Network Segmentation June 30, 2015 12:00 Noon Eastern
Agenda: Presenters; Housekeeping; About Conexxus; Network Segmentation Presentation; Q&A
Presenters:
Carl Bayer (cbayer@conexxus.org), Program Manager, Conexxus
Kara Gunderson (kgunder@citgo.com), POS Manager, Citgo Petroleum Corporation
Mark Carl (mcarl@echosat.com), CEO, EchoSat Communications Group, Inc.
2015 Conexxus Webinar Schedule* (Month/Date, Webinar Title, Speaker, Company)
June 30, 2015: Network Segmentation, Mark Carl, Echosat
July: Mobile Commerce, Wesley Burress / Don Friedman, ExxonMobil / P97
August: Point 2Point Encryption P2PE, TBD
September: Asset Tracking in PCI 3.0, TBD
October: NACS Show in Las Vegas, No Webinar
November: Open, TBD
December: Conexxus Year end review, TBD
If you have a suggestion for a webinar, please contact Carl Bayer with Conexxus at cbayer@conexxus.org.
* Update: June 9, 2015
About Conexxus
We are an independent, non-profit, member-driven technology organization.
We set standards: data exchange, security, mobile commerce.
We provide vision: identify emerging tech/trends.
We advocate for our industry: technology is policy.
Future Events
The NACS Show, October 11-14, 2015, Las Vegas Convention Center, Las Vegas, Nevada
2016 Conexxus Annual Conference, May 1-5, 2016, Loews Ventana Canyon Resort, Tucson, Arizona
Network Segmentation Limiting Your PCI-DSS Scope Mark Carl
Who The Heck Are You?
CEO at EchoSat, Inc.
Formerly EchoSat's CTO for 16 years
Designed and developed EchoSat SPG
Designed and developed PaySafe SPG managed firewall solution
Provide gateway and technology for Heartland SmartLink Pro
Servicing 20,000 petro merchants across many brands
Securely delivering 12% of all petro transactions to the acquirers
Level 1 PCI-DSS compliant service provider since 2008
Security Versus Compliance: Who wins?
Most large breaches occur within PCI-compliant networks
PCI-DSS is not security, it's a minimum standard
Will the card brands issue fines even if you're compliant? Absolutely. If you think they won't, just ask Target
Conclusion: You need a security expert, not a compliance expert
Managed service providers should provide both
Service providers can transfer responsibility under PCI3 12.8
Make sure SOMEBODY is responsible
Recognizing intrusion is as important as preventing it
Do I Have To Do This Myself? NO!
Third Party Security Assurance (TPSA) is in your favor
Defines Third Party Service Providers (TPSPs)
Explains TPSP and merchant responsibilities
Does NOT relieve merchant from PCI-DSS responsibility
PCI-DSS 12.8.2 requires written agreements with TPSPs
Merchants must acknowledge what's being provided
What does PCI-DSS say about network segmentation?
Not a PCI-DSS requirement
Used to reduce the assessment scope for PCI-DSS
Can be physical or logical separation of components
Must be assessed adequate by QSA, or transferred by service provider
Isolates systems that store, process or transmit cardholder data
This includes the devices that provide the isolation
No Separation: Entire network is within PCI scope. (Diagram: InterWebs, Security, WiFi, Backoffice, POS)
Physical Separation: Limiting PCI-DSS scope physically. (Diagram: InterWebs, Security, WiFi, Backoffice, POS)
Logical Separation: Limiting PCI scope logically. (Diagram: InterWebs, Security, WiFi, Backoffice, POS)
Why Do We Need to Segment? Meet Jim, Our Store Manager...
How Do Attackers Work?
1. Find an initial entry point, using phishing, etc.
2. Gather and analyze information from the entry point
3. Leverage and expand access from the breach point
4. Use expanded access for mass financial gain
Where's the Threat? (Diagram labels: Actual threat; InterWebs; Threat misconception; Security; Jim's PC; WiFi; Backoffice; POS)
Why is Jim Our Primary Threat? Jim gets an email that his Apple ID has expired, and clicks the link... and Jim's PC is now under the control of a hacker. (Diagram: InterWebs; Hacker launches persistent aggressive attack against POS; POS)
How do we mitigate? We block Jim's PC from the POS, and permit only necessary traffic. (Diagram: InterWebs, Security, Jim's PC, WiFi, Backoffice, POS)
How do we mitigate? We monitor Jim's connections for viruses and malware, and isolate the POS to the acquirer. (Diagram: InterWebs, Gateway/Acquirer, Jim's PC, POS)
Are We Done Now? NO! We have to monitor, log and alert! Some examples:
Log attempts to the POS from Jim's PC, and alert someone about intrusion attempts.
Log and alert any new devices on the POS segment that shouldn't be there.
Log and alert attempts from the POS to connect to anywhere besides the acquirer or other necessary destinations.
(Diagram: InterWebs, Gateway/Acquirer, Jim's PC, POS)
Why Log and Alert? (Diagram: POS to Gateway/Acquirer: Log, don't alert. POS to POS Vendor Updates: Log, don't alert. POS to Some Server in China: Call 911.)
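As an added example (not code from the webinar or from EchoSat), the monitoring rules on the two slides above, "log and alert" versus "log, don't alert", written as a small Python checker run over constructed firewall log lines. The segment addresses, the device inventory, the log format and the allowed destinations are assumptions chosen for the example.

```python
import ipaddress
import re

# Constructed segment layout; all addresses are assumptions, not from the deck.
BACKOFFICE = ipaddress.ip_network("10.10.10.0/24")   # Jim's PC lives here
POS_SEGMENT = ipaddress.ip_network("10.10.20.0/24")  # POS, pinpads, EPS
KNOWN_POS_HOSTS = {"10.10.20.5", "10.10.20.6"}       # inventoried POS devices
# The only places the POS segment may talk to ("log, don't alert" in the deck).
ALLOWED_POS_DESTINATIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "gateway/acquirer",
    ipaddress.ip_network("198.51.100.20/32"): "POS vendor updates",
}
# Constructed firewall log format: "<ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"(ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")


def classify(line):
    """Return the (severity, message) findings one firewall log line raises."""
    m = LOG_RE.search(line)
    if not m:
        return [("warning", f"unparsed log line: {line!r}")]
    action, src, dst, dport = m.groups()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    where = f"{src} -> {dst}:{dport} ({action})"
    findings = []
    # Back-office host reaching for the POS: the firewall denies it, but the
    # attempt itself is the intrusion signal (Jim's PC is compromised).
    if src in BACKOFFICE and dst in POS_SEGMENT:
        findings.append(("alert", "back-office host probed the POS segment: " + where))
    if src in POS_SEGMENT:
        if str(src) not in KNOWN_POS_HOSTS:  # not in the device inventory
            findings.append(("alert", "unknown device on the POS segment: " + where))
        if not any(dst in net for net in ALLOWED_POS_DESTINATIONS):  # "call 911"
            findings.append(("critical", "POS contacted an unexpected host: " + where))
    return findings


def review(log_lines):
    """Run every line through classify() and return the flattened findings."""
    return [f for line in log_lines for f in classify(line)]


# Constructed sample log: one normal line, then each case the deck calls out.
SAMPLE_LOG = [
    "ALLOW src=10.10.20.5 dst=203.0.113.10 dport=443",   # POS -> acquirer: log only
    "DENY src=10.10.10.42 dst=10.10.20.5 dport=445",     # Jim's PC -> POS: alert
    "ALLOW src=10.10.20.99 dst=203.0.113.10 dport=443",  # unknown device on POS segment
    "ALLOW src=10.10.20.6 dst=198.51.100.20 dport=443",  # POS -> vendor updates: log only
    "ALLOW src=10.10.20.6 dst=192.0.2.77 dport=443",     # POS -> "some server": critical
]
```

Allowed POS-to-acquirer and POS-to-vendor traffic produces no finding and is simply kept in the log; only the three cases the slides name raise an alert.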
What's On My POS? Know and understand what's here, and why... Segment? Vendor Zone Routers are PCI-DSS, not PA-DSS... (Diagram: Covered by PA-DSS: POS, Pinpad, POS, Pinpad, EPS)
Vendor Zone Routers
May provide POS vendor back-door access to your CDE
Likely provided by another third party
Must meet rules of PCI-DSS 12.8.2 and TPSA
Requires logging, monitoring and alerting
Significantly impacts your CDE
Vendor must transfer under TPSA and 12.8.2
Otherwise, you cannot meet 12.8.2 for your CDE
(Diagram: InterWebs, Vendor Support, Vendor Zone Routers are PCI-DSS, not PA-DSS...)
THANK YOU
Thank you for attending today's webinar: Network Segmentation. If you found today's webinar valuable, please consider supporting Conexxus by becoming a member so we can continue to bring you new and relevant content. Follow the link to learn more: http://www.conexxus.org/content/membership