Give Vendors Access to the Data They Need NOT Access to Your Network


Acumera AirGap Architecture

By the year 2020, just five years from now, it is estimated that 25 billion devices will be connected to the Internet of Things. While each of these "Things" transmits valuable data and information that can help businesses reduce costs, improve operations and enhance marketing programs, they also introduce new security challenges to the C-store environment.

One important Thing found in many C-stores is an Automated Tank Gauge (ATG). It gathers and provides operational data such as inventory levels to enable better, more accurate business and operational decisions. Another important Thing that provides key operational functions is the Point of Sale (POS) system.

In order for vendors and stakeholders to access and utilize the data generated by the devices and equipment in C-stores, these Things need to be connected to the Internet. Once the devices are connected, vendors can remotely manage their devices and gather the information they need to do their jobs. However, giving vendors access to devices that are connected to a C-store's network can quickly open the door to malicious activity.

Even large, highly sophisticated retailers have proven vulnerable to breaches associated with connecting devices to the Internet of Things. One of the important things many of the highest-profile network security breaches have in common is that intruders gained access to the retailers' networks through security holes in their vendors' networks. According to KrebsOnSecurity.com, some of the largest retail breaches over the past year started with a hacked vendor.
In several cases, thieves used a vendor's username and password to enter the network and remotely access the company's point-of-sale devices, opening the door to the theft of credit card numbers and other personal information from millions of customers. Even though many of the retailers were certified to be compliant with the Payment Card Industry Data Security Standard (PCI DSS), they were not immune to this type of threat. So, how can this type of vulnerability be mitigated?

By: Tom Yemington, Vice President of Sales and Marketing

Be PCI Compliant AND Be Secure

It is important to understand that PCI compliance is only part of the security equation. The PCI Data Security Standard provides an actionable framework for developing a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. Unfortunately, because threats are continuously evolving and compliance is evaluated periodically, not continuously, compliance doesn't necessarily equate to security.

PCI Compliance

PCI compliance is evaluated on an annual basis, with different levels of requirements according to the volume of credit card transactions processed by a merchant each year. However, a vulnerability scan or PCI DSS assessment is only a snapshot in time. Security efforts are non-stop and must get stronger every day, which is why PCI DSS compliance efforts must be a continuous process of assessment and remediation to ensure the safety of cardholder data.

Network Security Best Practices

Beyond rigorously maintaining PCI compliance, Acumera recommends C-stores follow network security best practices to protect themselves against security breaches, including:

1. AGGRESSIVELY SEGMENT YOUR NETWORK

Many merchants are already aware of the benefits of segmentation, or putting different components in different network segments. As a baseline, isolate the part of a network that contains cardholder data and put it in a separate network segment, so that even if other areas of the network are compromised, it does not impact the security of the cardholder data in the network. In light of the recent, highly publicized network breaches that exposed millions of people's credit card data, one large regional C-store operator now has a network segment for each vendor. There is even a segment named HVAC in each of their stores. Network segmentation can be achieved through a number of means, such as properly configured internal network firewalls, routers with strong access control lists, segmenting network switches, or other technologies that restrict access to a particular segment of a network.
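To make the segmentation baseline concrete, here is an added example (not Acumera's code or any product's configuration) that expresses a per-vendor allowlist as data and checks it the way a segmenting firewall or router ACL would, including a blast-radius query for "what can a compromised HVAC host reach?". The segment names, the RFC 5737 documentation address ranges, the port numbers and the vendor names are all assumptions constructed for the example.

```python
"""Segmentation policy as data, with a reachability check: constructed example.

Added illustration, not Acumera's code. It models the allowlist a segmenting
firewall or router ACL enforces between store segments so the policy can be
unit-tested before it is pushed to devices. Segment names, address ranges,
ports and vendor names are assumptions made up for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set

# One segment per function and one per vendor; the cardholder data
# environment (CDE) holds the POS terminals and nothing else.
SEGMENTS = {
    "CDE": ipaddress.ip_network("10.10.1.0/24"),            # POS terminals
    "ATG": ipaddress.ip_network("10.10.2.0/24"),            # automated tank gauge
    "HVAC": ipaddress.ip_network("10.10.3.0/24"),           # building controls
    "MGMT": ipaddress.ip_network("10.10.9.0/24"),           # store gateway management
    "VENDOR_POS": ipaddress.ip_network("192.0.2.0/24"),     # POS support vendor (doc range)
    "VENDOR_ATG": ipaddress.ip_network("198.51.100.0/24"),  # tank-gauge vendor (doc range)
}


@dataclass(frozen=True)
class Rule:
    src: str               # source segment name
    dst: str               # destination segment name
    dport: Optional[int]   # TCP/UDP destination port, None = any port
    action: str            # "allow" or "deny"


# First match wins; a flow that matches nothing is denied (default deny).
# Each vendor is allowed into exactly one segment on exactly one port.
RULES = [
    Rule("VENDOR_POS", "CDE", 443, "allow"),
    Rule("VENDOR_ATG", "ATG", 10001, "allow"),
    Rule("MGMT", "CDE", 22, "allow"),
    Rule("MGMT", "ATG", 22, "allow"),
    Rule("MGMT", "HVAC", 22, "allow"),
]


def segment_of(ip: str) -> Optional[str]:
    """Map an address to the segment whose range contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide a single inter-segment flow the way the segment firewall would."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny"          # unknown address: not in any segment
    if src == dst:
        return "allow"         # intra-segment traffic stays inside the switch
    for rule in RULES:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action
    return "deny"


def reachable_from(segment: str) -> Dict[str, Set[Optional[int]]]:
    """Blast radius: the segments (and ports) a compromised host in `segment`
    could reach through the policy. Empty dict means the segment is contained.
    Assumes the list holds no deny rule that shadows a later allow."""
    reach: Dict[str, Set[Optional[int]]] = {}
    for rule in RULES:
        if rule.src == segment and rule.action == "allow":
            reach.setdefault(rule.dst, set()).add(rule.dport)
    return reach


if __name__ == "__main__":
    # Constructed flows: the HVAC segment must never reach the POS.
    print(evaluate("10.10.3.5", "10.10.1.7", 443))    # deny
    print(evaluate("192.0.2.10", "10.10.1.7", 443))   # allow
    print(evaluate("192.0.2.10", "10.10.1.7", 22))    # deny
    print(reachable_from("HVAC"))                     # {}
    print(reachable_from("VENDOR_POS"))               # {'CDE': {443}}
```

The check most worth keeping as a standing test is that reachable_from on every vendor segment returns only that vendor's own device segment, and that segments such as HVAC return nothing at all; a rule change that widens either result is exactly the kind of drift the policies-and-procedures practice below is meant to catch.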
Many merchants have been reluctant to segment their in-store networks because of a belief that segmentation is difficult, complex, or expensive, but there are many simple, cost-effective options available today.

2. CONDUCT EXTENSIVE PENETRATION TESTING

Internal and external penetration testing is required for all merchants, regardless of size, according to the PCI DSS. The objective of penetration testing is to identify areas of potential weakness in an environment by simulating the methods performed by an attacker. Don't just do the minimum of testing penetration from the outside or inter-segment penetration: come up with new and creative ingress paths to test, such as trying to reach sensitive data from a user account that is specifically denied access to that data. Because penetration testing is a manual process, it can be expensive, especially if there are many different or non-standard store configurations to be penetration-tested. So, the new pen-test requirement is a big motivation for merchants to do something that is a good idea anyway: to standardize the configuration across multiple stores. This requirement, as well as the recent highly publicized breaches of networks that did not employ good segmentation and isolation techniques, is motivating progressive merchants not only to segment their networks, but also to eliminate as many persistent connections to vendors as possible.

Conduct penetration testing on your network before someone else does.

3. DEVELOP AND MAINTAIN CONSISTENT POLICIES AND PROCEDURES

It is important that security practices and policies be developed and maintained throughout the year, not just for the purposes of PCI compliance. Continuously maintain dataflow diagrams and network inventories to ensure no part of an environment is overlooked and becomes a breach vector, especially as changes are made over time. Create specific access rules and user guidelines to prevent outside personnel from unintentionally becoming the source of a breach. Keep internal users informed about potential threats and trends, such as social hacks, which leverage impersonation or manipulation tactics to gain access. Implementing a disciplined system of change management that tracks modification of devices, connections and users strengthens and preserves the integrity of information security.

4. USE TWO-FACTOR AUTHENTICATION AND REQUIRE YOUR VENDORS TO USE TWO-FACTOR AUTHENTICATION

According to the Verizon 2014 Data Breach Investigations Report, "Stronger passwords would cut out a huge chunk of the problem, but larger organizations should also consider multiple factors to authenticate third-party and internal users." The use of two-factor authentication has two primary benefits. First, it blunts brute-force password guessing and dictionary attacks (looking for simple passwords that are in lists of passwords stolen in previous breaches), which are increasingly common. Second, two-factor authentication reduces the threat posed by phishing and social hacks (where a user is tricked into disclosing their credentials), because second-factor techniques depend on something you have, such as a mobile phone or authentication token, that isn't easily stolen, replicated, or transferred even if a password has been electronically stolen.

5. DE-VALUE YOUR DATA

Encrypting data reduces the value of your data to cyber-criminals. If they can't sell it, they are less likely to want to steal it. Sections 3 and 4 of the PCI DSS give clear requirements regarding using encryption to protect stored and transmitted cardholder data. Why not apply these same standards to other sensitive or proprietary data?
- Use the strongest encryption methods available to encrypt data
- Have and enforce robust policy procedures for cryptographic key access and management

6. LIMIT NETWORK ACCESS GRANTED TO VENDORS AND SERVICE PROVIDERS

It is important to keep in mind that your network security is only as strong as your weakest measure. Your company carefully selects vendors and service providers to maximize the value those partners provide. In today's environment it would be nearly impossible to develop all hardware and services in house.

QUICK REFERENCE: Network Security Best Practices
1. Aggressively segment your network
2. Conduct extensive penetration testing
3. Develop and maintain consistent policies and procedures
4. Use two-factor authentication and require your vendors to use two-factor authentication
5. De-value your data
6. Limit network access granted to vendors and service providers

Imagine running a large C-store chain with no accounting system, fuel inventory management system, or POS hardware and support. Even if you have mostly internal/proprietary systems, vendors and stakeholders are going to be most valuable when they have access to, and can get the data generated by, the devices and equipment in C-stores; these Things need to be connected to the Internet. But you can't possibly manage your vendors' security or their adherence to the best practices outlined above unless you strictly reduce their access to unnecessary parts of your network.

Isolate Your Store Network

In network security, an air gap is the idea that a secure network is safest from attack when it is physically separate and isolated from unsecure networks. Having absolutely no connection is the maximum level of protection between two or more systems. Essentially, an air gap creates a closed system for highly sensitive information or equipment, so that it is completely inaccessible to outside threats. Military and government systems and networks with sensitive data are often air-gapped. Other examples include financial and banking systems such as stock exchanges, nuclear power plant controls, computerized medical equipment, and flight and aircraft control systems.

Minimize third-party access

One of the major benefits of creating an air gap in a network is to prevent direct network access by outside sources that may be trusted to do business with a company, but are not necessarily trustworthy when it comes to network security. Many third-party vendors aren't required to follow the same stringent security policies as retailers because, on the surface, they aren't dealing directly with sensitive information, such as credit card or social security numbers. However, if a vendor has direct access to any device that is operating on your network, your network (and the sensitive information on it) can become vulnerable to an attack made on that vendor.

Ask all of your vendors about their security and compliance practices to get a better understanding of the potential risks to your network.

Avoid Persistent Connections

Another benefit of creating an isolated network is that it limits the threat surface that must be monitored for attacks and intrusion. A persistent connection to your network creates a larger and quite likely unknowable scope for attack. In addition, persistent connections leave the door open to potential intruders around the clock. By enabling and allowing access only when it is required, you reduce the time during which the network is vulnerable to attack.

Questions to Ask Your Vendors and Service Providers
- Are your services PCI DSS compliant?
- What do you do to protect your systems from malware and other security breaches?
- How often do you check your systems for malicious activity?
- Do you access my infrastructure over the network connections that you use for other C-store operators/competitors?
- Is it necessary to have a persistent connection to my sites to provide systems support/business intelligence?
- What are you doing to limit the time of support or data transfer connections?
- What are you doing to validate that only authorized employees from your company are accessing my data or my systems?
- Are you using strong passwords and two-factor authentication, and logging support and access events?
- Do you really need access to my network at all, or do you just need data from the site?

The Acumera AirGap Architecture

The more isolated a network is, the more secure it is. On the other hand, the more isolated a network, the less useful the data and Things connected to it. In practice, a completely air-gapped solution is impractical, so Acumera developed a highly secure system for providing access to data while virtually eliminating persistent access. The Acumera AirGap Architecture provides the benefits of an isolated network while getting vendors and service providers the data and access they need to help you run your business.

[Figure: Acumera AirGap Architecture. Vendor systems (PDI, WEX, Telapoint, Intellifuel) on one side and store "Things" (POS, MG) on the other, connected through the Internet.]

Acumera AirGap Architecture: How It Works

The Acumera AirGap Architecture enables in-store devices to communicate and share data with analysts, operations professionals and third-party service providers, without giving third parties access to the store's network. Instead, valuable information from devices, such as automatic tank gauges, is collected and sent to a secure location in the cloud, where it can then be picked up, used and stored by the vendor. Unlike the traditional model, the Acumera AirGap Architecture does not create a linear, persistent connection between in-store devices and third parties, keeping the store network and sensitive customer information (such as cardholder data) isolated from potential breaches. This highly secure design reduces the scope of requirements for PCI compliance and mitigates the threat of C-stores falling victim to the types of breaches that are affecting major retail chains today. Convenience stores can give vendors access to the data they need and reap the benefits of being connected to the Internet of Things, without sacrificing network security and customer information.

The Acumera AirGap Architecture Minimizes Persistent Connections

Acumera uses the AirGap architecture for our own management systems.
Acumera has no persistent access to the Acumera Merchant Gateways (MGs) at our customer sites, inverting the typical network monitoring model for enhanced security and reliability. Frequently, network monitoring tools use SNMP, ping, or some other tool to centrally check remote network device status, which creates network traffic and potential vulnerabilities. So, Acumera flips the flow of site data so that the site initiates contact. The Acumera MG frequently checks the status of connected site systems and pushes site status to secure cloud storage. The site status and enterprise reports can be displayed in a browser without any direct connection to the site. Only when Acumera's network operations group needs to check an Acumera MG or upgrade MG firmware does Acumera make a direct, limited-time connection to the Acumera MG. The access and changes are logged in a PCI-compliant fashion, and access is terminated when the support or upgrade is complete.

Acumera's Apps for Your Network services and Acumera management tools can help satisfy PCI DSS controls with respect to minimizing persistent connections:
- Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
- Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

(Sidebar: Secure Networks; AcuVigil Dashboard, Visibility and Management; Merchant Gateway, Reliable Operational Data; Apps for Your Network Services)

When it is absolutely necessary to allow vendors direct access to store networks, such as when a POS vendor needs to access a POS to provide updates or support, Acumera Apps for Your Network services and Acumera management tools have controls that require administrators to actively grant access. To reduce and minimize the vulnerability, access is automatically cut off after a specific time period and access must be re-granted.

Summary

From maintaining PCI compliance to keeping up with best practices, such as segmentation, penetration testing and security policies and procedures, there's a lot to consider when it comes to network security. It is important not to overlook the role that vendors and service providers play in your security equation. Protect your business by avoiding the use of persistent connections and isolating your network from vendor access. In the end, you will not only preserve your reputation, you will keep your customers' data out of harm's way.
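The two controls above, grant only when needed and cut off automatically, can be modelled in a few dozen lines. The following is an added example, not Acumera's management tools or any product's code: a vendor-access broker that is default-deny, requires an administrator to create each time-boxed grant, expires the grant on its own, and records every decision so the log can be reviewed afterwards. The vendor, device and administrator names, the 15-minute session and the fake clock are all constructed for the example.

```python
"""Time-boxed vendor access broker: constructed example, not Acumera's code.

Models the control described above: a vendor session exists only after an
administrator grants it, it expires on its own, it must be re-granted, and
every decision is logged. Names, durations and the clock are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Grant:
    vendor: str
    target: str            # device or segment the vendor may reach (constructed)
    granted_by: str        # administrator who approved the session
    granted_at: float
    expires_at: float
    revoked_at: Optional[float] = None


class VendorAccessBroker:
    """Default-deny: no entry in `grants` means no access at all."""

    def __init__(self, max_duration: int = 3600,
                 clock: Callable[[], float] = time.time):
        self.max_duration = max_duration      # hard cap on any single session
        self.clock = clock                    # injectable for deterministic tests
        self.grants: Dict[Tuple[str, str], Grant] = {}
        self.log: List[dict] = []             # append-only audit trail

    def _log(self, event: str, **fields) -> None:
        self.log.append({"ts": self.clock(), "event": event, **fields})

    def grant(self, vendor: str, target: str, admin: str, duration: int) -> Grant:
        """An administrator actively opens a session; it cannot outlive the cap."""
        if not 0 < duration <= self.max_duration:
            raise ValueError(f"duration must be 1..{self.max_duration} seconds")
        now = self.clock()
        g = Grant(vendor, target, admin, now, now + duration)
        self.grants[(vendor, target)] = g
        self._log("grant", vendor=vendor, target=target, by=admin,
                  expires_at=g.expires_at)
        return g

    def revoke(self, vendor: str, target: str, admin: str) -> None:
        """Immediate deactivation when the support task finishes early."""
        g = self.grants.pop((vendor, target), None)
        if g is not None:
            g.revoked_at = self.clock()
            self._log("revoke", vendor=vendor, target=target, by=admin)

    def is_allowed(self, vendor: str, target: str) -> bool:
        """Checked on every connection attempt; expiry is enforced here, so
        no background job is needed for the automatic cut-off."""
        g = self.grants.get((vendor, target))
        if g is None:
            self._log("deny", vendor=vendor, target=target, reason="no grant")
            return False
        now = self.clock()
        if now >= g.expires_at:
            del self.grants[(vendor, target)]   # must be re-granted from here on
            self._log("expire", vendor=vendor, target=target)
            return False
        self._log("allow", vendor=vendor, target=target,
                  remaining=int(g.expires_at - now))
        return True

    def active_grants(self) -> List[Grant]:
        now = self.clock()
        return [g for g in self.grants.values() if now < g.expires_at]


def demo() -> List[str]:
    """Walk one POS-vendor session through deny, grant, use and expiry with a
    fake clock; returns the sequence of logged events."""
    t = [1_000_000.0]                                    # constructed clock
    broker = VendorAccessBroker(max_duration=3600, clock=lambda: t[0])
    broker.is_allowed("pos-vendor", "POS-01")            # deny: nothing granted
    broker.grant("pos-vendor", "POS-01", admin="store-it", duration=900)
    t[0] += 100
    broker.is_allowed("pos-vendor", "POS-01")            # allow: inside window
    t[0] += 900
    broker.is_allowed("pos-vendor", "POS-01")            # expire: cut off
    broker.is_allowed("pos-vendor", "POS-01")            # deny: must re-grant
    return [entry["event"] for entry in broker.log]


if __name__ == "__main__":
    print(demo())   # ['deny', 'grant', 'allow', 'expire', 'deny']
```

The audit log is the part to keep when adapting this: each entry names the vendor, the target and the approving administrator, which is what an assessor asks for when checking that remote-access technologies were activated only when needed and deactivated afterwards.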
About Acumera

Founded in 2002, Acumera provides Trusted Connection Services to multisite merchants, specializing in the reduction of headaches caused by network management and security issues. Customers are free to focus on running their businesses because Acumera actively manages their networks and provides unparalleled visibility and remote management capability. Acumera gets customers' stores, network clients and devices securely connected and keeps them connected. In addition to network status, merchants have real-time insight into key operational measures, such as fuel inventory levels and environmental and food safety temperatures. As a result, Acumera customers say they love their network.

Further Reading
- Verifone Data Breach Investigations Report
- Payment Card Industry Digital Security Standard (Version 3.0)

Critical Services for Convenience Stores
- Broadband Qualification, Provisioning & Support
- Secure Network Development & Management
- Network/Device Monitoring & Alert Messaging
- Apps for C-store Operations (ATG, Temperature Monitoring, etc.)
- Virtual Private Network Management
- PCI Tools & Support

Whitepapers Available from Acumera
- Improving C-Store Operations with Network Automation
- A New Era of Security in Convenience Stores
- Advantages and Benefits of Running PDI/Enterprise on an Acumera Managed Network
- Improving Store Support and Revenue with Proactive Support Methodology
- Business Considerations for Leveraging Wi-Fi at C-Stores
- Technical Considerations for Implementing Wi-Fi in C-Stores
- Getting Your C-Store Connected
- Improving Network Uptime

PCI-DSS Compliance Support

Our goal is to reduce the headaches our customers experience maintaining their Payment Card Industry Data Security Standard (PCI DSS) compliance. To that end, we are constantly improving our systems and services to provide the most secure networks and to support our customers' compliance audits. Acumera is a fully PCI compliant service provider, which means we have taken the steps to complete our own PCI compliance assessment and obtain an annual Report on Compliance (ROC). Acumera is fully compliant with ALL applicable requirements and controls. Uniquely, we won't promote that our compliance will ensure our customers' compliance, because it can't. There is no 3rd party service that completely removes merchant responsibility for PCI DSS compliance.

Tom Yemington, Vice President of Sales and Marketing
Nick Franco, Senior Director of Sales, (512)
Dennis Jensen, Senior Director of Sales, (952)


More information

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard The Impact of Wireless LAN Technology on to the PCI Data Security Standard 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Wireless LANs and PCI Retailers today use computers

More information

Security Management. Keeping the IT Security Administrator Busy

Security Management. Keeping the IT Security Administrator Busy Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching

More information

PCI DSS 3.1 and the Impact on Wi-Fi Security

PCI DSS 3.1 and the Impact on Wi-Fi Security PCI DSS 3.1 and the Impact on Wi-Fi Security 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2015 AirTight Networks, Inc. All rights reserved. Table of Contents PCI

More information

Overcoming PCI Compliance Challenges

Overcoming PCI Compliance Challenges Overcoming PCI Compliance Challenges Randy Rosenbaum - Security Services Exec. Alert Logic, CPISM Brian Anderson - Product Manager, Security Services, SunGard AS www.sungardas.com Goal: Understand the

More information

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, 2015. One Connection - A World of Opportunities

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, 2015. One Connection - A World of Opportunities One Connection - A World of Opportunities Security Tiffany Trent-Abram VP, Global Product Management November 6 th, 2015 2015 TNS Inc. All Rights Reserved. Bringing Global Credibility and History TNS Specializes

More information

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda 2010 Finance & Business Operations Symposium (FBOS) PCI Compliance Cort M. Kane COO, designdata Judy Durham CFO, NPES Kymberly Bonzelaar, Sr. VP Capital One Richard Eggleston, Sr. Project Director, TMAR

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

A Simple Guide to Successful. Penetration Testing

A Simple Guide to Successful. Penetration Testing A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

DataStealth and your PCI-DSS audit

DataStealth and your PCI-DSS audit Because Intruders Cannot Steal What Is Not There DataStealth and your PCI-DSS audit Datex Inc. 2333 North Sheridan Way Suite 200 Mississauga ON L5K 1A7 +1-855-55-DATEX www.datexdatastealth.com Executive

More information

Five PCI Security Deficiencies of Retail Merchants and Restaurants

Five PCI Security Deficiencies of Retail Merchants and Restaurants Whitepaper January 2010 Five PCI Security Deficiencies of Retail Merchants and Restaurants The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations by Brad Cyprus, SSCP - Senior Security Architect,

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

The PCI Dilemma. COPYRIGHT 2009. TecForte

The PCI Dilemma. COPYRIGHT 2009. TecForte The PCI Dilemma Today, all service providers and retailers that process, store or transmit cardholder data have a legislated responsibility to protect that data. As such, they must comply with a diverse

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

PCI Self-Assessment: PCI DSS 3.0

PCI Self-Assessment: PCI DSS 3.0 PCI Self-Assessment: PCI DSS 3.0 Achieving PCI DSS 3.0 Compliance with our PCI Self-Assessment tool (Author: Heinrich Van Der Westhuizen, Director) Requirement PCI DSS update Purpose/need Addressed 1 Have

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.

Compliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2. ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework

More information

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Five PCI Security Deficiencies of Restaurants

Five PCI Security Deficiencies of Restaurants Whitepaper The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus- Senior Security Architect, Vendor Safe 2011 7324 Southwest Freeway, Suite 1700, Houston, TX 77074

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements

Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Securing Wireless Networks for PCI Compliance Using Fortinet s Secure WLAN Solution to Meet Regulatory Requirements Introduction In the wake of many well-documented data breaches, standards such as the

More information

Presented by Evan Sylvester, CISSP

Presented by Evan Sylvester, CISSP Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com

PCI DSS Overview and Solutions. Anwar McEntee Anwar_McEntee@rapid7.com PCI DSS Overview and Solutions Anwar McEntee Anwar_McEntee@rapid7.com Agenda Threat environment and risk PCI DSS overview Who we are Solutions and where we can help Market presence High Profile Hacks in

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure. Payment Card Industry Security Standards Over the past years, a series of new rules and regulations regarding consumer safety and identify theft have been enacted by both the government and the PCI Security

More information

What is Penetration Testing?

What is Penetration Testing? White Paper What is Penetration Testing? An Introduction for IT Managers What Is Penetration Testing? Penetration testing is the process of identifying security gaps in your IT infrastructure by mimicking

More information

Five PCI Security Deficiencies of Restaurants

Five PCI Security Deficiencies of Restaurants WHITE PAPER Five PCI Security Deficiencies of Restaurants Five PCI Security Deficiencies of Restaurants The Most Common PCI Compliance Mistakes of Brick-and-Mortar Locations By Bradley K. Cyprus - Chief

More information

Miami University. Payment Card Data Security Policy

Miami University. Payment Card Data Security Policy Miami University Payment Card Data Security Policy IT Policy IT Standard IT Guideline IT Procedure IT Informative Issued by: IT Services SCOPE: This policy covers all units within Miami University that

More information

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Breach Findings for Large Merchants 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security Disclaimer The information or recommendations contained herein are

More information

Target Security Breach

Target Security Breach Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected

More information

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009 Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods

More information

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance

Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Payment Security White Paper Protecting Cardholder Data Throughout Your Enterprise While Reducing the Costs of PCI Compliance Breaches happen across all industries as thieves look for vulnerabilities.

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00 PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)

More information

DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA

DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, TRANSMITS

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

MITIGATING SECURITY RISKS AT THE NETWORK S EDGE

MITIGATING SECURITY RISKS AT THE NETWORK S EDGE MITIGATING SECURITY RISKS AT THE NETWORK S EDGE Best Practices for Distributed Enterprises Every year, the public relations specialists from at least one bluechip company invariably find themselves working

More information

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...

More information

Data Security for the Hospitality

Data Security for the Hospitality M&T Bank and SecurityMetrics Present: Data Security for the Hospitality Industry Featuring Lee Pierce, SecurityMetricsStrategicStrategic Accounts Dave Ellis, SecurityMetrics Forensic Investigator Doug

More information

You Can Survive a PCI-DSS Assessment

You Can Survive a PCI-DSS Assessment WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the

More information

Welcome to the Protecting Your Identity. Training Module

Welcome to the Protecting Your Identity. Training Module Welcome to the Training Module 1 Introduction Does loss of control over your online identities bother you? 2 Objective By the end of this module, you will be able to: Identify the challenges in protecting

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

Closing Wireless Loopholes for PCI Compliance and Security

Closing Wireless Loopholes for PCI Compliance and Security Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

How to complete the Secure Internet Site Declaration (SISD) form

How to complete the Secure Internet Site Declaration (SISD) form 1 How to complete the Secure Internet Site Declaration (SISD) form The following instructions are designed to assist you in completing the SISD form that forms part of your Merchant application. Once completed,

More information

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is 1 2 This slide shows the areas where TCG is developing standards. Each image corresponds to a TCG work group. In order to understand Trusted Network Connect, it s best to look at it in context with the

More information

Time Is Not On Our Side!

Time Is Not On Our Side! An audit sets the baseline. Restricting The next steps Authenticating help prevent, Tracking detect, and User Access? respond. It is rare for a few days to pass without news of a security breach affecting

More information