Best Practices for PCI DSS Version 3.2 Network Security Compliance

Similar documents
90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Carbon Black PCI Compliance Mapping Checklist

Total Security Management PCI DSS Compliance Guide

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

How Security Policy Orchestration Extends to Hybrid Cloud Platforms

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

University of Sunderland Business Assurance PCI Security Policy

Insurance Industry - PCI DSS

Addressing PCI DSS 3.2

AWS Reference Design Document

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

The Honest Advantage

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

LOGmanager and PCI Data Security Standard v3.2 compliance

SECURITY PRACTICES OVERVIEW

FairWarning Mapping to PCI DSS 3.0, Requirement 10

WHITE PAPER. PCI and PA DSS Compliance with LogRhythm

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

Standard CIP Cyber Security Systems Security Management

SecureTrack. Supporting SANS 20 Critical Security Controls. March

Total Protection for Compliance: Unified IT Policy Auditing

Operationalizing NSX Micro segmentation in the Software Defined Data Center

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Education Network Security

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

locuz.com SOC Services

Simple and Powerful Security for PCI DSS

FireMon Security manager

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version May 2018

Privileged Account Security: A Balanced Approach to Securing Unix Environments

The Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an

Help Your Security Team Sleep at Night

Will you be PCI DSS Compliant by September 2010?

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

PCI DSS Compliance. White Paper Parallels Remote Application Server

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

The Evolution of Data Center Security, Risk and Compliance

Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk

A Practical Guide to Network Segmentation

THE TRIPWIRE NERC SOLUTION SUITE

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

CASE STUDY - Preparing for a PCI-DSS Audit using Cryptosense Analyzer

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Daxko s PCI DSS Responsibilities

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

Clearing the Path to PCI DSS Version 2.0 Compliance

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Automating the Top 20 CIS Critical Security Controls

Maximizing IT Security with Configuration Management WHITE PAPER

in PCI Regulated Environments

LogRhythm Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

Standard CIP 007 3a Cyber Security Systems Security Management

CA Security Management

Escaping PCI purgatory.

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

University of Maine System Payment Card Industry Data Security Standard (PCI DSS) Guide for Completing Self Assessment Questionnaire (SAQ) SAQ C

PCI PA - DSS. Point Vx Implementation Guide. Version For VeriFone Vx520, Vx680, Vx820 terminals using the Point Vx Payment Core (Point VxPC)

Firewall Configuration and Management Policy

Standard CIP Cyber Security Systems Security Management

Standard CIP 007 4a Cyber Security Systems Security Management

PCI PA-DSS Implementation Guide

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

Information Technology Procedure IT 3.4 IT Configuration Management

City of Portland Audit: Follow-Up on Compliance with Payment Card Industry Data Security Standard BY ALEXANDRA FERCAK SENIOR MANAGEMENT AUDITOR

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Safeguarding Cardholder Account Data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

The Prioritized Approach to Pursue PCI DSS Compliance

Accelerate Your Enterprise Private Cloud Initiative

The Prioritized Approach to Pursue PCI DSS Compliance

Network Security Policy

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Ready Theatre Systems RTS POS

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Payment Card Industry (PCI) Data Security Standard

PCI Compliance: It's Required, and It's Good for Your Business

Industrial Defender ASM. for Automation Systems Management

Simplify PCI Compliance

Best practices with Snare Enterprise Agents

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

PCI DSS COMPLIANCE 101

Transcription:

Best Practices for PCI DSS Version 3.2 Network Security Compliance www.tufin.com

Executive Summary Payment data fraud by cyber criminals is a growing threat not only to financial institutions and retail organizations, but to enterprises everywhere in practically every industry. As a result, the Payment Card Industry Data Security Standard (PCI DSS) is one of the most wide-reaching standards today. The goal of PCI DSS is to encourage and enhance payment data security and facilitate the broad adoption of consistent data security measures globally. It protects against fraud and security threats by providing a baseline of technical and operational requirements designed to protect payment data. To comply with the PCI DSS, IT managers and PCI internal auditors must perform periodic audits every 6 months (every 3 months is recommended). Furthermore, the PCI DSS Council updates the standard periodically to remediate growing threats by cybercriminals. Therefore, complying with the latest PCI DSS standard and ensuring that the enterprise network is audit ready is a pressing concern of many IT managers and PCI internal auditors today. Yet, according to Dark Reading, 7 out of 10 companies that achieve PCI compliance fail to maintain that status even for a year. Verizon s research showed that only 28.6% of companies managed to remain compliant for the full year between annual assessments. So maintaining compliance and audit-readiness is certainly a challenge. This paper provides information to IT managers and PCI internal auditors for understanding network security needs and best practices to mitigate payment data cyber threats as well as the related requirements for PCI DSS version 3.2 audits. Tufin s network security expertise enables excellent support for PCI internal auditors, IT managers and their network operation teams to design, plan and integrate the changes required for PCI DSS compliance into business-as-usual activities. The Tufin Orchestration Suite solution supports IT managers and PCI internal auditors to lessen their compliance headache. Protecting Payment Data with PCI DSS The PCI DSS defines 12 high-level requirements, grouped into 6 control objectives. To comply, PCI internal auditors or IT managers perform periodic audits every 6 months (3 months recommended). Audits demonstrate compliance via numerous testing procedures and sub-requirements, as seen in the table: PCI DSS Control Objectives Build and Maintain a Secure Network and Systems Protect Cardholder Data Requirement Description 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components Best Practices for PCI DSS v3.2 Network Security Compliance 2/8

9. Restrict physical access to cardholder data Regularly Monitor and Test Networks Maintain an Information Security Policy 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for all personnel The main PCI DSS principle: Payment data is only as secure as the pathways that provide access to it. On the one hand, PCI DSS requirements are designed to ensure that network security practices eliminate or minimize known risks. On the other hand, they ensure that the organization defines wellstructured policies, procedures and practices that can be tracked and audited. To ensure both secure data pathways and adherence to strict network security policies, PCI DSS requires: Specific guidelines for processing card payments to help prevent payment data fraud, skimming and other security threats Aligning with the industry best practices to increase the trust of both customers and partners Limiting external network access to sensitive data, combined with a formal process for monitoring all changes to firewall configuration and cloud security groups Tracking and auditing of firewall and cloud operations regularly, including clear definitions of roles and responsibilities Strictly limiting internal organizational access to sensitive data Documenting, enforcing and auditing all operational procedures and practices In summary, PCI DSS demands that organizations maintain continuous compliance through an ongoing process of: Assess, Remediate and Report. 1 To comply, your IT organization must have an accurate picture of your compliance posture, the tools to address issues, and the ability to demonstrate compliance through internal and external audits. Complying with PCI DSS Network Security Challenges About 40% of PCI DSS is related to network security, but this is really the crux of the headache, pitfalls and disturbance for PCI internal auditors, IT managers and their teams. For network security teams to integrate a repeatable compliance procedure that doesn t disrupt business-as-usual, it s simply not feasible for IT managers and PCI internal auditors to manually manage and test. The many IT tasks involved in documenting, tracking and auditing network security procedures manually can take weeks. The numerous security devices (firewalls, routers and others), with each device managing hundreds to thousands of rules makes for an extremely complex enterprise network environment. To ensure compliance, the team must have a clear visibility to the network topology, the routing flow of data around the network, and the setting of all security devices (as there are many paths to move between network segments, and all paths should be configured based on the desired policy). Therefore, PCI DSS compliance requires the right set of tools and automated solutions for visibility, alerting and quick breach fixes. 1 https://www.pcisecuritystandards.org/security_standards/getting_started.php Best Practices for PCI DSS v3.2 Network Security Compliance 3/8

Seven PCI DSS Best Practices for Network Security Since PCI DSS is the de-facto standard that any company processing credit cards must comply to, IT managers and PCI internal auditors continually align their enterprise security program to achieve this goal. Before getting into the PCI DSS requirement details, it s good to look at what s worked at many enterprises to enforce and remediate PCI network security compliance. Tufin networking experts gathered valuable learning and best practices from their PCI implementation experience. If IT managers and PCI internal auditors do it right, their work on PCI compliance can also be a springboard for their organization into continuous network security and more effective work processes. Tufin s 7 best practices for network security compliance are: 1) Create a clear separation with proper network segmentation of PCI data, PCI application, and PCI web within the network (DMZ, Internal and Internet) 2) Ensure that you have an enterprise-wide network change workflow process in place that meets PCI requirements 3) Ensure that every network change has a complete audit trail with the who, what, when, and why 4) Validate every network change with the following: a. Analyze the change for risks as defined in your security policy b. Get approval by the business owner c. Ensure the changes are implemented according to the PCI-compatible network change workflow 5) Ensure that firewalls protecting PCI zones work with the following guidelines: a. Every rule has a comment b. Every rule has a log c. No rules with Any in the Src, Dest, and Srv d. No rules with risky services (un-encrypted) e. Delete unused rules 6) Ensure every firewall rule and cloud security groups is documented properly with the following info: a. Business justification b. Business owner c. Application name 7) Ensure that you keep firewall and cloud security groups logs for at least 12 months Best Practices for PCI DSS v3.2 Network Security Compliance 4/8

Audit Readiness Through Continuous Compliance PCI DSS v3.2 compliance can be a great opportunity to get the buy-in and budgets to ensure network security is geared for ongoing success For IT managers and PCI internal auditors to set high, sustainable security standards, Tufin experts suggest paying special attention to subrequirements within PCI DSS requirement 1. When IT managers take a broader look at PCI requirement 1, not just with an eye on getting PCI compliance, these requirements open the door for implementing ongoing network security solutions. Otherwise, they tend to be problematic since they rely on manual processes that no longer scale to meet the needs of the business an increasingly common scenario. In any case, enterprises with large firewall estates need to automate firewall operations to meet business reality. While large-scale deployments are always intense, introducing some long term improvements that align PCI compliance efforts with your organization's specific security needs can be a good way to make the effort even more worthwhile and have long-term effect on the enterprise. To overcome the common network security and PCI DSS compliance challenges, IT managers and PCI internal auditors can gain insights by drilling down into 5 requirements. Additional best practices for focusing efforts on achieving both compliance and ongoing success are revealed: 1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations. PCI internal auditors need to show that a clearly defined, enforceable change process for firewall policies exists. The PCI external auditor will ask to see a change report with a full audit trail, and then select some random changes and request to see the sign off. The Challenge: Many organizations still don't have a change process in place or, if they do, it s too loose or relies on good will rather than formal procedures. Best Practice: The best way to implement formal, auditable change processes is to by using an adequate tool for the task. 1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP. This sub-requirement is concerned with three main risks: 1. Are the connections required for business known? 2. Are firewalls and cloud security groups implementing the Principle of Least Privilege? Allowing only connections that are required for business? 3. Are any of these connections insecure? Do compensating controls for them exist? The Challenge: Most organizations don't have an up to date list of services that are required for business. In the best case, documentation per firewall rule/cloud security group exists. Most likely some connections contain insecure services (NOTE: For PCI, the list is open to interpretation by the auditor). Best Practice: IT managers need to make sure they know about each of these services in advance with relevant justifications from a security perspective. Best Practices for PCI DSS v3.2 Network Security Compliance 5/8

1.1.7 Requirement to review rule sets for firewalls, routers and cloud security groups at least every six months IT managers and PCI internal auditors need to have proof that a process exists and working to meet this requirement. Complying with this requirement usually entails having a report to show rule sets were in fact reviewed, and that any questionable rules from the last audit were addressed, and that any changes to rules since the last audit were dealt with properly (i.e. old or non-compliant rules/objects were dealt with). Best Practice: Around one third of companies fail to provide the required documentation to satisfy the PCI external auditor on this point because of poor processes. Therefore, ensure your processes are up to date and functioning. 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the payment data environment Usually the PCI external auditor is looking for a set of rules that permit specific PCI services (approved known protocols used by the PCI servers) followed by an explicit drop rule for all other traffic. Exceptions must include proper documentation (such as rule comments) that makes sense to the auditor. Best Practice: Around one quarter of businesses find it difficult to correctly restrict inbound access; setting explicit drop rules is much easier. Proper definition of PCI services and PCI zones make compliance much simpler. So it s important to ensure that the PCI external auditor agrees to the contents of PCI services and PCI zones. If IT managers and PCI internal auditors can prove that an active alerting mechanism to prevent noncompliant changes exists, the enterprise is audit ready. 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ IT managers need to allow traffic from the Internet to specific servers (IP Addresses) in the DMZ everything else should be dropped. Proper definition of traffic that is Internet (i.e. all non-local IP addresses) and proper definition of the accessible IPs within the DMZ are critical for compliance. Plus, the PCI external auditor must agree that definitions are correct. Best Practice: If definitions are in place, an active alert mechanism for unauthorized traffic is what s needed for IT managers to ensure network security. 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet To do this, network operation teams need to properly define the 'Internet' and 'cardholder data' environments, or in other words, create network segmentations that can be isolated. The PCI external auditor wants to see that there is no direct access between these entities, and that there is proper evidence for this. Best Practice: If IT managers document and manage access with the right tools, PCI DSS auditing becomes part of the everyday IT and business activities: 1) Ensure documentation is ready 2) Prove serious about maintaining compliance Best Practices for PCI DSS v3.2 Network Security Compliance 6/8

Quick PCI DSS v3.2 Network Security Checklist IT managers and PCI internal auditors can use the PCI DSS Network Security Checklist for preparing for audits. The checklist summarizes the key PCI DSS Requirements and Testing Procedures related to network security. If best practices for network security have been implemented in the organization, the PCI DSS audit becomes a healthy routine versus a compliance headache. To meet the requirements related to network security in an efficient, quick and manageable way, Tufin s PCI DSS solution helps organizations with tools for compliance with version 3.2: PCI DSS Requirements & Testing Procedures Tufin s PCI DSS 3.2 Solution Build and maintain a secure network and systems Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards 1.1 Establish and implement firewall and router configuration standards that include the following: Inspect the firewall and router configuration standards and other documentation specified below and verify that standards are complete and implemented as follows: 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations 1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone 1.1.6a Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification and approval for each. 1.1.7 Requirement to review firewall and router rule sets at least every six months 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. (1.2.1a, 1.2.1b, 1.2.1c) 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment (1.3.1,1.3.2,1.3.4,1.3.6) 2.2.2 Enable only necessary services, protocols, daemons, etc., as required for the function of the system. 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure 2.2.4 Configure system security parameters to prevent misuse Automation and documentation of all firewall and router configuration changes, PCI firewall and router checks, PCI requirements deviation detection and reporting Automation and documentation of all firewall and router configuration changes PCI zone mapping and network topology map PCI firewall and router checks, PCI requirements deviation detection and reporting USP, policy browser, rule properties and documentation PCI compliance report, USP and violations dashboard PCI firewall and router connection checks, USP, violations dashboard and reporting Central network management for firewall and router to restrict traffic between Internet and PCI zone via the USP USP, rule documentation and policy browser Tufin Orchestration Suite support of TLS v1.2 for encrypting communications between internal processes. Note: Users must ensure that other devices, daemons, and services use secure encryption for any communications. USP, configuration of rule properties to identify unused rules Best Practices for PCI DSS v3.2 Network Security Compliance 7/8

Track and monitor all access to network resources and cardholder data 10.1 Implement audit trails to link all access to system components to each individual user. 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (e.g., online, archived, or restorable from backup). 10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: Firewalls, IDS, FIM, anti-virus, physical access controls, logical access controls, audit logging mechanisms, segmentation controls (if used) Full accountability of policy changes with automated audit trail and reports Traffic logs, retrieval of device and policy usage information for any user-configurable time-range SecureTrack dashboard, violations browser and standard report; SecureChange workflow change automation; standard reports As most enterprises are adopting public and/or private cloud platforms, it is important to note that although the PCI DSS standard relates predominantly to firewall environments, the Tufin Orchestration Suite solution for network security policy management supports all leading network security platforms, including hybrid cloud. To summarize, the Tufin Orchestration Suite solution provides the following benefits for PCI DSS 3.2 compliance needs: Reduced time and effort required for audit readiness through continuous compliance, including automated audit trail of full accountability with documentation Proactive risk analysis to avoid security and compliance violations Implementation of network changes in minutes instead of days Increased control with a unified console supporting all leading enterprise network security platforms (traditional networks and firewalls, SDN and cloud platforms) Automated provisioning and end-to-end orchestration for multi-vendor environments to reduce complexity and human error Flexible, customizable workflows for full integration into enterprise ITSM processes For more information on using the Tufin Orchestration Suite for PCI DSS v3.2 compliance, please refer to the Tufin Knowledge Center Technical Notes on Security and Compliance, Implement PCI DSS v3 Using Unified Security Policy at https://forum.tufin.com/support/kc/latest/implementing_pci- DSS_Using_USP.htm Copyright 2016 Tufin Tufin, Unified Security Policy, Tufin Orchestration Suite and the Tufin logo are trademarks of Tufin. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. Best Practices for PCI DSS v3.2 Network Security Compliance 8/8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback