Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy


2008 Cisco Systems, Inc. All rights reserved.

The PCI Data Security Standard
- Published January 2005; version 1.1 released September 7, 2006
- Impacts ALL who process, transmit or store cardholder data
- VISA Europe Account Information Security Programme: http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp
- Payment Card Industry Data Security Standard, January 2005

VISA PCI Categories of European Merchants

Level 1 Merchants
  Criteria: processed > 6,000,000 Visa transactions per year, compromised in the last year, or identified as Level 1 by another card brand
  Requirement: - Annual onsite PCI Data Security Assessment - Quarterly network scan
Level 2 Merchants
  Criteria: 1 million to 6 million transactions per year
  Requirement: - Quarterly network scan - Annual self-assessment
Level 3 Merchants
  Criteria: 20,000 to 1 million e-commerce transactions per year
  Requirement: - Quarterly network scan - Annual self-assessment
Level 4 Merchants
  Criteria: < 20,000 VISA e-commerce transactions per year
  Requirement: - Quarterly network scan recommended - Annual self-assessment

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

VISA PCI Categories of European Service Providers

Level 1 Service Provider
  Criteria: all VisaNet processors, payment gateways, and Internet Payment Service Providers, regardless of transaction volume
  Requirement: - Annual onsite Security Audit - Quarterly network scan
Level 2 Service Provider
  Criteria: any SP that is not in Level 1 and stores, processes or transmits > 1 million VISA accounts/transactions annually
  Requirement: - Annual onsite Security Audit - Quarterly network scan
Level 3 Service Provider
  Criteria: any SP that is not in Level 1 and stores, processes or transmits < 1 million accounts/transactions annually
  Requirement: - Quarterly network scan - Annual self-assessment

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

PCI Industry Updates
- US Level 1 Merchants: deadline was 30 Sept 2007; 65% are compliant (source: VISA US, October 2007)
- European Merchant deadline: 2008 (source: VISA & American Express, October-November 2007)
- Impact of non-compliance: US Level 1 merchants face a US$25,000 per month fine or an increase in credit card transaction fees

The PCI Data Security Standard

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Applying Self-Defending Network to PCI

Cisco PCI Validated Architectures
Cisco Validated Design includes:
- Recommended architectures for networks, payment data at rest and data in transit
- Testing in a simulated retail enterprise, including terminals, application servers, wireless devices, Internet connection and security systems
- Configuration, monitoring, and authentication management systems
- Architectural design guidance and audit review provided by PCI audit and remediation partners
Validated Design: Small Retail Store. PCI Audit Partner and Retail Solution Partners: [logos]

Network Environment Blueprint
[network diagram; zones: REMOTE LOCATION, INTERNET EDGE, MAIN OFFICE, NETWORK MGMT CENTER, DATA CENTER; components: Mobile, Cash Register, Server, Store Worker PC, Wireless device, Credit card storage, E-commerce, IronPort, ISR, WAN, Catalyst, 6500, 7300, FWSM, IDSM, ACS, CSM, NAC, NCM/CAS, CS-MARS]

PCI Requirement 1: Install and maintain a firewall configuration to protect data
- Configuration standards, documentation
- Segment cardholder data from all other data
- Firewall to public connections (inbound & outbound)
- Wireless
- Personal firewall

Requirement 1: Install and maintain a firewall configuration to protect data
[diagram: the network environment blueprint with a Data VLAN and a separate Card VLAN for credit card storage; same zones and components as the blueprint slide, with 7200/7300 and 6500/7600 FWSM]

PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Change vendor-supplied defaults
- Wireless: change wireless vendor defaults, disable SSID broadcasts, use WPA/WPA2
- Configuration standards for all system components
- Implement one primary function per server
- Disable all unnecessary and insecure services and protocols

Requirement 2: Do not use vendor-supplied defaults for system settings
[diagram: network environment blueprint annotated for this requirement]

PCI Requirement 2.1 for Wireless
- Verify that the Cisco Controller is, by default, configured for administrative restriction and AAA authentication for administrative users
- Verify that no default SSID is enabled on the WLC
- Disable/remove default SNMP strings of public/private; create new community strings; verify that the default community strings are no longer accessible
- Configure the administrative user either via the initial controller setup script or via CLI
- Configure the wireless system for WPA authentication
- Disable SSID broadcast

PCI Requirement 2.3 for Wireless
- Verify that the controller is enabled only for secure management protocols: HTTPS (SSL) only, Telnet disabled, SNMPv1 disabled, SSH permitted
- Verify that administrative access is denied to users connecting over unpermitted interfaces/addresses, and that only encrypted protocols are permitted
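The Requirement 2.1 and 2.3 checklists above are the kind of thing an assessor verifies by reading a controller configuration. The following is an added example (not part of the original presentation and not Cisco code) of a small audit script that runs those checks over a configuration text. The configuration syntax is an IOS-like illustration invented for this example, not actual WLC command syntax, and the two sample configurations are constructed; the default SSID and credential lists are illustrative assumptions.

```python
import re

# Constructed sample configurations for this example. The syntax is an
# IOS-like illustration invented here, not actual Cisco WLC command syntax.
WEAK_CONFIG = """\
hostname store-wlc
snmp-server community public RO
snmp-server community private RW
snmp version 1 enable
ip http server
ip telnet server enable
wlan 1 ssid tsunami
wlan 1 broadcast-ssid enable
wlan 1 security open
username admin password admin
"""

HARDENED_CONFIG = """\
hostname store-wlc
snmp-server community st0re-mon-r0 RO
snmp version 1 disable
snmp version 3 enable
no ip http server
ip http secure-server
no ip telnet server
ip ssh server enable
wlan 1 ssid pos-store-042
wlan 1 broadcast-ssid disable
wlan 1 security wpa2 aes
aaa authentication login default group radius local
username netops secret <hashed-secret-placeholder>
"""

# Vendor defaults to flag. 'public'/'private' are the classic SNMP defaults;
# the SSID and credential sets are illustrative assumptions for this example.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_SSIDS = {"tsunami", "default", "linksys", "cisco"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("cisco", "cisco")}

# Single-line rules: (regex over one config line, finding text).
LINE_RULES = [
    (r"^snmp version 1 enable$", "2.3: SNMPv1 enabled; disable it and use SNMPv3"),
    (r"^ip http server$", "2.3: plaintext HTTP management enabled; use HTTPS only"),
    (r"^ip telnet server enable$", "2.3: Telnet enabled; disable it and allow only SSH"),
    (r"^wlan \d+ broadcast-ssid enable$", "2.1: SSID broadcast enabled; disable it"),
    (r"^wlan \d+ security (open|wep)\b", "2.1: WLAN not using WPA/WPA2 authentication"),
]


def audit_wireless_config(text: str) -> list[str]:
    """Return PCI Requirement 2.1 / 2.3 findings for one controller config."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for line in lines:
        for pattern, message in LINE_RULES:
            if re.match(pattern, line):
                findings.append(message)
        m = re.match(r"^snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"2.1: default SNMP community '{m.group(1)}' still configured")
        m = re.match(r"^wlan \d+ ssid (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SSIDS:
            findings.append(f"2.1: default SSID '{m.group(1)}' still enabled")
        m = re.match(r"^username (\S+) password (\S+)", line)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDENTIALS:
            findings.append(f"2.1: default administrative credentials for '{m.group(1)}'")
    # 2.1 also expects AAA authentication for administrative users.
    if not any(ln.startswith("aaa authentication login") for ln in lines):
        findings.append("2.1: no AAA authentication configured for administrative users")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_wireless_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

The weak configuration produces ten findings (two default communities, SNMPv1, HTTP, Telnet, a default SSID, SSID broadcast, an open WLAN, default credentials and missing AAA); the hardened one produces none. Against a real controller the same rules would be written against the platform's actual configuration syntax and run from the configuration management system on every change, so that a reverted default is caught before the quarterly scan.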

PCI Requirement 3: Protect Stored Data
- Keep cardholder data storage to a minimum
- Do not store the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 and magnetic stripe data), the card-validation code or value, or the PIN
- Mask the PAN when displayed, and render it unreadable when stored (hashed indexes, truncation, index tokens and pads, strong cryptography, disk encryption)
- Document and implement key management processes
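As an added example (not from the original presentation and not Cisco code), the following Python shows the Requirement 3 controls on the application side: a Luhn check to recognise PAN candidates, masking for display, truncation and a keyed-hash index token for storage, and a scan of a stored record for the data that must never be retained (full track data, card-validation codes, PINs, unmasked PANs). The key, the regular expressions and the two sample records are constructed for this example; the PAN used is the well-known 4111 1111 1111 1111 test number.

```python
import hashlib
import hmac
import re

# Constructed demo key. In production the key lives in a key-management system
# or HSM, with the documented key management process Requirement 3 asks for.
INDEX_KEY = b"demo-index-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to tell a real PAN candidate from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits remain visible."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Stored form when the full PAN is not needed: only the last four digits."""
    return pan[-4:]


def pan_index_token(pan: str, key: bytes = INDEX_KEY) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup index. An unkeyed hash would
    be reversible by brute force, because the space of valid PANs is small."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# Constructed patterns for data that must not be stored after authorization.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}[^?]*\?")
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\bpin(?:\s*block)?\s*[:=]\s*[0-9A-Fa-f]{4,16}\b", re.IGNORECASE)
PAN_RE = re.compile(r"\b\d{13,19}\b")


def find_prohibited_data(text: str) -> list[str]:
    """Scan one stored record and return the kinds of prohibited data found."""
    kinds = []
    if TRACK1_RE.search(text):
        kinds.append("track1")
    if TRACK2_RE.search(text):
        kinds.append("track2")
    if CVV_RE.search(text):
        kinds.append("cvv")
    if PIN_RE.search(text):
        kinds.append("pin")
    if any(luhn_valid(m) for m in PAN_RE.findall(text)):
        kinds.append("pan")
    return kinds


# Constructed sample records: one as an application must never store it, and
# the same order stored with a masked PAN plus an index token.
BAD_RECORD = ("order=1042 track=%B4111111111111111^DOE/JOHN^2512101?"
              ";4111111111111111=2512101? cvv=123")
GOOD_RECORD = "order=1042 pan=" + mask_pan("4111111111111111") + \
              " token=" + pan_index_token("4111111111111111")

if __name__ == "__main__":
    print("bad record  :", find_prohibited_data(BAD_RECORD))
    print("good record :", find_prohibited_data(GOOD_RECORD))
```

Run periodically over log files, databases dumps and spool directories, `find_prohibited_data` is a cheap way to discover card data that has leaked into places the storage inventory does not list, which is the usual way "keep cardholder data storage to a minimum" fails in practice.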

Requirement 3: Protect Stored Data
[diagram: network environment blueprint annotated for this requirement]

Protect Stored Data From What?
Cisco Security Agent protects against:
- Copying cardholder information to removable media (USB sticks, CD-ROMs, etc.)
- Copying cardholder information to different file formats
- Printing cardholder information
- Saving information to a local machine
- Plus typical worm/virus protection (think e-commerce)

PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Use SSL/TLS or IPSec; WPA for wireless
- If using WEP: use a minimum 104-bit encryption key and 24-bit initialization value; use ONLY in conjunction with WPA/WPA2, VPN or SSL/TLS; rotate shared WEP keys quarterly (or automatically); restrict access based on MAC address
- Never send unencrypted PANs by e-mail

Requirement 4: Encrypt transmission of cardholder data across public networks
[diagram: network environment blueprint annotated for this requirement]

PCI Requirement 5: Use and regularly update anti-virus software or programs
- Deploy anti-virus software on all systems commonly affected by viruses
- AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware
- Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs

Requirement 5: Use and regularly update anti-virus software
[diagram: network environment blueprint annotated for this requirement]

PCI Requirement 6: Develop and maintain secure systems and applications
- Systems and software have the latest vendor-supplied security patches installed; install relevant security patches within one month of release
- Establish a process to identify new security vulnerabilities (subscribe to alert services, etc.)
- Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle
- Develop web applications based on secure coding guidelines such as those of the Open Web Application Security Project
- Protect web-facing applications against known attacks by installing an application-layer firewall in front of them, or by having the application code reviewed by a specialized application security organization

Requirement 6: Develop and maintain secure systems and applications
[diagram: network environment blueprint annotated for this requirement]

PCI Requirement 7: Restrict access to cardholder data by business need-to-know
- Limit access to computing resources and cardholder information to only those individuals whose job requires such access
- Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to deny all unless specifically allowed

Requirement 7: Restrict access to data by business need-to-know
[diagram: network environment blueprint annotated for this requirement]

PCI Requirement 8: Assign a unique ID to each person with computer access
- Identify all users with a unique user name before allowing access to system components or cardholder data
- In addition, employ one method of authentication (password, token devices [SecurID, certificates or public key], biometrics)
- Implement two-factor authentication
- Encrypt all passwords during transmission and storage

Requirement 8: Assign a unique ID to each person with computer access
[diagram: network environment blueprint annotated for this requirement]

PCI Requirement 9: Restrict physical access to cardholder data
- Facility entry controls; monitor physical access to systems that store, process or transmit cardholder data
- Cameras to monitor sensitive areas
- Restrict physical access to network jacks, wireless access points, gateways, and handheld devices
- Distinguish between employees and visitors: visitor log-in, physical token, authorization before entering the area
- Physically secure cardholder data media
- Destroy media when it is no longer needed

PCI Requirement 10: Track and monitor all access to network resources and cardholder data
- Implement automated audit trails
- Record audit trail entries
- Secure audit trails so they cannot be altered
- Review logs for all system components at least daily
- Destroy media when it is no longer needed
- Retain audit trail history for at least one year, with a minimum of three months online availability
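Two of the Requirement 10 bullets, "secure audit trails so they cannot be altered" and the one-year / three-month retention rule, are easy to state and easy to get wrong. The following is an added example (not from the presentation and not a Cisco or CS-MARS feature) of one way to implement both on a log collector: each entry carries an HMAC over its content and the previous entry's MAC, so editing or reordering a historical entry is detected on verification, and entries are classified by age against the two retention windows. The key, the event records and the reference date are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key. In practice the key is held by the log collector,
# not by the hosts that generate events, so a compromised host cannot re-sign.
LOG_KEY = b"demo-audit-trail-key"
GENESIS = "0" * 64


def _entry_mac(prev_mac: str, record: dict) -> str:
    """HMAC over the previous MAC and the canonical JSON form of the record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(chain: list, record: dict) -> dict:
    """Append a record, binding it to the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"record": record, "mac": _entry_mac(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> int:
    """Return the index of the first altered or out-of-order entry, -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["mac"], _entry_mac(prev, entry["record"])):
            return i
        prev = entry["mac"]
    return -1


# Retention windows from the requirement: at least one year kept in total,
# at least three months immediately available.
ONLINE_WINDOW = timedelta(days=90)
RETENTION_WINDOW = timedelta(days=365)


def retention_status(chain: list, now: datetime) -> dict:
    """Count entries that must stay online, may be archived, or are past the
    minimum retention period and eligible for disposal."""
    status = {"online": 0, "archivable": 0, "disposable": 0}
    for entry in chain:
        age = now - datetime.fromisoformat(entry["record"]["ts"])
        if age <= ONLINE_WINDOW:
            status["online"] += 1
        elif age <= RETENTION_WINDOW:
            status["archivable"] += 1
        else:
            status["disposable"] += 1
    return status


DEMO_NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)


def build_demo_chain(now: datetime = DEMO_NOW) -> list:
    """Constructed sample events aged 400, 200 and 10 days."""
    chain = []
    for days, event in ((400, "login"), (200, "pan_access"), (10, "config_change")):
        ts = (now - timedelta(days=days)).isoformat()
        append_entry(chain, {"ts": ts, "user": "jdoe", "event": event, "host": "pos-01"})
    return chain


def tamper_demo(now: datetime = DEMO_NOW) -> int:
    """Alter a historical entry in place and report where verification fails."""
    chain = build_demo_chain(now)
    chain[1]["record"]["user"] = "someone_else"
    return verify_chain(chain)


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact chain verifies at:", verify_chain(chain))
    print("tampered chain fails at :", tamper_demo())
    print("retention:", retention_status(chain, DEMO_NOW))
```

Verification of the chain is itself something the daily log review can record, so that the reviewer has evidence the trail was intact at the time it was read; entries in the "archivable" bucket can move to offline media as long as they remain restorable until the year is up.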

Requirement 10: Track and monitor all access to network and cardholder data
[diagram: network environment blueprint annotated for this requirement]

Event is also logged in CS-MARS (for your reference) [screenshot]

CS-MARS Events for PCI/CobiT Compliance Tracking (for your reference)
PCI 1. Firewall; CobiT DS 5.20 FW Architectures. MARS reports:
- Network Usage - Top Destination Ports
- Network Usage Inbound - Top Ports
- Network Usage Inbound - Top Destinations
- Network Usage Outbound - Top Ports
- Network Usage Outbound - Top Destinations
- Denies Inbound - Top Destination Ports
- Denies Inbound - Top Destinations
- Denies Inbound - Top Sources
- Denies Outbound - Top Destination Ports
- Denies Outbound - Top Destinations
- Denies Outbound - Top Sources
- Attacks Prevented - Top Reporting Devices
- Concurrent Connections - Top Devices

PCI Requirement 11: Regularly test security systems and processes
- Use a wireless analyzer at least quarterly to identify all wireless devices in use
- Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
- Perform penetration testing at least once a year and after any significant upgrade or modification
- Use NIDS/IPS, HIDS/HIPS
- Deploy file integrity monitoring software to perform critical file comparisons at least weekly
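The last bullet, file integrity monitoring with weekly comparisons of critical files, is straightforward to build from a hashing baseline. As an added example (not from the presentation and not Cisco code), the following records a SHA-256 baseline of every file under a directory and reports what was added, removed or modified since the previous snapshot; the scenario directory, its file names and contents are constructed in a temporary folder for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (as a relative POSIX path) to its digest and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": file_digest(path), "size": path.stat().st_size}
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Report added, removed and modified files between two snapshots."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"]),
    }


def demo_scenario() -> dict:
    """Constructed scenario: take a baseline of a small tree, then change it the
    way an unreviewed change (or an intrusion) would, and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "pos.conf").write_text("store_id=042\ntls=required\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "posd").write_bytes(b"\x7fELF-placeholder-binary")
        baseline = build_baseline(root)

        # Changes after the baseline: weakened config, removed file, new library.
        (root / "etc" / "pos.conf").write_text("store_id=042\ntls=optional\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "helper.so").write_bytes(b"\x00new-unexpected-library")
        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo_scenario().items():
        print(f"{kind:9s}: {paths}")
```

The baseline itself needs the same protection as an audit trail (store it off the monitored host, or sign it), otherwise whoever changes the file can update the baseline to match; and each reported difference should be tied back to an approved change record, since the weekly comparison is only useful if unexplained differences are investigated.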

Requirement 11: Regularly test security systems and processes
[diagram: network environment blueprint annotated for this requirement]

PCI Requirement 12: Maintain a policy that addresses information security for employees and contractors
- Establish, publish, maintain, and disseminate a security policy
- Develop usage policies for critical employee-facing technologies
- Implement a security awareness program
- Implement an incident response plan
- If cardholder data is shared with service providers, the SP must adhere to the PCI DSS requirements

Requirement 12: Maintain a policy that addresses information security
[diagram: network environment blueprint annotated for this requirement]

Cisco Solution for PCI
[diagram: Cisco solution components placed across the network zones (REMOTE LOCATION: 1200, Terminal, Store Worker PC, Wireless device, Server, 5500, Cisco Security Agent; ISR, WAN; INTERNET EDGE: 7300 router, IronPort, E-commerce; MAIN OFFICE: 6500; NETWORK MGMT CENTER: NAC, ACS, Cisco Security Management, NCM/CAS, CS-MARS; DATA CENTER: 6500/7600 FWSM, Credit card storage), mapped to Requirements 1 through 12]

NCM PCI Requirement 2 status [screenshot]

NCM Requirement 4 status (for your reference) [screenshot]

NCM Requirement 6 status (for your reference) [screenshot]

NCM Requirement 7, 8 status (for your reference) [screenshot]

NCM Requirement 10 status (for your reference) [screenshot]

NCM Requirement 11 status [screenshot]

NCM Requirement 12 status (for your reference) [screenshot]

Summary - Key Takeaways
- PCI is moving rapidly to global importance
- PCI compliance encompasses security best practices
- Work closely with your Approved Scanning Vendor and Qualified Security Assessor to understand expectations
- Use Cisco's PCI Validated Architectures as a guide to ease design and implementation

More Information
- Cisco Compliance information: http://www.cisco.com/go/compliance and http://www.cisco.com/go/retail
- VISA Cardholder Information Security Program: http://www.visaeurope.com/aboutvisa/security/ais/aisprogramme.jsp
- MasterCard PCI Merchant Education: http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html
- PCI Security Standards Council: https://www.pcisecuritystandards.org/
