS requirement 2.2.1 (retained in version 3.0 from earlier versions of the standard) states that each server implement only one primary function, so that functions with different security levels do not co-exist on the same server; where virtualization is used, the same rule applies per virtual system component. This keeps functions with high security needs from being compromised through those with lower security needs. Meeting this requirement can raise costs, because an organization that runs several functions per server today must buy additional hardware, or find another way to isolate them.
Encryption

Without strong authentication and encrypted communications, administrators' IDs and passwords could be intercepted and used to access the network and steal sensitive information. To comply, organizations must encrypt all non-console administrative access using strong cryptography (requirement 2.3); the standard itself points to technologies such as SSH, VPN, or TLS for this, rather than telnet or plain HTTP.
Access Management

Requirement 1.3.5 stipulates that organizations must examine firewall and router configurations to verify that all outbound traffic from the CDE to the Internet is explicitly authorized. A common way to meet it is a secure outbound proxy or an explicitly scoped rule set with a final default deny, so that applications inside the CDE cannot talk to, and potentially be compromised by, unauthorized outside applications.

Network Firewall

PCI DSS 3.0 calls for a stateful network firewall whose configuration restricts connections between untrusted networks and any system component in the CDE (requirement 1.2). Without such a firewall in place, organizations are exposed to unauthorized access by attackers.

Web Application Firewall

Finally, organizations must protect their critical web applications, which are often easy pathways for attackers to reach sensitive cardholder data. Requirement 6.6 can be satisfied by reviewing public-facing web applications with application vulnerability assessment tools or methods, or by installing an automated web application firewall in front of public-facing web applications to continuously check all traffic.

Bolstered Security, Increased Compliance

To comply with PCI DSS 3.0, enterprises must segment their servers, deploy a network firewall, improve encryption, control access to and from the CDE, and mitigate threats to public-facing web applications. It is a tall order, but organizations can fulfill all of these requirements while at the same time optimizing application delivery, enhancing security, simplifying management, and cutting capital expenditures.

Comply, Secure, and Optimize

While no single vendor can ensure that an organization meets every requirement in PCI DSS 3.0, F5 delivers a targeted solution to help enterprises become PCI DSS 3.0 compliant.
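The two firewall checks described above, explicitly authorized outbound traffic from the CDE (1.3.5) and no direct connections from untrusted networks into the CDE (1.2), are the kind of thing an assessor walks through rule by rule. The following script is an added example, written for this page; it is not F5 code and does not model any F5 product. It audits a constructed, first-match-wins rule set and reports every allow rule that lets CDE hosts reach the Internet without a specific destination, protocol and port, every allow rule that admits an external source straight into the CDE, and a rule set that has no final default deny for CDE egress. The CDE range 10.10.0.0/16, the other internal range 10.20.0.0/16, the rule names, and the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 standing in for Internet hosts are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"; rules are evaluated first match wins
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port number or "any"


@dataclass(frozen=True)
class Finding:
    rule: Optional[str]   # None for findings about the rule set as a whole
    reason: str


def _net(spec: str):
    """'any' becomes None; everything else must parse as a network."""
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _overlaps(net, networks) -> bool:
    """None ('any') overlaps every network."""
    return net is None or any(net.overlaps(n) for n in networks)


def audit_cde_rules(rules: List[Rule], cde_networks: List[str],
                    internal_networks: List[str]) -> List[Finding]:
    cde = [ipaddress.ip_network(n) for n in cde_networks]
    # Internet is modelled as "anything outside known internal address space",
    # which avoids relying on is_private/is_global (both misclassify the
    # documentation ranges used in the sample below).
    internal = cde + [ipaddress.ip_network(n) for n in internal_networks]
    findings: List[Finding] = []
    cde_default_deny = False

    for r in rules:
        src, dst = _net(r.src), _net(r.dst)
        src_is_cde = _overlaps(src, cde)
        dst_is_cde = _overlaps(dst, cde)
        src_is_external = src is None or not _overlaps(src, internal)
        dst_is_external = dst is None or not _overlaps(dst, internal)

        # A deny covering CDE sources to any destination is the egress default deny
        if r.action == "deny" and src_is_cde and dst is None:
            cde_default_deny = True
            continue
        if r.action != "allow":
            continue

        # 1.3.5: CDE -> Internet must name a destination, protocol and port
        if src_is_cde and dst_is_external:
            gaps = []
            if dst is None:
                gaps.append("destination any")
            if r.proto == "any":
                gaps.append("protocol any")
            if r.dport == "any":
                gaps.append("port any")
            if gaps:
                findings.append(Finding(
                    r.name, "CDE egress not explicitly authorized: " + ", ".join(gaps)))

        # 1.2: untrusted sources must not be allowed directly into the CDE
        if src_is_external and dst_is_cde:
            findings.append(Finding(r.name, "untrusted source allowed directly into CDE"))

    if not cde_default_deny:
        findings.append(Finding(None, "no default deny for outbound CDE traffic"))
    return findings


# Constructed sample: one CDE subnet, one other internal subnet, five rules
CDE_NETWORKS = ["10.10.0.0/16"]
INTERNAL_NETWORKS = ["10.20.0.0/16"]
RULES = [
    Rule("cde-dns-out", "allow", "10.10.0.0/16", "203.0.113.53/32", "udp", "53"),
    Rule("cde-payment-gw", "allow", "10.10.5.0/24", "198.51.100.10/32", "tcp", "443"),
    Rule("cde-web-any", "allow", "10.10.0.0/16", "any", "tcp", "80"),        # too broad
    Rule("inet-to-cde-ssh", "allow", "any", "10.10.5.0/24", "tcp", "22"),    # untrusted -> CDE
    Rule("cde-deny-all", "deny", "10.10.0.0/16", "any", "any", "any"),       # default deny
]


if __name__ == "__main__":
    for f in audit_cde_rules(RULES, CDE_NETWORKS, INTERNAL_NETWORKS):
        print(f"{f.rule or '<ruleset>'}: {f.reason}")
```

Run against the sample, the audit flags cde-web-any (destination any) and inet-to-cde-ssh, and is silent about the two narrowly scoped egress rules and the default deny. Dropping the last rule adds a rule-set level finding. A real audit would parse the vendor's configuration export into Rule objects and would also check the ordering, since an allow placed after a default deny is dead but an allow placed before it is live.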
The F5 solution also offers the flexibility to deploy functions on a combination of physical and virtual Application Delivery Controllers (ADCs).

Segmentation
Segmentation means more servers, which in turn means a larger physical footprint and higher expenditure. However, BIG-IP virtual editions can do the work and satisfy the one-function-per-system requirement without an investment in additional hardware. By combining physical ADCs with BIG-IP virtual editions, organizations can save time and money and operate more efficiently while remaining in compliance.

Encryption

F5 technology makes it straightforward to address the encryption requirement. BIG-IP Access Policy Manager (APM), available as a virtual edition, offers vendor-agnostic support for virtual desktop infrastructure (VDI), which lets administrators reach the CDE from a remote environment over an authenticated, encrypted session.

Access Management

BIG-IP APM also addresses the requirement that organizations evaluate all outbound traffic from the CDE and ensure that it adheres to established rules. Administrators can confine traffic to authorized communications only by restricting destination addresses and ports and, where necessary, blocking content.

Network Firewall

BIG-IP Advanced Firewall Manager (AFM) delivers the stateful network firewall called for by the standard. An evolved network firewall, BIG-IP AFM combines network-level security with deep application fluency to provide app-centric protection at the network layer, protecting customer data and helping to ensure the integrity of the CDE.

Web Application Firewall

Organizations can meet requirement 6.6 by deploying a vulnerability scanner or a web application firewall (WAF), but the most effective approach is to feed scan data into the attack-mitigation capability of a WAF. BIG-IP Application Security Manager (ASM) can identify, isolate, and block sophisticated attacks without impacting legitimate application transactions.
Moreover, BIG-IP ASM integrates with many popular scanning products, so it can take the scan data, identify the reported vulnerabilities, and create a virtual patch in the WAF within seconds. Virtual patching shortens the window of exposure and lets organizations maintain the appropriate security posture while minimizing the effect on the business; the underlying application still needs a proper fix.
PCI DSS 3.0 Clause   Requirement                  F5 Solution
1.2                  Network Firewall             BIG-IP Advanced Firewall Manager
1.3.5                Access Management            BIG-IP Access Policy Manager
2.2.1                Segmentation                 Physical ADCs plus BIG-IP virtual editions
2.3                  Encryption                   BIG-IP Access Policy Manager
6.6                  Web Application Firewall     BIG-IP Application Security Manager

F5 technology allows organizations to address PCI DSS 3.0 requirements efficiently. By implementing the F5 PCI DSS 3.0 solution, organizations can realize the benefits of an integrated, optimized security posture:

- Save time and money by reducing the scope of a PCI DSS assessment.
- Consolidate access and security needs with one vendor on one platform.
- Reduce costs by deploying some of the isolated functions on virtual instead of physical ADCs.
- Segment the CDE with isolated virtual web application firewalls.
- Scale quickly and easily with flexible virtual ADC deployment options.

Conclusion

The requirements of PCI DSS 3.0 can pose daunting problems for organizations that need to remain in compliance while controlling costs and simplifying network infrastructure. Segmentation, encryption, access control, and scale can all cause costs to balloon and network complexity to grow. By implementing the F5 PCI DSS 3.0 solution, organizations can reduce hardware expenditure, scale their infrastructure with hardware and virtual editions, and consolidate their security and access needs with one vendor on one platform, all while fulfilling their compliance requirements and protecting sensitive credit card data.

F5 Networks, Inc.
401 Elliott Avenue West, Seattle, WA 98119
888-882-4447
www.f5.com
Americas: info@f5.com
Asia-Pacific: apacinfo@f5.com
Europe/Middle-East/Africa: emeainfo@f5.com
Japan: f5j-info@f5.com

© 2015 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.