PCI Security Best Practices

Transcript: PCI Security Best Practices
PCI Industry Updates

- Level 1 Merchants Deadline is Sept 30, 2007 (GLOBAL)
- Level 2 Merchants Deadline is Dec 30, 2007 (US)
- Impact of non-compliance: $25,000 - $100,000 per month in fines, plus a reduction of one level in tier service, which means increased clearinghouse fees
- Merchants that achieve PCI compliance by Sept 30, 2008 AND showed committed progress by Sept 30, 2007 will be eligible for 3 months' repayment of fines and service increases
- Acquiring Banks will be fined $25k for EVERY PCI non-compliant client
- Universities are publicized for security breach incidents, including stolen credit card information (http://www.attrition.org/dataloss)
- US States are now passing/proposing credit card security laws: Minnesota, California, Connecticut, Illinois
PCI Compliance Validation

Level  Population  PCI DSS Compliance  Initial Validation     Initial Validation  Commitment
                   Validated           Submitted/Remediating  Pending             in Progress
1      327         44%                 54%                    2%                  0%
2      729         38%                 44%                    18%                 0%
3      2494        54%                 20%                    24%                 2%

Level 1 merchants required to validate by 9/30/07
Level 2 merchants required to validate by 12/30/07
98% of Level 1 and 2 merchants confirm they do not store prohibited data.

Source: Visa website
http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf?it=c|/merchants/risk_management/cisp_merchants.html|Merchant%20PCI%20DSS%20Compliance%20Update
How To Apply Security Best Practices to PCI

PCI Scope May Include More Network Areas Than You Think

[Network diagram. Zones: Remote Location, Internet Edge, Main Office, Network Mgmt Center, Data Center. Components shown: Mobile POS, POS Cash Register, POS Server, Store Worker PC, Wireless device, WAP, ISR, Catalyst switch, 6500 switch, 7200/7300, ASA, 6500/7600 FWSM, ACS, CSM, NAC, NCM/CAS, CS-MARS, E-commerce, Credit card storage, CSA (Cisco Security Agent) on hosts.]

Callouts on the diagram:
- Book stores, box office, satellite campus: any remote site that takes credit cards on your network
- On-line payments of any kind that go across your network (classes, tickets, etc.)
- Who has access to cardholder information on the LAN? This is part of PCI
- Do you store cardholder data in your data center(s)?
Three Architecture Footprints: Small, Medium, Large
The PCI Data Security Standard

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Requirement 1: Install and maintain a firewall configuration to protect data

[Reference architecture diagram: Remote Location, Internet Edge, Main Office, Network Mgmt Center, Data Center, with the same components as the PCI scope diagram above. This slide additionally labels a POS VLAN, a Card VLAN and a Data VLAN behind the ASA and 6500/7600 FWSM firewalls.]
Requirement 2: Do not use vendor-supplied defaults for system settings

[Reference architecture diagram as above; no additional text on this slide.]
Requirement 3: Protect Stored Data

[Reference architecture diagram as above. This slide additionally labels Cisco Security Agent (CSA) at the point of sale and Disk Encryption at the credit card storage in the data center.]
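Requirement 3 and the compliance slide's "do not store prohibited data" point both come down to knowing where primary account numbers (PANs) actually sit in logs, exports and databases. The Python below is an added example, not part of this deck or of any Cisco product: it finds digit runs of card-number length, keeps only those that pass the Luhn check so order IDs and timestamps are not flagged, and masks them to the first six and last four digits. The sample export lines and the function names are constructed for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """True if the digit string passes the Luhn (mod 10) check most card brands use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_line(line):
    """Mask every Luhn-valid PAN in a line; return (masked_line, number_masked)."""
    count = 0
    def repl(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # order IDs and other digit runs are left untouched
        count += 1
        return mask_pan(digits)
    return PAN_CANDIDATE.sub(repl, line), count

def scan_export(lines):
    """Run redact_line over an export; return (masked_lines, total_pans_found)."""
    masked, total = [], 0
    for line in lines:
        new_line, n = redact_line(line)
        masked.append(new_line)
        total += n
    return masked, total

# Constructed sample export (hypothetical); the card numbers are public test numbers.
SAMPLE_LINES = [
    "order=1234567890123456 card=4111111111111111 amount=42.00",
    "customer note: paid with 5555 5555 5555 4444 at box office",
    "order=1234567890123457 card=4111111111111112 amount=10.00",
]

if __name__ == "__main__":
    print(scan_export(SAMPLE_LINES))
```

The third sample line is left unchanged because neither digit run passes Luhn, which is the check that keeps a scan like this from drowning in false positives on a real export.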
Requirement 4: Encrypt transmission of cardholder data across public networks

[Reference architecture diagram as above; no additional text on this slide.]
Requirement 5: Use and regularly update anti-virus software

[Reference architecture diagram as above; Cisco Security Agent (CSA) is shown on the POS, store worker, E-commerce and credit card storage hosts.]
Requirement 6: Develop and maintain secure systems and applications

[Reference architecture diagram as above; no additional text on this slide.]
Requirement 7: Restrict access to data by business need-to-know

[Reference architecture diagram as above; no additional text on this slide.]
Requirement 8: Assign a unique ID to each person with computer access

[Reference architecture diagram as above; no additional text on this slide.]
Requirement 9: Restrict Physical Access

[Reference architecture diagram as above; no additional text on this slide.]
Requirement 10: Track and monitor all access to network and cardholder data

[Reference architecture diagram as above; no additional text on this slide.]
Requirement 11: Regularly test security systems and processes

[Reference architecture diagram as above; no additional text on this slide.]
Requirement 12: Maintain a policy that addresses information security

[Reference architecture diagram as above; no additional text on this slide.]
Cisco Security Best Practices for PCI

[Summary diagram placing the twelve PCI requirements onto the reference architecture (Remote Location, Internet Edge, Main Office, Network Mgmt Center, Data Center). Components shown: Cisco Security Agent (CSA) on the POS Terminal, Store Worker PC, POS Server, E-commerce and Credit card storage hosts; NAC; 7300 router; 1200 WAP; switch; Wireless device; Cisco Security Management (CSM); CS-MARS; ASA 5500; ACS; Integrated Services Router (ISR); ASA at the Internet edge; 6500 switch; 6500/7600 FWSM. Labels Requirement 1 through Requirement 12 are placed on the diagram.]
PCI -> HIPAA with the same Security Best Practices...

[Diagram applying the same security components to a healthcare network. Zones: Data Center, Clinic, WAN, Network Management Center, Campus, Internet Edge/DMZ, Remote Clinician. Components shown: ePHI Storage Server, CSA, 6500, 7300, 3750, ISR, CS-MARS, CSM, ASA, ACS, CSD, NCM/CAS, NAC. Labels Category 1 through Category 8 are placed on the diagram.]