Wireless Networking and PCI Compliance


The Importance of PCI Compliance

Credit cards account for more than $2.5 trillion in transactions a year and are accepted at more than 24 million locations in more than 200 countries and territories. It is estimated that there are 10,000 payment card transactions made every second around the world. [1]

All organizations that accept payment cards are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). They must comply with this security standard whether or not they use wireless technology to process credit card data. Organizations that are not PCI-compliant risk significant fines and other consequences. Noncompliance is established in several ways, for instance through audits that find unsecured transactions or as a result of verified security breaches. The impact on profitability includes card replacement costs and customer fear, which can quickly lead to a damaged brand and lost sales, expensive forensic audits, lawsuits, and liability claim compensation. [2]

If becoming compliant seems like a costly upfront investment, consider that compliance is not only mandatory for any organization that handles payment card data, but also provides a useful, auditable framework within which an organization can actively and continuously pursue greater security for cardholder data and other data.

This paper aims to provide an understanding of PCI DSS and direction for a variety of different organizations in applying the criteria to wireless infrastructure, connectivity, size, and current payment card security preparedness. Additionally, this paper makes recommendations for wireless security actions and architectures that organizations ought to employ in order to attain and maintain PCI compliance as the consequences of noncompliance intensify over time.

Wireless Guidelines for PCI Compliance

Wireless requirements are outlined in the PCI DSS Wireless Guidelines. The requirements break down into five action mandates [3]:

1. Maintain a hardware inventory
2. Perform scanning for rogue access points (APs)
3. Segment cardholder data from other network traffic
4. Maintain physical security of wireless devices
5. Enforce wireless usage policies

Let's look at each of these required steps in detail.

Maintaining a Hardware Inventory

Maintaining an inventory of the hardware infrastructure is an essential step in avoiding physical security breaches by malevolent outside parties or by internal personnel who bypass procedures. A hardware inventory also aids in the rapid detection of stolen or otherwise missing data.

[1] Source: American Bankers Association, March 2009
[2] http://www.pcicomplianceguide.org/pcifaqs.php
[3] https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_navigating_dss.pdf

2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

Scanning for Rogue Access Points

PCI DSS requirement 11.1 states that an organization must test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis. Requirement 11.1 goes on to note that methods that may be used in the process include, but are not limited to, wireless network scans, physical site inspection, network access control, or wireless intrusion detection systems/intrusion prevention systems (IDS/IPS). While you can use several methods to achieve this goal, we recommend the use of wireless IDS/IPS.

The PCI DSS requirements state that it is essential to do regular scans (at least quarterly) to find out if rogue devices have been introduced into the network and to alert personnel. However, threats to network security are often not long-term conditions. These threats are likely to occur in between quarterly scans, creating the need to continuously scan for rogue access, that is, access by any device that has a wireless interface and that is not an intended part of the environment. You can further secure the environment by using automatic alerts and containment mechanisms.

When you incorporate the Cisco Wireless Control System (WCS) in your network, you gain the ability to understand and log potential network compromises. As Figure 1 shows, WCS scans for and categorizes rogue devices.

Figure 1. Using Cisco WCS to Track and Locate Rogue Devices

Other approaches include using wired-side scanning tools. However, port scanning on the wired network is not enough, because it does not recognize disguised access points. What's more, the use of wired network port scanning requires organizations to go through a compensating controls process to seek approval by a Qualified Security Assessor or the company's Acquiring Bank for deviating from the standard. According to PCI DSS 2.0, Appendix B, "Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk..."

The only true way to identify rogue wireless access is by monitoring the wireless network. Page 10 of the PCI DSS Wireless Guideline [4], released in June of 2009, states the following: Relying on wired side scanning tools (e.g. tools that scan suspicious hardware MAC addresses on switches) may identify some unauthorized wireless devices; however, they tend to have high false positive/negative detection rates. Wired network scanning tools that scan for wireless devices often miss cleverly hidden and disguised rogue wireless devices or devices that are connected to isolated network segments. Wired scanning also fails to detect many instances of rogue wireless clients. A rogue wireless client is any device that has a wireless interface that is not intended to be present in the environment.

Physical inspection is just as ineffective as port scanning, if not more so. Wrongdoers can use ad-hoc wireless bridges and evil-twin access points to acquire cardholder data without physically attaching to the network. Also, physical inspection will do very little against reconnaissance activities or cracking tools that can lead to denial-of-service attacks.

[4] https://www.pcisecuritystandards.org/pdfs/pci_dss_wireless_guidelines.pdf
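As an added example that is not part of the Cisco paper, the following Python script shows the triage an over-the-air scan needs before it becomes the rogue list this section calls for: each access point seen over the air is checked against the hardware inventory (mandate 1), an unknown radio advertising one of the organization's own SSIDs is flagged as an evil twin, and an unknown radio whose address also appears in a CDE switch MAC table is flagged as a rogue connected to the CDE. The inventory, the switch MAC table, the scan records, and the category names are constructed for the example. The MAC-table match is exactly the wired-side heuristic the guideline quoted above describes as incomplete, which is why anything it fails to tie to the CDE is reported only as a neighbor candidate pending investigation rather than cleared.

```python
"""Triage of a wireless scan against the hardware inventory.

Added example, not part of the Cisco paper. The inventory, the CDE switch
MAC table and the scan records below are constructed sample data.
"""
from dataclasses import dataclass

# Mandate 1, the hardware inventory. Constructed: BSSID -> SSID that each
# organisation-owned radio is supposed to advertise.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "CORP-POS",
    "00:11:22:aa:bb:02": "CORP-POS",
    "00:11:22:aa:bb:03": "CORP-GUEST",
}
CORPORATE_SSIDS = frozenset(AUTHORIZED_APS.values())

# Constructed snapshot of MAC addresses learned on a switch inside the CDE.
# This is the wired-side evidence the guideline calls incomplete: a rogue
# whose wired MAC differs from its BSSID, or that sits on an isolated
# segment, never appears here.
CDE_SWITCH_MACS = frozenset({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02",
                             "de:ad:be:ef:00:01"})

CATEGORIES = ("authorized", "misconfigured", "evil-twin",
              "rogue-on-cde", "neighbor-candidate")


@dataclass(frozen=True)
class ScanEntry:
    """One access point seen over the air by a wireless IDS/IPS or analyzer."""
    bssid: str
    ssid: str
    security: str  # e.g. "OPEN", "WEP", "WPA2-PSK", "WPA2-EAP"


def classify(entry: ScanEntry) -> str:
    """Place a single observed AP into one of CATEGORIES."""
    bssid = entry.bssid.lower()
    if bssid in AUTHORIZED_APS:
        # Owned hardware: fine unless it advertises something unexpected.
        if AUTHORIZED_APS[bssid] != entry.ssid:
            return "misconfigured"
        return "authorized"
    if entry.ssid in CORPORATE_SSIDS:
        # Unknown radio impersonating a corporate SSID. An evil twin needs
        # no wired connection, so only over-the-air monitoring sees it.
        return "evil-twin"
    if bssid in CDE_SWITCH_MACS:
        # Unknown radio whose address was learned on a CDE switch.
        return "rogue-on-cde"
    # Nothing ties this AP to the CDE; it still needs a manual look before
    # it is recorded as a friendly neighbor.
    return "neighbor-candidate"


def triage(scan) -> dict:
    """Group a whole scan by category; BSSIDs sorted for a stable report."""
    report = {c: [] for c in CATEGORIES}
    for entry in scan:
        report[classify(entry)].append(entry.bssid.lower())
    return {c: sorted(v) for c, v in report.items()}


def requires_immediate_action(scan) -> list:
    """BSSIDs to eliminate before the rescan: anything confirmed on the CDE
    or impersonating the organization's own network."""
    report = triage(scan)
    return sorted(report["evil-twin"] + report["rogue-on-cde"])


# Constructed scan output, as a wireless IDS/IPS or a walk-around analyzer
# might produce it.
SAMPLE_SCAN = [
    ScanEntry("00:11:22:AA:BB:01", "CORP-POS", "WPA2-EAP"),
    ScanEntry("00:11:22:aa:bb:02", "CORP-POS", "WPA2-EAP"),
    ScanEntry("00:11:22:aa:bb:03", "CORP-GUEST", "WPA2-PSK"),
    ScanEntry("66:77:88:99:aa:bb", "CORP-POS", "OPEN"),        # evil twin
    ScanEntry("de:ad:be:ef:00:01", "linksys", "WPA2-PSK"),     # plugged into CDE
    ScanEntry("02:aa:bb:cc:dd:ee", "CoffeeShop", "WPA2-PSK"),  # next door
]

if __name__ == "__main__":
    for category, bssids in triage(SAMPLE_SCAN).items():
        print(f"{category:20s} {', '.join(bssids) or '-'}")
    print("eliminate before rescan:", requires_immediate_action(SAMPLE_SCAN))
```

Feeding the script a real scan means replacing SAMPLE_SCAN with the export of whatever IDS/IPS or analyzer is in use; the inventory and switch MAC table are the two data sets the organization must already keep for mandates 1 and 2.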

Wireless analyzers can range from freely available PC tools to commercial scanners and analyzers. The goal of all of these devices is to "sniff" the airwaves, "listen" for wireless devices in the area, and identify them. Using this method, a technician or auditor can walk around each site and detect wireless devices. The person would then manually investigate each device to determine whether it allows access to the Cardholder Data Environment (CDE) and classify it as a rogue or a friendly neighboring wireless device. Although this method is technically possible for a small number of locations, it is often operationally tedious, error-prone, and costly for organizations that have several CDE locations. For large organizations, it is recommended that wireless scanning be automated with a wireless IDS/IPS system.

Although the PCI DSS standard does not directly state what the output of wireless analysis should be, it does imply that it should be created, reviewed often, and used to mitigate the risk of unauthorized or rogue wireless devices. At a minimum, the list of wireless devices should clearly identify all rogue devices connected to the CDE. To comply with the intent of PCI DSS requirement 11.1, companies should immediately eliminate the rogue threat in accordance with PCI DSS requirement 12.9 and rescan the environment at the earliest possible opportunity.

Segmenting Cardholder Data from Other Network Traffic

Interpreting the conditions you must meet to be fully compliant with PCI requirements can be complicated. This is especially true for the task of segmenting the wireless network. PCI DSS treats any data that is not completely separated from the CDE as relevant to an auditor's assessment of PCI compliance, or simply as "in scope". This means that an organization must completely segment any data that it prefers not to have included in a PCI compliance analysis.
In addition, PCI DSS mandates that if a wireless network is not in the scope of cardholder data, it must remain completely isolated from the CDE using a stateful firewall in order to block unauthorized users from accessing it. PCI DSS develops this instruction further by asserting that the firewall must "Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission."

Maintaining the Physical Security of Wireless Devices

While a network is considered to be secure when regular scanning is performed and a stateful firewall is implemented, an organization cannot claim complete security without physically protecting the network and doing everything possible to ensure that unauthorized individuals cannot access, change, or impair the data that is being transmitted. To maintain the physical security of wireless data, you must have a person at each physical location who is responsible for checking whether equipment has been tampered with or compromised in any way. This person must manually assess (using vendor guidance) the security of the access points, wireless controllers, and any other physical pieces of the organization's WLAN.

This process can be simplified through vendor-supplied support tools that work in conjunction with mounted access points and controllers to allow customization of how the system grants user authorization, logs WLAN activity, and disables rogue devices. Cisco access points are easily mounted to ceilings and walls and are plenum rated, with the option to place the access point in the ceiling. Cisco mounting brackets block physical access to the reset button, Ethernet, and console ports.

Enforcing Wireless Security Policies

Specific recommendations in the PCI DSS for wireless usage policies include:

- Change default settings
- Use strong wireless authentication

- Use strong encryption when transmitting cardholder data

Cisco provides businesses with a PCI analysis toolset that is easily integrated into an organization's existing IT and security strategies. With one click, Cisco's Wireless Control System (WCS) can provide reports including information about devices and configurations, potential network gaps relative to PCI DSS requirements, and prioritized recommended remediation plans for closing such gaps. Finally, WCS simplifies the process of defining access point placement and determining access point coverage areas during the initial wireless network deployment. This makes it easier to include security strategies as part of the rollout, and helps to ensure better coverage and a more secure network. WCS also identifies when pre-shared keys and passwords are being utilized.

Cisco access points have an added security feature that helps prevent breaches even if an attacker gains physical access to the device. If a Cisco access point is reset, the access point looks to the WLAN controller for configuration settings, rather than resetting to factory defaults. Factory default settings leave an access point vulnerable to attack by anyone who has access to the factory default credentials, which are readily available on the Internet.

Solution Architectures for Specific Organization Profiles

It is important to assess how an organization's network is deployed in order to understand the security architecture and management tools required to meet PCI compliance requirements. There are two circumstances that are most typical for organizations that accept payment cards and therefore need to protect the CDE.

Case 1: Using a Wireless Scanning Overlay When There Is No Wireless Transmission of Cardholder Data

Some organizations do not transmit cardholder data wirelessly but plan to achieve PCI compliance through a wireless scanning overlay solution. These organizations can protect cardholder data from out-of-scope devices by incorporating access points operating in monitor mode and using an appropriate controller. Without wireless scanning, out-of-scope devices would go unrecognized, potentially allowing cardholder data to be acquired.

Case 2: Securing the Wireless Network When Cardholder Data Is Transmitted Wirelessly

When an organization transmits cardholder data wirelessly, there is an even greater need to monitor wireless traffic and help ensure that all (wired) cardholder data is segmented from wireless transmissions that may be infiltrated. In order to guarantee sufficient monitoring and reporting along with ample segmentation, an organization's wireless architecture would have to include:

- Access points, locally or centrally positioned or both
- Controllers (with sufficient IDS/IPS to maintain updated baselines and signatures to ensure optimal protection)
- Cisco Wireless Control System and Cisco Security Manager
- A stateful firewall

Cisco offers two firewall options certified to meet stateful firewall requirements: the Cisco ASA 5500 Series Adaptive Security Appliance and Cisco Integrated Services Routers running Cisco IOS Security. Organizations can choose the option that best integrates with the existing network.

Wireless technology offers considerable advantages. However, if cardholder or point-of-sale (PoS) data is transmitted over a WLAN, the organization may need to be more vigilant than it would otherwise need to be. There are a number of ways in which your organization can protect customers and itself long term. Initially, an organization needs to understand that investing in appropriate wireless architecture will block opportunities for outside parties and malicious rogues to infiltrate the network. By following a Cisco validated design guide, your organization can help ensure that essential security, data gathering, and management instruments are available and applied correctly from the outset. In addition, if your organization relies on its wireless network to transmit data, you must have tools to simplify the management of wireless access and usage.

Providing Security Beyond PCI Compliance

PCI compliance is critical for any organization that processes credit card data. However, basic PCI compliance does not mean that customer data is 100 percent protected from those seeking to hack into a network and steal card data for their own personal gain. Many organizations prudently choose to secure their wireless networks beyond the principal requirements set by the PCI DSS. In addition to Cisco access points, wireless controllers, the Cisco WCS, the Cisco Security Manager, and a stateful firewall, organizations may want to include an adaptive wireless intrusion prevention system (wIPS) that resides on the Cisco Mobility Services Engine (MSE). Other security measures include additional monitor mode access points and Cisco CleanAir technology for performance protection and interference mitigation.

Any bundle of security-boosting products can be further enhanced through professional services. These services may include validated design guides, deployment assistance, and ongoing professional management. Working with an expert in the field allows for an efficient, consistent experience that can greatly simplify the PCI compliance process. Cisco offers a wide variety of professional services, including both wireless and security-related offerings.

Summary

By using Cisco's end-to-end solution, you can take advantage of the network to manage business opportunities efficiently and cost-effectively and to help ensure that the network and all employee, customer, and inventory data is protected. It is important to remember that networks are complex systems: even with high-quality individual components, the network will be neither secure nor compliant without having been planned and built correctly. Cisco validated designs include all of the tools and actions necessary for a company to proceed with confidence. A Cisco partner can expect recommended architectures for networks, as well as for payment data that is in transit or stationary in the database. PCI audit and remediation partners can help with design guidance and audit reviews. In addition to creating the most up-to-date design and implementation guide to the tools for PCI compliance, Cisco will perform testing in a simulated environment along with configuration, monitoring, and authentication management systems. From simple overlay solutions to comprehensive wireless scanning, detection, and eradication tools, Cisco is prepared to enable your organization's personalized PCI compliance toolset.

A Note on PCI DSS 2.0

PCI DSS 2.0, in effect as of January 2011, has been updated for clarity, reduced redundancy, and requirement evolution. The document and a comprehensive breakdown of changes are available on the PCI Security Standards Council's website: https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0

Printed in USA C11-641421-00 01/11
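The segmentation and wireless usage policy items described in this paper (isolate out-of-scope wireless networks from the CDE with a stateful firewall, use 802.11i encryption, use strong authentication, change default settings) can be checked mechanically against a configuration export. The following Python script is an added example, not Cisco's or the PCI Security Standards Council's code: it evaluates a first-match subnet firewall policy to decide whether each out-of-scope WLAN can reach the CDE, and checks each in-scope WLAN for its cipher, its authentication type, and factory-default names or credentials. The CDE subnet, the WLAN definitions, the rules, and the default-value lists are all constructed; treating a pre-shared key on an in-scope WLAN as a finding is the example's own policy choice, following the paper's note that WCS reports when pre-shared keys are in use.

```python
"""Policy audit of WLAN definitions against the paper's wireless items:
segmentation from the CDE by a stateful firewall, 802.11i encryption,
strong authentication, and changed default settings.

Added example, not from the Cisco paper. The CDE subnet, the WLANs, the
firewall rules and the list of factory-default values are all constructed.
"""
import ipaddress
from dataclasses import dataclass

CDE_SUBNET = ipaddress.ip_network("10.10.0.0/24")  # constructed

# Constructed sample of factory-default values an auditor would look for.
DEFAULT_SSIDS = frozenset({"linksys", "NETGEAR", "default", "dlink"})
DEFAULT_ADMIN_CREDENTIALS = frozenset({("admin", "admin"), ("admin", "password")})


@dataclass(frozen=True)
class Wlan:
    ssid: str
    subnet: str             # client subnet behind this WLAN
    in_scope: bool          # carries cardholder data or connects to the CDE
    auth: str               # "802.1X", "PSK" or "open"
    cipher: str             # "CCMP", "TKIP", "WEP" or "none"
    admin_credentials: tuple


@dataclass(frozen=True)
class Rule:
    """One entry of a first-match firewall policy between subnets."""
    action: str  # "permit" or "deny"
    src: str
    dst: str


def reaches_cde(wlan: Wlan, rules) -> bool:
    """First matching rule decides; no match means the implicit deny."""
    src_net = ipaddress.ip_network(wlan.subnet)
    for rule in rules:
        if (ipaddress.ip_network(rule.src).overlaps(src_net)
                and ipaddress.ip_network(rule.dst).overlaps(CDE_SUBNET)):
            return rule.action == "permit"
    return False


def findings(wlan: Wlan, rules) -> list:
    """Policy findings for one WLAN, each prefixed with the policy item."""
    out = []
    if wlan.ssid in DEFAULT_SSIDS or wlan.admin_credentials in DEFAULT_ADMIN_CREDENTIALS:
        out.append("default settings: factory SSID or admin credentials still in use")
    if wlan.in_scope:
        # 802.11i with AES-CCMP is the "industry best practice" the paper cites.
        if wlan.cipher != "CCMP":
            out.append(f"strong encryption: cipher {wlan.cipher} is not 802.11i AES-CCMP")
        if wlan.auth == "open":
            out.append("strong authentication: network is open")
        elif wlan.auth == "PSK":
            # The paper notes WCS reports PSK use; this audit treats it as a
            # finding on in-scope WLANs (the example's own policy choice).
            out.append("strong authentication: pre-shared key in use instead of 802.1X")
    elif reaches_cde(wlan, rules):
        out.append("segmentation: out-of-scope WLAN can reach the CDE through the firewall")
    return out


def audit(wlans, rules) -> dict:
    """SSID -> list of findings (empty list means the WLAN passed)."""
    return {w.ssid: findings(w, rules) for w in wlans}


# Constructed WLANs and firewall policy ("***" stands in for a real secret).
WLANS = [
    Wlan("STORE-POS", "10.11.0.0/24", True, "802.1X", "CCMP", ("netadmin", "***")),
    Wlan("STORE-GUEST", "10.20.0.0/24", False, "PSK", "CCMP", ("netadmin", "***")),
    Wlan("WAREHOUSE", "10.30.0.0/24", False, "PSK", "CCMP", ("netadmin", "***")),
    Wlan("linksys", "10.12.0.0/24", True, "PSK", "TKIP", ("admin", "admin")),
]
RULES = [
    Rule("deny", "10.20.0.0/24", "10.10.0.0/24"),   # guest isolated from the CDE
    Rule("permit", "10.0.0.0/8", "10.10.0.0/24"),    # overly broad permit
]

if __name__ == "__main__":
    for ssid, items in audit(WLANS, RULES).items():
        print(ssid, "OK" if not items else "")
        for item in items:
            print("  -", item)
```

The WAREHOUSE WLAN is the case the paper's segmentation section warns about: it carries no cardholder data, but the broad permit rule lets its subnet into the CDE, which pulls it into scope until the firewall policy is tightened.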