Credit Card Secure Architecture for Interactive Voice Response (IVR) Applications



Similar documents
PCI Requirements Coverage Summary Table

Enforcing PCI Data Security Standard Compliance

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

PCI Requirements Coverage Summary Table

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Achieving PCI-Compliance through Cyberoam

PCI v2.0 Compliance for Wireless LAN

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

Josiah Wilkinson Internal Security Assessor. Nationwide

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

PCI DATA SECURITY STANDARD OVERVIEW

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

How To Achieve Pca Compliance With Redhat Enterprise Linux

74% 96 Action Items. Compliance

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

Network Segmentation

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

LogRhythm and PCI Compliance

Becoming PCI Compliant

You Can Survive a PCI-DSS Assessment

SonicWALL PCI 1.1 Implementation Guide

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

How Reflection Software Facilitates PCI DSS Compliance

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

PCI COMPLIANCE GUIDE For Merchants and Service Members

Automate PCI Compliance Monitoring, Investigation & Reporting

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

Project Title slide Project: PCI. Are You At Risk?

Payment Card Industry Self-Assessment Questionnaire

GFI White Paper PCI-DSS compliance and GFI Software products

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Managing Enterprise Security with Cisco Security Manager

How To Protect Your Data From Being Stolen

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard

SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

March

Teleran PCI Customer Case Study

How To Comply With The Pci Ds.S.A.S

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Achieving PCI Compliance Using F5 Products

Presented By: Bryan Miller CCIE, CISSP

The Bomgar Appliance in the Network

Improving PCI Compliance with Network Configuration Automation

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI Compliance Top 10 Questions and Answers

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

(d-5273) CCIE Security v3.0 Written Exam Topics

PCI and PA DSS Compliance Assurance with LogRhythm

PCI DSS: Beating the Cardholder Data Blues

CONTENTS. PCI DSS Compliance Guide

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Payment Card Industry Data Security Standard

A Rackspace White Paper Spring 2010

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Meeting PCI-DSS v1.2.1 Compliance Requirements. By Compliance Research Group

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

LogLogic. Application Security Use Case: PCI Compliance. Jaime D Anna Sr Dir of Product Strategy, TIBCO Software

Oracle Solaris 11 and PCI DSS Meeting PCI DSS Compliance with Oracle Solaris 11

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard (PCI DSS) v1.2

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Payment Card Industry Data Security Standards.

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

Best Practices for PCI DSS V3.0 Network Security Compliance

PCI Compliance. Top 10 Questions & Answers

PCI DSS Requirements - Security Controls and Processes

Managing Enterprise Security with Cisco Security Manager

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

Vendor Questionnaire

PCI Compliance Training

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Transcription:

Credit Card Secure Architecture for Interactive Voice Response (IVR) Applications What You Will Learn This whitepaper describes how to meet the Payment Card Industry Data Security Standard (PCI DSS) for securing credit card information while using the Cisco Unified Customer Voice Portal (CVP). Cisco CVP is an interactive voice response (IVR) product with a unique architecture that lends itself to safe, secure deployment for applications taking credit cards for payment or verification. This document describes the architecture for a Cisco Unified CVP deployment that provides a recommended architecture for credit card safety and security. Cisco Unified CVP may be used in self-service applications that involve the verbal or electronic entering of credit card information as part of a credit card approval transaction. The security of this credit information needs to be considered as part of any PCI-compliant implementation. This document looks at Cisco Unified CVP in the context of a secure architecture design for PCI. It discusses how Cisco Unified CVP would be deployed in that model and how its components would map to the components of the PCI standard. Cisco PCI design guides are available at http://www.cisco.com/en/us/docs/solutions/verticals/pci_retail/pci_retail_dig.html What is the Payment Card Industry (PCI) Data Security Standard (DSS)? The Payment Card Industry (PCI) Data Security Standard (DSS) applies to all businesses, large and small, in any industry, that process, transmit, or store credit card transactions and cardholder information. The goal of the PCI DSS is to increase protection of credit card information and related transactions. Any product that processes, stores, or transmits cardholder data falls under PCI DSS and is subject to a PCI audit. PCI DSS includes a set of data security requirements as outlined in Table 1. 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 5

Table 1. Addressing PCI DSS Requirements Build and Maintain a Secure Network Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy 1. Install and maintain a firewall configuration to protect data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 3. Protect stored data 4. Encrypt transmission of cardholder data and sensitive information across public networks 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security Cisco offers numerous technology solutions and advanced services to help companies address their PCI DSS requirements. Because PCI covers many parts of the network, no single product or technology meets all of the PCI technology requirements. Cisco PCI solutions address many of the 12 PCI DSS requirements. They go beyond just the requirements for example, with newer technologies such as virtualization and provide comprehensive best practices for securing sensitive information. Cisco PCI solutions can strengthen a company s overall security posture and help customers satisfy their PCI DSS requirements in a cost-effective and efficient manner. PCI DSS is applicable to a self-service IVR that is accepting credit card transactions. The merchant (that is, the owner/host of the self-service IVR system) is responsible for getting audited to achieve PCI compliance. Cisco Unified CVP Architecture The network plays a critical role in achieving PCI Compliance. PCI requirements can be broken down into the 2 key areas: 1) Addressing security requirements through technology (firewalls, etc.); and 2) Establishing and maintaining business policies. Because Cisco Unified Customer Voice Portal (CVP) is a network-based IVR architecture, credit card security can be achieved via Cisco Technology Solutions. 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 5

Figure 1. Cisco Technology Solutions Overview Cisco Unified Customer Voice Portal (CVP) resides within the Cisco Secure Network Infrastructure, and uses these infrastructure components to provide voice ingress as well as security. The following are the Cisco Secure Network Infrastructure components: Cisco Integrated Services Router (ISR) runs stateful firewall, as well as intrusion detection system (IDS) and segmentation between payment, wireless, data, and WAN. ISR router connects systems to central authentication, authorization, and accounting (AAA), Domain Name System (DNS), Network Time Protocol (NTP), and Lightweight Directory Access Protocol LDAP) services. Cisco Catalyst switches segment payment systems from other network systems. Applying PCI DSS Standard to Cisco Unified CVP Deployment The following table lists Cisco Solution and Unified CVP products and technologies that help to address PCI requirements. Table 2. PCI Requirements to Cisco Solution Mapping Solution Feature PCI Value Cisco Unified CVP Implication Requirement 1: Install and maintain a firewall configuration to protect cardholder data Cisco Firewall Services Module (FWSM), Cisco ASA 5500 Series Adaptive Security Appliances Network security (firewall segmentation/filtering), stateful filtering Install Cisco Unified CVP in the protected cardholder data environment. CiscoWorks LAN Management Solution (LMS) and Network Compliance Manager (NCM), Cisco Security Manager Configuration management/secure configurations Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Cisco Unified CVP Server Default passwords changeable Non console encrypted administrative access Change passwords on Cisco Unified CVP servers, use AAA for administrative access. Requirement 3: Protect stored cardholder data Cisco Unified CVP Protect the data by only storing it where necessary, and only transmitting it in an encrypted form Cisco Unified CVP applications should be written to not store sensitive information at all, and encryption points (VPN) should be used when transmitting data out of the secure data center. Logging of Cisco Unified CVP application data should also be disabled. 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 5

Solution Feature PCI Value Cisco Unified CVP Implication Requirement 4: Encrypt transmission of cardholder data across open, public networks Cisco Unified CVP Data protection Use VPN when transmitting data out of the data center. This may be implemented by putting a secure VPN-enabled device between the Cisco Unified CVP Server and the egress to the payment network. Requirement 5: Use and regularly update anti-virus software or programs Third-party anti-virus Anti-virus protection, malware/spyware protection, alerting Anti-virus is recommended for all Windowsbased. Requirement 6: Develop and maintain secure systems and applications Cisco Unified CVP Server Capable of being patched and updated Cisco releases Cisco Unified CVP security patches on http://www.cisco.com. Requirement 7: Restrict access to cardholder data on a business need-to-know basis Least-privilege, role-based access Use AAA and Active Directory to provide rolebased authentications. Cisco Unified CVP Operations, Administration, Maintenance, and Provisioning (OAMP) servers also support rolebased access. Requirement 8: Assign a unique ID to each person with computer access ISRs, Cisco 7200 VXR Series Routers, Cisco FWSM, Cisco ASA 5500 Series, switches, wireless controllers, CiscoWorks (LMS), Cisco Security Monitoring, Analysis, and Response System (CS-MARS), Cisco Secure Access Control Server (CS-ACS), Cisco Wireless Control System (WCS), RSA applications and NRC Advanced Checkout Solution (NCR- ACS), ISRs, Cisco 7200 VXR Routers, Cisco FWSM, Cisco ASA 5500 Series, switches, wireless controllers, CSA Manager, Cisco Security Manager, CiscoWorks (LMS), CS-MARS, CS- ACS, WCS, RSA applications and NCR-ACS, ISRs, Cisco 7200 VXR Routers, Cisco FWSM, Cisco ASA 5500 Series, switches, wireless controllers, CSA Manager, Cisco Security Manager, CiscoWorks (LMS), CS-MARS, CS- ACS, WCS, RSA applications and NCR-ACS, Unique user IDs, authenticated access, encrypted passwords, no group/shared IDs/passwords Password strength requirements Account lockout requirements Cisco Unified CVP provides these features. Cisco Unified CVP supports password strength requirements. Cisco Unified CVP provides account lockout capabilities. Requirements 9: Restrict physical access to cardholder data All servers and database storage Physical access requirement Cisco video surveillance and monitoring systems can be implemented to meet this requirement. Requirement 10: Track and monitor all access to network resources and cardholder data ISRs, Cisco 7200 VXR Routers, switches, wireless devices, WCS, CS-ACS, CiscoWorks (LMS), RSA applications, NCR Applications, Audit trails, time synchronization Cisco Unified CVP supports audit trails and time synchronization. CiscoWorks (LMS and NCM) Centrally archive audit log records Cisco Unified CVP audit logs can be centrally stored away from the Cisco Unified CVP Server. Requirement 11: Regularly test security systems and processes Cisco Integrated Services Routers, Cisco ASA 5500 Series, Cisco Intrusion Prevention System (IPS) Sensor, Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) (sensor), Cisco Security Manager (policy, signature updates a part of the Cisco Unified CVP environment) Network IDS Networking best practice. Requirement 12: Maintain a policy that addresses information security for employees and contractors Cisco Advanced Services can help with the creation of this policy. Creation and maintenance of security policy Cisco Unified CVP deployment implementation and operation should be factored into your overall security policy. 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 5

Conclusion This document describes Cisco Unified Customer Voice Portal (CVP) in the context of a PCI deployment. Intended as a summary of Cisco s PCI best practices, it is not a standalone document that covers PCI architectures in general. Cisco Validated Designs are a critical element of Cisco s PCI solution portfolio. Built and tested in Cisco labs, these designs have been evaluated by a PCI QSA, who then provided a report on compliance (ROC) outlining how each solution addresses PCI DSS technology requirements. The Cisco Validated Designs for PCI can be downloaded from http://www.cisco.com/go/pci. The independent ROCs for Cisco s PCI solutions are also available for viewing at this address. At this time, the PCI audit of the Cisco Unified CVP solution is pending. Cisco also offers Cisco Payment Card Industry Compliance Services. These services help network directors, security managers, and directors who process payment card transactions achieve and maintain PCI compliance by identifying and remediating compliance gaps. Each enterprise network deployment is unique. For detailed architectures and security discussions, please contact your Cisco account team. For More Information For more information on Cisco PCI solutions, please visit http://www.cisco.com/go/pci, or http://www.cisco.com/go/retail. More information about PCI DSS compliance and standards is available at: https://www.pcisecuritystandards.org/ Printed in USA C11-604236-00 05/10 2010 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information