WHITE PAPER
Simplify PCI Compliance
An Affordable, Easy-to-Implement Approach Using Secure SD-WAN
For most retailers, the technology burden of maintaining PCI compliance can be overwhelming. Hundreds of pages of guidelines, standards and procedures and a confusing array of technology and vendor options paralyze retailers who are wrestling with business-critical questions such as:

How do I go about implementing PCI compliance?
Is there an affordable strategy to achieve PCI compliance system-wide?
Can I scale out PCI compliance to multiple sites without on-site IT resources?
How do I sustain PCI compliance in a constantly evolving threat landscape?

This primer will help you answer those questions without having to climb a mountain of regulations or become a security expert.

PCI DSS: The Payment Card Industry Data Security Standard is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes.

In an ironic application of the Pareto principle, while roughly 80% of breaches occur at the application level [1, 2], 80% of security spending is focused on the network [3]. Consequently, when someone asks us, "Should I focus on application security or network security?" we say, "Yes."

Essential enabling practices

The scope of this document is to provide a roadmap to minimize the technical friction associated with PCI compliance and establish consistent security standards across the brand for cross-franchise adoption. The most important considerations when developing a security plan are:

Partitioning the network end-to-end

PCI standards advocate scoping the infrastructure to identify all components located within or connected to the cardholder data (CHD) environment, and then reducing the scope through segmentation to isolate the CHD environment from the rest of the network [4]. This aspect of PCI leads to a focus on the network, when you should actually address both the network and the applications. Why restrict partitioning to applications that use CHD, such as POS and loyalty programs? Every application should have access to only the data relevant for that application. Enable a pragmatic approach to PCI compliance through cloud-managed micro-segmentation, partitioning every app into its own virtual network to isolate it from other apps: payment apps, loyalty apps, corporate apps, franchisee apps, IoT apps, etc. This approach, which we call virtual application networks (VANs), allows security policies to be enforced on a per-application basis, reducing the risk of lateral breach propagation across applications.
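The per-application partitioning described above, as an added example that is not part of this white paper and not Cybera's code: a small Python policy evaluator in which every application gets its own segment, cross-segment traffic is denied unless an explicit rule allows it, and repeated denied cross-segment attempts from one segment are surfaced as a monitoring signal. The segment names, address ranges, allow rules and flow records are constructed assumptions for illustration, not a real deployment.

```python
"""Per-application segmentation policy check.

Added example, not Cybera code: models a 'virtual application network' in which
every application has its own segment, cross-segment traffic is denied unless an
explicit rule allows it, and repeated denied cross-segment attempts are surfaced
as a monitoring signal. Segment names, address ranges, rules and flows below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed per-application segments (hypothetical addressing).
SEGMENTS = {
    "pos": ip_network("10.10.1.0/24"),         # POS devices, in PCI scope
    "payment-gw": ip_network("10.10.2.0/24"),  # payment gateway connector, in scope
    "loyalty": ip_network("10.10.3.0/24"),
    "corporate": ip_network("10.10.4.0/24"),
    "guest-wifi": ip_network("10.10.5.0/24"),
    "iot": ip_network("10.10.6.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str       # source segment name
    dst: str       # destination segment name
    dst_port: int  # TCP destination port
    note: str = ""


# Explicit allow list; any cross-segment flow not listed here is denied.
ALLOW = [
    Rule("pos", "payment-gw", 443, "card authorizations over TLS"),
    Rule("corporate", "loyalty", 443, "loyalty admin UI"),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Decision:
    action: str   # "allow" or "deny"
    src_seg: str
    dst_seg: str
    reason: str


def segment_of(ip: str) -> str:
    """Map an address to its application segment, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow, rules=ALLOW) -> Decision:
    """Default-deny policy: same-segment flows pass, cross-segment flows need a rule."""
    src_seg, dst_seg = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    if "unknown" in (src_seg, dst_seg):
        return Decision("deny", src_seg, dst_seg, "address not mapped to any segment")
    if src_seg == dst_seg:
        return Decision("allow", src_seg, dst_seg, "intra-segment")
    for r in rules:
        if (r.src, r.dst, r.dst_port) == (src_seg, dst_seg, flow.dst_port):
            return Decision("allow", src_seg, dst_seg, r.note)
    return Decision("deny", src_seg, dst_seg, "no cross-segment rule (default deny)")


def lateral_movement_report(flows, rules=ALLOW, threshold=3):
    """Count denied cross-segment attempts per source segment and return those
    at or above threshold: a crude signal that something in that segment is
    probing its neighbours."""
    denied = {}
    for f in flows:
        d = evaluate(f, rules)
        if d.action == "deny" and d.src_seg != d.dst_seg:
            denied[d.src_seg] = denied.get(d.src_seg, 0) + 1
    return {seg: n for seg, n in denied.items() if n >= threshold}


# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.2.5", 443),    # POS -> payment gateway: allowed by rule
    Flow("10.10.1.20", "10.10.1.21", 8080),  # POS -> POS: intra-segment, allowed
    Flow("10.10.3.7", "10.10.1.20", 445),    # loyalty -> POS over SMB: denied
    Flow("10.10.6.9", "10.10.1.20", 22),     # IoT -> POS over SSH: denied
    Flow("10.10.6.9", "10.10.1.21", 22),     # IoT -> POS over SSH: denied
    Flow("10.10.6.9", "10.10.2.5", 443),     # IoT -> payment gateway: denied, no rule
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = evaluate(f)
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port}  {d.action:5}  "
              f"{d.src_seg} -> {d.dst_seg}  ({d.reason})")
    print("segments with repeated denied cross-segment attempts:",
          lateral_movement_report(SAMPLE_FLOWS))
```

Note that the loyalty app's single SMB attempt against a POS device is blocked but stays below the reporting threshold, while the IoT segment's three attempts are reported; in a real deployment the same denied-flow records would feed the central monitoring discussed later in this paper.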
[Figure: a customer site running APP 1 through APP 4, each in its own virtual application network, connected over a wide area network with segmentation.] Cybera's cloud-managed SD-WAN Virtual Application Network (VAN) allows security policies to be enforced on a per-application basis, reducing the risk of lateral breach propagation across applications.

Encrypting data in flight and at rest

Sensitive data appears at many points in your network: from a POS card scanner, to mobile applications, to payment information entered on a web page, transmitted through your network and stored in various storage systems. As EMV (a technical standard for smart payment cards) gains wider adoption, counterfeit card fraud may be declining, but card-not-present fraud is surging. Every source, destination and path of sensitive data must be secured.

Managing user access to data

Multi-factor authentication (MFA) safeguards data access through a variety of verification methods while satisfying users' desire for simple logins. To ensure a scalable approach to policy configuration and enforcement across a multi-site deployment, a centralized cloud-based network solution should be employed that can automate consistent security standards, eliminate manual configuration errors and accelerate security updates across locations.

Employing multi-layered security

PCI standards recommend multiple security layers, including firewalls, encryption, malware protection and antivirus protection. This defense-in-depth strategy should be launched with granular security policies customized per application instead of applied to the entire network.

Sustainable, affordable deployment

Most retailers are looking for a sustainable PCI solution, i.e. an affordable, low-touch solution that achieves true application and network security. This is particularly important when securing networks prone to attack, such as those carrying cardholder data (CHD). Low-friction PCI compliance solutions free up retail IT budgets currently spent on maintenance, upgrades and integration for more strategic revenue initiatives that drive the customer experience.
Forward-thinking retailers who have few to no on-site IT staff and are seeking easy ways to enable PCI compliance for their networks are turning to secure, software-defined WAN (secure SD-WAN) solutions. Why is that?

Secure SD-WAN solutions accelerate secure business operations across multi-site businesses. By consolidating many security and network functions (e.g. VPN, firewall, intrusion detection, MFA) in a simple device that can be installed by on-site retail personnel with no IT/security training, retailers avoid both the capital and operational expenses of costly and difficult-to-maintain multi-device network solutions. With cloud-managed SD-WAN, security policies are configured and enforced centrally and can be automated to update all locations for a consistent, standardized security approach, maximizing system-wide adoption. Security updates are also automated so all locations receive them quickly and remotely, achieving the fast response times critical in a constantly evolving threat landscape. And finally, the software-defined nature of the solution allows it to work on top of existing networks as a virtualized software layer, preserving existing network investments while optimizing application security and performance.

Monitoring

Monitoring is an important enabler for sustained PCI compliance. Cybera includes continuous network monitoring as an essential component of the managed secure SD-WAN service. When emerging or resurging threats are detected in one part of the network, a response can eliminate that threat, and updates can be proactively propagated to the full network.

Scalability

Implementing these defense strategies can be daunting when working with a traditional VPN, which is complex and labor-intensive, and MPLS, which is costly and can take months to get up and running. These technologies can diminish time-to-market advantages and add unnecessary delays to your growth plans. The flexibility and scalability of a properly designed SD-WAN simplifies and automates this process to extend enterprise-grade multi-layered security to the edge of the network without requiring on-site IT and security professionals.
Beyond checklist PCI compliance

These elements come together to enable an affordable, secure, PCI-compliant infrastructure that your retail locations can deploy on their own broadband connections in minutes with absolutely no IT or security training. The benefits go beyond checklist PCI compliance solutions that may or may not be truly secure. The ease of use and high performance associated with an SD-WAN solution frees up time and dramatically reduces cost for franchisees/owners to channel budget and time toward innovation where it matters, in the core business, with customer-experience-enhancing initiatives such as unified commerce, mobile payments, guest Wi-Fi, beacons and other emerging technologies. And reduced TCO frees up the budget to pay for them.

To learn more about how SD-WAN can optimize your IT investment while freeing up budget for innovation, read more about how you can Make Your WAN Pay For Your Omnichannel Strategy.

PCI DSS at a Glance

Goal: Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a vulnerability management program
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications

Goal: Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Goal: Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Goal: Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel

CALL 1-866-4CYBERA  EMAIL solutions@cybera.net  VISIT www.cybera.com
Cybera Inc., 9009 Carothers Parkway, Suite C5, Franklin, TN 37067

2017 Cybera, Inc. All rights reserved. Cybera is a registered trademark of Cybera. WP-0006-0217-01

References
[1] Compliant vs. Secure panel, 2016 PCI Security Standards Council Conference, Las Vegas, NV
[2] Verizon 2016 Data Breach Investigations Report
[3] Ponemon Institute, Application Security in the Changing Risk Landscape, July 2016
[4] PCI Data Security Standard, December 2016