VERIFONE ENHANCED ZONE ROUTER

Transcription

1 VERIFONE ENHANCED ZONE ROUTER Security, remote management, and network connectivity offering more solutions for your c-store.

2 SUMMARY The Verifone Enhanced Router is designed for customers to implement a fully PCI DSS compliant solution and replaces the network security appliance previously supplied with Sapphire and Commander Petro products. Like the previous Verifone solution, the Enhanced Zone Router completely supports a single POS installation and is easily expandable to support additional devices. Time synchronization is maintained via NTP through the remote management connection for consistent event log timestamps. The Enhanced Zone Router is a managed service appliance that provides the following features: Port forwarding Intrusion Detection AES encryption X.509 certificates DER, PEM formats Dynamic IP address end-points Multiple subnet capability PCI DSS compliant Remote Helpdesk support utilizing 2- factor authentication The Enhanced Zone Router is a key security component for the overall POS architecture. BENEFITS The Enhanced Zone Router meets PCI 3.x requirements for remote multi-factor authentication (MFA) and provides segmentation of the POS LAN from the customer LAN to help reduce the scope of PCI DSS assessments. In situations where the site has no broadband access, the Enhanced Zone Router features a basic configuration User Interface only accessible within the POS LAN. 2 2

3 While maintaining the segmentation functions, the User Interface can also be used to configure IP addressing for installations that do not use DHCP configuration. This UI does not support console-level administrative functions like data inspection, port replication, etc. Remote management of the Enhanced Zone Router allows scalable solutions to meet specific customer requirements. The previous solution required changes through a software configuration utility. Because the Enhanced Zone Router is remotely managed, only the minimum allowable connectivity into and out of the POS LAN is enabled. As a remotely managed device the Enhanced Zone Router is kept updated with required security patches. The Verifone Enhanced Zone Router solution provides RFC5424 compliant logs which can be directed to a customer provided endpoint [SIEM]. Enhanced Zone Router configuration changes are logged and monitored. Using the site s broadband services, the Enhanced Zone Router establishes a secure connection for device management to Verifone s selected device management provider. It is pre-configured and supports DHCP to eliminate setting up port forwarding, and static IP addresses. With the Enhanced Zone Router in place, Verifone helpdesk traffic is controlled entirely by access to the Enhanced Zone Router datacenter endpoint. RSA Multi-factor authentication is configured per help desk agent to the managed network ensuring only authorized helpdesk personnel can access a site. No Verifone personnel have privileged access to the Enhanced Zone Router. Supplemental controls such as complex workstation passwords and session time outs enhance the security solution. THE SOLUTION Verifone has chosen industry leading network providers to deliver the new Enhanced Zone Router. The solution includes remote security and device patch management. With multimegabit throughput, the platform provides an extensible architecture designed to accommodate needs of today and for the future. 3 3

4 TODAY S DELIVERABLE In today s complex security environment, the Enhanced Zone Router provides an end to end, scalable managed and secure PCI compliant solution. PCI DSS v3.1 is challenging all Merchants with higher security standards. Verifone s Support Services fall within a merchant s PCI DSS requirements for third party service providers who interact with the cardholder data environment. As such Verifone seeks to enable the merchant s ability to meet these standards through the implementation of our Secure Remote Help Desk Services. Through a hardened methodology of securing connectivity with 2 factor authentication, access control of authorized agents, diligence in monitoring and alerting and working closely with a PCI qualified security Assessor (QSA) to provide documented evidence against applicable security requirements, Verifone provides its customers with a level of confidence not found in the industry. 4 4

5 VERIFONE PETRO SECURE REMOTE ACCESS SUPPORT 5 5

6 FACILITATING PCI COMPLIANT HELP DESK CONNECTION Petro Help Desk Agents with soft token Lan VFI Corp Domain VFI PCI Domain 2-Factor Login IPSEC/VPN Tunnel IPSEC/VPN Tunnel Secure Network Cloud Windows Terminal Server Bastion Host RSA Auth Request Secure connection management appliances RSA Admin Server w/ Tokens Verifone Logrhythm SIEM Managed through a custodial chain of command methodology, access to the secure network is either granted or revoked via use of an RSA MFA system. Each authorized Verifone Help Desk agent will be assigned a unique username and 2 factor soft token to authenticate with a Verifone Windows Terminal Server. Upon successful authentication, an IPsec VPN tunnel is established into the secure cloud. Terminal Server sessions help to insulate the customer network from Verifone s network. As an additional measure of security, each Help Desk Agent must be granted local store network access to the Verifone Commander via a software toggle located on the POS inside the store. 6 6

7 Once access is granted a Help Desk Agent will only be allowed to access Verifone POS devices for support and troubleshooting. No Verifone access is granted to the EZR or any other networking appliance on the store LAN; thus eliminating the ability to alter network configuration. Petro Help Desk Agents with soft token Lan VFI Corp Domain VFI PCI Domain 2-Factor Login IPSEC/VPN Tunnel Windows Terminal Server Bastion Host RSA Auth Request RSA Admin Server w/ Tokens Verifone Logrhythm SIEM In addition to access control security, Verifone has implemented access control logging, monitoring and alerting. Sessions are monitored from the start of the initial Terminal Server connection through disconnection from the secure network. PCI DSS compliant log data is processed and stored in Verifone s LogRhythm SIEM server. This data is analyzed in real-time and provides the security team the ability to alert and quickly act on any suspicious activity. All of the access and management servers are housed in a PCI compliant data center to further harden the security of the system. 7 7

8 FAQ 1. How do we perform our annual vulnerability and penetration tests as required by PCI? The Verifone Enhanced Zone Router is a network access device. With change management processes defined and implemented, execution of vulnerability and/or penetration tests can be accomplished. 2. How do I, as the merchant, monitor, log and audit the Verifone Zone Router for PCI DSS compliance? Utilizing industry-compliant RFC 5424 logging, the required information can be directed to a customer-provided endpoint [SIEM.] 3. Does the Enhanced Zone Router use a generic account for access and support? All access to generic accounts has been disabled. Only Verifone s authorized Petro client support organization has access to the secured network via the Verifone Zone Router. This scope is limited to only users assigned to support the client merchant environment and requires RSA 2-factor authentication to access the merchant network. 4. How are user accounts managed? User access governance is managed by RSA identity management system. This system is housed within Verifone s data center and managed in accordance to PCI-DSS requirements. 5. Does anyone with POS software programming capabilities have access to the Verifone Zone Router? No. For Tier 3 support purposes any developer needing access will be overseen by an authorized Petro client support organization representative to resolve customer issues. 8 8

9 6. Does a VASC/Technician have the ability to change, open/close ports on the Verifone Zone Router? A limited configuration functionality may be made available for a VASC. At install the initial registration and configuration are stored in the secure cloud. Any deltas post-install are tracked hourly and trigger alerts to security support for appropriate incident response procedures Verifone, Inc. All rights reserved. Verifone and the Verifone logo are either trademarks or registered trademarks of Verifone in the United States and/or other countries. All other trademarks or brand names are the properties of their respective holders. All features and specifications are subject to change without notice. Reproduction or posting of this document without prior Verifone approval is prohibited. 9 9