PCI DSS 3.1 and the Impact on Wi-Fi Security




AirTight Networks, Inc., 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043, www.airtightnetworks.com. 2015 AirTight Networks, Inc. All rights reserved.

Table of Contents
- PCI DSS 3.1 and the Impact on Wi-Fi Security
- PCI DSS 3.1 Requirement 11.1
- PCI DSS 3.1 Requirement 2.4
- PCI DSS 3.1 Requirement 9.9
- PCI DSS 3.1 Requirement 10.6
- PCI DSS 3.1 Update
- PCI Security Best Practices
- Go Beyond the Check Mark

PCI DSS 3.1 and the Impact on Wi-Fi Security

Given the complexities of satisfying PCI data security and compliance, and the on-going high-profile retail data breaches, the PCI Security Council determined that additional guidance was needed to give retailers more clarity into the intent and scope of several of the PCI data security requirements. With the latest revision, PCI DSS v3.1, the PCI Security Council emphasized building security into business-as-usual activities and best practices for maintaining on-going PCI compliance. Specific guidance was provided for many requirements to make sure that the PCI audit is not the focal point of security initiatives, but rather that merchants are building security processes into their daily operations.

One such example is PCI Requirement 11.1, which requires merchants to test for the presence of rogue wireless devices in the cardholder data environment (CDE). PCI DSS v3.1 provides additional clarification around PCI Requirement 11 and its sub-requirements, including 11.1. In prior versions of the PCI DSS, Requirement 11.1 broadly and simply required merchants to conduct a quarterly scan of the network to identify rogue wireless access points in the CDE. Additional guidance provided in PCI DSS v2.0 suggested that merchants could satisfy this requirement with a visual inspection of the network, which in many cases turned the requirement from an active security initiative into merely a compliance checkmark, leaving networks and sensitive data vulnerable to attack. Making matters worse, many merchants falsely believe that simply turning off Wi-Fi and scoping it out of their cardholder data environment exempts them from having to conduct regular vulnerability scanning for unauthorized wireless on the network.

According to the Verizon 2015 Data Breach Report, organizations continue to struggle with PCI Requirement 11. Verizon reported last year that among organizations that met 95% of the PCI DSS controls, more than half failed Requirement 11. Meanwhile, compliance with sub-requirement 11.1 fell 10% from a year earlier, with Verizon noting that organizations often fail this control because they falsely believe that they don't need to scan for rogue wireless access points if they have chosen not to use in-scope wireless networks.

PCI DSS 3.1 Requirement 11.1

PCI DSS 3.1 Requirement 11.1 provides additional guidance around the methods used for rogue Wi-Fi scanning, based on the size and complexity of the environment. PCI v3.1 emphasizes that security is a continual process, not a snapshot-in-time compliance checkmark. The updated standard specifically calls out the difference between a small kiosk environment, where a visual inspection for a rogue AP may be adequate to meet the intent of the requirement, and a large retail environment, where there are enough locations, or each location is large enough, that visual inspection is not adequate. For medium to large retail organizations, continuous rogue AP scanning with a strong WIPS is therefore more appropriate to meet the intent of Requirement 11.1 than a quarterly or visual inspection alone.
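The continuous rogue AP scanning described above boils down to comparing what the sensors see in the air against an authorized inventory. The following is an added example of that classification step, not AirTight code and not part of the original paper. It assumes a scan feed that reports, per BSSID, the advertised SSID and whether the same MAC was also seen on the monitored wired CDE segment (the wired-side correlation that separates a rogue from a neighbor); the inventory and scan records are constructed.

```python
"""Classify observed Wi-Fi access points against an authorized inventory.

Added example, not AirTight code. It assumes a scan feed that reports, for
each BSSID, the advertised SSID and whether the same MAC was also seen on the
monitored wired CDE segment. All inventory and scan data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str          # radio MAC as reported by the sensor
    ssid: str           # advertised network name
    on_wired_cde: bool  # True if this MAC was also seen on the wired CDE segment


# Constructed inventory: authorized BSSID -> the SSID it is approved to serve.
AUTHORIZED = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-POS",
    "00:11:22:33:44:03": "STORE-GUEST",
}


def classify(ap, authorized=AUTHORIZED):
    """Return (category, reason) for one observed AP.

    Categories, most to least severe:
      rogue         unknown AP bridged to the wired CDE (Requirement 11.1 finding)
      evil-twin     unknown AP advertising one of our SSIDs (lures clients)
      misconfigured inventoried AP serving an SSID it is not approved for
      external      neighbor AP, not on our wire and not using our SSIDs
      authorized    matches the inventory
    """
    inventory = {k.lower(): v for k, v in authorized.items()}
    corporate_ssids = set(inventory.values())
    approved_ssid = inventory.get(ap.bssid.lower())
    if approved_ssid is not None:
        if ap.ssid != approved_ssid:
            return "misconfigured", f"inventoried AP serving unexpected SSID {ap.ssid!r}"
        return "authorized", "BSSID and SSID match the inventory"
    if ap.on_wired_cde:
        return "rogue", "unknown AP seen on the wired CDE segment"
    if ap.ssid in corporate_ssids:
        return "evil-twin", f"unknown AP advertising corporate SSID {ap.ssid!r}"
    return "external", "neighbor network, not connected to the CDE"


def triage(scan, authorized=AUTHORIZED):
    """Group a scan into category -> sorted list of BSSIDs."""
    groups = {}
    for ap in scan:
        category, _ = classify(ap, authorized)
        groups.setdefault(category, []).append(ap.bssid.lower())
    return {cat: sorted(macs) for cat, macs in groups.items()}


# Constructed scan: what one sensor might report during a sweep.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:33:44:01", "STORE-POS", True),
    ObservedAP("00:11:22:33:44:02", "STORE-POS", True),
    ObservedAP("00:11:22:33:44:03", "STORE-POS", True),   # guest AP now serving the POS SSID
    ObservedAP("aa:bb:cc:dd:ee:01", "linksys", True),     # consumer AP plugged into a POS port
    ObservedAP("aa:bb:cc:dd:ee:02", "STORE-POS", False),  # spoofed corporate SSID, not on wire
    ObservedAP("aa:bb:cc:dd:ee:03", "CoffeeShop-Guest", False),
]


if __name__ == "__main__":
    for category, macs in sorted(triage(SAMPLE_SCAN).items()):
        print(f"{category:13s} {', '.join(macs)}")
```

The wired-side flag is what makes the difference between a finding that needs containment (rogue) and noise from the store next door (external); an unknown AP that merely spoofs a corporate SSID is still reported, because it is the pattern used to lure approved client devices off the proper network.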

In the case of visual inspections, the merchant is often asking an employee (a GM, manager or regional manager) to look around the environment to see what's different. But these employees are not trained to identify malicious devices. APs have become so small, and are designed to blend in with their environment, that they are frequently difficult to detect. Visual inspection in a small and controlled environment may be viable, but in retail stores where multiple ports and connections to the network are available, automated scanning is the only way to ensure 24x7 security.

AirTight's WIPS is best in class for satisfying rogue wireless compliance. AirTight can detect unauthorized (rogue) devices on the network within seconds of them becoming active, and isolate and deactivate these devices from the network until they can be physically removed. The AirTight WIPS solution can also disassociate users or devices that may have associated with the rogue in error and steer them back to their proper network.

PCI DSS 3.1 Requirement 2.4

PCI DSS 3.1 Requirement 2.4 adds clarity for maintaining an inventory of system components that are in scope for PCI. In order to accurately and efficiently define the scope of their networks for PCI compliance, it is recommended that retailers maintain an inventory of the system components that make up the CDE. By identifying the key systems in the CDE, the merchant can ensure that essential systems are protected and properly segmented for optimal security. AirTight's WIPS automatically inventories and classifies all wireless assets in the merchant's network, including approved wireless access points and mobile client devices. This greatly simplifies mandatory inventory methods, so you are not maintaining an inventory of mobile devices in a spreadsheet, and can help define the scope for the PCI audit.

PCI DSS 3.1 Requirement 9.9

PCI 3.1 Requirement 9.9 protects POS terminals and devices from tampering or substitution. It's important that mobile devices in the CDE associate to the wireless network specific to their location. If you are deploying mobile devices for store associates (including mobile POS), AirTight can automatically distinguish those from neighboring clients and access points in your airspace that are not sensitive devices, a critical feature when it comes to PCI and security compliance. AirTight's WIPS maintains an inventory of your client devices and alerts you when one of those devices goes missing, or when a hacker tries to lure an approved device onto an insecure Wi-Fi network where sensitive data can be grabbed from it.

AirTight's WIPS provides automatic alerts when a mobile POS device is lost or stolen. This is done by identifying when a device is no longer on the network for a defined period of time. For instance, where a mobile POS gets regular software or application updates overnight, if the device is absent for over an hour, AirTight alerts security and IT personnel so that its access to the network and CDE can quickly be revoked, eliminating potential security vulnerabilities before a catastrophic incident can occur.
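The lost-device alert described above is a last-seen timer with an exemption for expected downtime. What follows is an added example of that logic, not AirTight code and not part of the original paper. It assumes a per-device last-seen timestamp kept by the WIPS and a nightly maintenance window (both constructed) during which handhelds are expected to be offline for updates; time spent inside that window does not count toward the absence threshold, so the overnight update case the paper mentions does not produce a false alert.

```python
"""Raise an alert when an inventoried mobile POS device drops off the Wi-Fi
network for longer than a defined threshold.

Added example, not AirTight code. It assumes a per-device last-seen timestamp
kept by the WIPS (constructed below) and a nightly maintenance window in which
devices are expected to be offline for updates; time spent inside that window
is not counted as absence.
"""
from datetime import datetime, time, timedelta

ABSENCE_THRESHOLD = timedelta(hours=1)          # the paper's example: absent for over an hour
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))   # constructed: nightly updates 02:00-04:00
NIGHT_WINDOW = (time(23, 0), time(1, 0))        # constructed alternate window crossing midnight


def window_overlap(seen, now, window=MAINTENANCE_WINDOW):
    """Total time within [seen, now] that falls inside the daily window.

    Windows that cross midnight (e.g. 23:00-01:00) are handled by extending
    the window end into the following day.
    """
    start, end = window
    total = timedelta()
    day = seen.date() - timedelta(days=1)   # start a day early for midnight-crossing windows
    while datetime.combine(day, start) < now:
        w_start = datetime.combine(day, start)
        w_end = datetime.combine(day, end)
        if end <= start:
            w_end += timedelta(days=1)
        overlap = min(now, w_end) - max(seen, w_start)
        if overlap > timedelta():
            total += overlap
        day += timedelta(days=1)
    return total


def missing_devices(last_seen, now, threshold=ABSENCE_THRESHOLD, window=MAINTENANCE_WINDOW):
    """Return sorted (device, effective_absence) pairs that exceed the threshold."""
    alerts = []
    for device, seen in last_seen.items():
        effective = (now - seen) - window_overlap(seen, now, window)
        if effective > threshold:
            alerts.append((device, effective))
    return sorted(alerts)


# Constructed last-seen table for three inventoried mobile POS handhelds.
LAST_SEEN = {
    "mpos-01": datetime(2015, 6, 1, 1, 45),   # went quiet just before the update window
    "mpos-02": datetime(2015, 5, 31, 22, 0),  # gone since the previous evening
    "mpos-03": datetime(2015, 6, 1, 4, 10),   # seen after the window closed
}
NOW = datetime(2015, 6, 1, 4, 30)


if __name__ == "__main__":
    for device, absence in missing_devices(LAST_SEEN, NOW):
        print(f"ALERT {device}: absent {absence} outside the maintenance window; revoke CDE access")
```

With the constructed data only mpos-02 is reported: its six and a half hours of silence minus the two-hour update window still exceeds the one-hour threshold, while mpos-01 is within 45 minutes once the window is discounted.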

PCI DSS 3.1 Requirement 10.6

PCI DSS 3.1 Requirement 10.6 clarifies the intent and scope of the daily log review. Daily log reviews have been very tedious for merchants. PCI clarified that the focus should be on suspicious activity in the environment and on actionable events and data from monitoring systems. AirTight's WIPS provides highly accurate alerts and is not prone to the high numbers of false positives and negatives usually associated with other WIPS solutions, allowing administrators to focus on actionable events without having to sift through all the noise that logs can accumulate. This applies to rogue AP incidents and to alerts on client devices that are lost or stolen. AirTight can also integrate with log correlation tools already in place to monitor web and ecommerce environments and back-end transaction processing servers.

PCI DSS 3.1 Update

PCI DSS 3.1 designates SSL as insufficient for data security. In April 2015, the PCI Security Standards Council (PCI SSC) published a revision to the PCI Data Security Standard. PCI DSS Version 3.1 addresses vulnerabilities within the Secure Sockets Layer (SSL) encryption protocol that can put payment data at risk. The Council determined that SSL v3.1 is no longer acceptable for data security due to inherent weaknesses in the SSL protocol. Merchants are now required to implement Transport Layer Security (TLS) to ensure their networks are secure. With respect to transactions over wireless networks, all Wi-Fi devices in the CDE must be protected with strong encryption per PCI Requirement 4.1.1: use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. AirTight WIPS automatically detects open (non-encrypted) networks and is equipped to block these vulnerable connections before sensitive data is compromised.
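Detecting open networks is one case of checking in-scope SSIDs against the Requirement 4.1.1 wording (industry best practice such as IEEE 802.11i). The following is an added example of that check, not AirTight code and not part of the original paper; it goes slightly beyond the open-network case by also flagging WEP and mixed-mode TKIP. It assumes scan records that carry, per BSSID, the authentication (AKM) and pairwise cipher suites advertised in the beacon's RSN/WPA information element; the records and the list of in-scope SSIDs are constructed.

```python
"""Audit observed CDE wireless networks against an 802.11i policy (PCI DSS 4.1.1).

Added example, not AirTight code. It assumes scan records that carry, per
BSSID, the advertised SSID plus the authentication (AKM) and pairwise cipher
suites from the beacon's RSN/WPA information element; the records and the
set of in-scope SSIDs below are constructed.
"""
from dataclasses import dataclass

STRONG_CIPHERS = {"CCMP", "GCMP"}         # AES-based 802.11i pairwise ciphers
STRONG_AKMS = {"PSK", "802.1X", "SAE"}    # WPA2/WPA3 authentication methods


@dataclass(frozen=True)
class ObservedNetwork:
    bssid: str
    ssid: str
    akms: frozenset     # e.g. {"802.1X"}; empty means no RSN/WPA element (open or WEP)
    ciphers: frozenset  # pairwise ciphers offered, e.g. {"CCMP", "TKIP"}


def evaluate(net, in_scope_ssids):
    """Return (verdict, reason) for one observed network."""
    if net.ssid not in in_scope_ssids:
        return "out-of-scope", "SSID is not part of the CDE"
    if "WEP" in net.ciphers:
        return "violation", "WEP is not strong cryptography"
    if not net.akms:
        return "violation", "open network: no authentication or encryption"
    weak = net.ciphers - STRONG_CIPHERS
    if weak:
        # Mixed mode counts as a violation: a client may negotiate the weak cipher.
        return "violation", f"weak pairwise cipher(s) offered: {', '.join(sorted(weak))}"
    unknown = net.akms - STRONG_AKMS
    if unknown:
        return "violation", f"unrecognized authentication: {', '.join(sorted(unknown))}"
    if net.akms == {"PSK"}:
        return "compliant", "WPA2-Personal with AES; 802.1X gives per-user credentials"
    return "compliant", "802.11i with AES and enterprise authentication"


def audit(scan, in_scope_ssids):
    """Return [(ssid, bssid, verdict, reason), ...] for every observed network."""
    return [(n.ssid, n.bssid, *evaluate(n, in_scope_ssids)) for n in scan]


def violations(scan, in_scope_ssids):
    """Only the rows an administrator must act on (Requirement 10.6 style filtering)."""
    return [row for row in audit(scan, in_scope_ssids) if row[2] == "violation"]


# Constructed data: CDE SSIDs and a sweep that caught several configurations.
IN_SCOPE = {"STORE-POS", "STORE-MGMT"}
SAMPLE = [
    ObservedNetwork("00:11:22:33:44:01", "STORE-POS", frozenset({"802.1X"}), frozenset({"CCMP"})),
    ObservedNetwork("00:11:22:33:44:02", "STORE-POS", frozenset({"PSK"}), frozenset({"CCMP", "TKIP"})),
    ObservedNetwork("00:11:22:33:44:05", "STORE-MGMT", frozenset(), frozenset({"WEP"})),
    ObservedNetwork("00:11:22:33:44:06", "STORE-GUEST", frozenset(), frozenset()),
    ObservedNetwork("aa:bb:cc:dd:ee:09", "STORE-POS", frozenset(), frozenset()),  # open AP on the POS SSID
]


if __name__ == "__main__":
    for ssid, bssid, verdict, reason in audit(SAMPLE, IN_SCOPE):
        print(f"{verdict:12s} {ssid:12s} {bssid}  {reason}")
```

The open guest network is reported as out of scope rather than as a violation because it is not a CDE SSID; the same open configuration on the POS SSID is a violation, which is the distinction segmentation buys you.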

PCI Security Best Practices

1. Limit the scope of your PCI audit through network segmentation. The golden rule is to limit the scope of your PCI audit to the cardholder data environment (CDE). This ensures that any network or device that does not interact with cardholder data is firewalled from the systems that transmit, store or process cardholder data, and it greatly limits the effort required to demonstrate PCI compliance. Networks and devices that are appropriately segmented from the CDE will not be in scope for your PCI audit. With AirTight, devices outside the cardholder data environment networks can be identified as non-CDE, which further reduces the scope of the audit.

2. Develop security as a continual process. The updates in PCI DSS v3.1 change the language around implementing security as a business-as-usual process, as opposed to a point-in-time audit. On-going vulnerability scanning of your cardholder data environment is critical to maintaining a strong security posture and to identifying any unforeseen vulnerabilities after changes and maintenance to the network infrastructure and supporting clients.

3. Use strong wireless encryption and authentication. This holds true for any wireless that touches the CDE, especially mobile POS, which calls for WPA2 encryption and strong authentication and encryption on the wireless network. This not only protects the retail network infrastructure, it also protects the client devices. Make sure that the client devices are hardened and secured so that they can't be stolen and sensitive data cannot be taken off them.

4. Use IDS/IPS to monitor traffic in the CDE. If you are thinking about adding mobile POS to your retail operations, that now falls within the scope of your PCI audit. Thus it becomes important for wireless IDS/IPS to monitor that traffic as well.

5. Implement an incident response plan. Simply document the plan you will go through when an incident is found. Having your process documented and ready to go will help you minimize ad hoc reactions to specific incidents.

6. Establish and maintain a strong relationship with your auditor. Keep the same audit company and team year over year if possible, as this reduces the time and effort needed to familiarize the auditor with your environment, which ultimately reduces the audit expense and eases the process for your internal staff. Organizations can then focus on remediating gaps and assessing new systems and environment changes from year to year, rather than bringing a new auditor up to speed on their environment.

Protecting Your Brand is Important. Go Beyond the Check Mark

Wi-Fi services are table stakes in retail operations for both in-store staff and guests. AirTight customers can get secure Wi-Fi access and best-of-breed security in one network infrastructure, without the expense of an overlay security solution. AirTight's WIPS goes beyond the PCI compliance checkmark to ensure that your sensitive payment card data is secure from wireless security breaches. AirTight automates PCI wireless compliance scanning and reporting of rogue APs and other wireless threats that can put your data at risk. Automated threat containment ensures your network and data are secure at all times.

AirTight's PCI scanning and remediation solutions offer a radically less expensive alternative to any competitive options available today. Walking around with a wireless analyzer to conduct scans is a time-consuming process, limited in scope, cannot scale for large premises and is cost prohibitive for multiple sites. AirTight is a convenient, comprehensive and cost-effective solution for protecting sensitive payment card data and maintaining a strong PCI compliance posture.

The AirTight solution includes:
- Automated 24x7 intrusion detection and rogue AP scanning
- Ability to maintain an up-to-date wireless device inventory (recommended by the PCI SSC)
- Automatic blocking of rogue APs and other wireless threats or hack attacks
- Highly accurate wireless threat and compliance violation alerts via email
- Location tracking capabilities that identify the physical location of threat-posing Wi-Fi devices
- Scheduled and on-demand PCI report generation and delivery to your inbox

AirTight Networks, Inc., 339 N. Bernardo Avenue #200, Mountain View, CA 94043. T +1.877.424.7844, T 650.961.1111, F 650.961.1169. www.airtightnetworks.com, info@airtightnetworks.com

AirTight Networks and the AirTight Networks logo are trademarks, and AirTight is a registered trademark of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.