PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data



Similar documents
PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table

Cisco IOS Advanced Firewall

CISCO IOS NETWORK SECURITY (IINS)

Deploying Firewalls Throughout Your Organization

Implementing Cisco IOS Network Security

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Securing Networks with Cisco Routers and Switches 1.0 (SECURE)

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

How To Achieve Pca Compliance With Redhat Enterprise Linux

Credit Card Secure Architecture for Interactive Voice Response (IVR) Applications

Implementing Cisco IOS Network Security v2.0 (IINS)

Achieving PCI-Compliance through Cyberoam

Managing Enterprise Security with Cisco Security Manager

Cisco Security Manager 4.2: Integrated Security Management for Cisco Firewall, IPS, and VPN Solutions

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

PCI Data Security Standards (DSS)

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

The Cisco ASA 5500 as a Superior Firewall Solution

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

How To Secure Your Store Data With Fortinet

Best Practices for PCI DSS V3.0 Network Security Compliance

SSECMGT: CManaging Enterprise Security with Cisco Security Manager v4.x

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Josiah Wilkinson Internal Security Assessor. Nationwide

IINS Implementing Cisco Network Security 3.0 (IINS)

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

74% 96 Action Items. Compliance

Need to be PCI DSS compliant and reduce the risk of fraud?

SNRS. Securing Networks with Cisco Routers and Switches. Length 5 days. Format Lecture/lab

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Conquering PCI DSS Compliance

Payment Card Industry Data Security Standard

Secure networks are crucial for IT systems and their

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Securing Virtual Applications and Servers

Achieving PCI Compliance Using F5 Products

Enforcing PCI Data Security Standard Compliance

How To Protect A Web Application From Attack From A Trusted Environment

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Cisco Certified Security Professional (CCSP)

GFI White Paper PCI-DSS compliance and GFI Software products

Chapter 1 The Principles of Auditing 1

Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

How To Comply With The Pci Ds.S.A.S

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Cyberoam Perspective BFSI Security Guidelines. Overview

Did you know your security solution can help with PCI compliance too?

SonicWALL PCI 1.1 Implementation Guide

PCI Compliance Top 10 Questions and Answers

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Cisco ASA 5500 Series IPS Edition for the Enterprise

PCI Compliance. Top 10 Questions & Answers

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

CCNA Security 2.0 Scope and Sequence

Chapter 9 Firewalls and Intrusion Prevention Systems

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Cisco SR 520-T1 Secure Router

Cisco ASA 5500 Series Content Security Edition for the Enterprise

Thoughts on PCI DSS 3.0. September, 2014

Payment Card Industry Data Security Standards.

(d-5273) CCIE Security v3.0 Written Exam Topics

Cisco Advanced Services for Network Security

Improving PCI Compliance with Network Configuration Automation

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

University of Sunderland Business Assurance PCI Security Policy

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Managing Enterprise Security with Cisco Security Manager

How to Dramatically Reduce the Cost and Complexity of PCI Compliance

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

IPS AIM for Cisco Integrated Services Routers

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

Remote-Access VPNs: Business Productivity, Deployment, and Security Considerations

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

Asheville-Buncombe Technical Community College Department of Networking Technology. Course Outline

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

Tim Bovles WILEY. Wiley Publishing, Inc.

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PCI v2.0 Compliance for Wireless LAN

Becoming PCI Compliant

PCI Compliance: Improve Payment Security

Best Practices for Outdoor Wireless Security

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

LogRhythm and PCI Compliance

Transcription:

White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and cost-effective business transactions. However, hundreds of millions of personally identifiable customer records have been breached in both high- and lowprofile attacks. Many of these instances have involved credit card information. As a result, there is increased pressure to comply with industry mandates and state and federal regulations, which have been created to enhance privacy, national security, and, in many cases, corporate accountability. Fines, penalties, and lawsuits are just some repercussions of what a company might face if a security breach occurs and the company is out of compliance at the time of the breach. The long-term effect of noncompliance is damage to the company's brand, or reputation, from which they sometimes never recover. The PCI Security Standard The Payment Card Industry Data Security Standard (PCI DSS) applies to all businesses, public and private, in any industry that processes, transmits, or stores credit card transactions and cardholder information. PCI DSS provides guidance for securing payment card data and includes a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. Payment card brands such as Visa International, MasterCard Worldwide, Discover Financial Services, JSI, and American Express all require PCI compliance, and any company that fails to comply with the requirements risks stiff penalties. PCI DSS version 2.0 went into effect January 1, 2011. The lifecycle process for changes to the PCI DSS currently spans three years. During this timeframe, the PCI Council continuously evaluates evolving technology and threats, and, if necessary, may make mid-lifecycle changes to the standards or may provide ongoing supplemental guidance about these issues. The basic 12 requirements of the PCI guidelines have remained consistent. PCI Compliance and Cisco IOS Security for the Branch Cisco IOS security technology offers businesses the necessary tools to help avert a credit card data breach by applying security throughout the foundation of the network. Cisco IOS security is built into the router and switch infrastructure, providing unprecedented value to branch offices, where resources may be limited. Table 1 describes in detail how Cisco IOS security helps to meet PCI requirements. Table 1. How Cisco IOS Security Maps to PCI DSS Requirements PCI Requirement Install and maintain a firewall configuration to protect data. Do not use vendor-supplied defaults for system passwords and other security parameters. Cisco Technology Cisco IOS Firewall Cisco IOS Software 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 6

PCI Requirement Protect stored cardholder data. Encrypt transmission of cardholder data and sensitive information across public networks. Use and regularly update antivirus software. Develop and maintain secure systems and applications. Restrict access to data by business need. Assign a unique ID to each person with computer access. Restrict physical access to cardholder data. Track and monitor all access to network resources and cardholder data. Regularly test security systems and processes. Maintain a policy that addresses information security for employees and contractors. Cisco Technology Cisco VPN Advanced Integration Module (AIM) for Cisco Integrated Services Routers (ISRs) Cisco Product Security Incident Response Team (PSIRT) site tracks and publishes information about any relevant exposures and vulnerabilities in Cisco ISRs AAA with Cisco Secure Access Control Server (ACS) Cisco Secure ACS Cisco IOS Software and Cisco NetFlow Cisco IOS Intrusion Prevention System (IPS), IPS AIM With integrated firewall, VPN, and intrusion prevention and detection (IPS/IDS) capabilities, Cisco ISRs can securely scale to meet a business s PCI compliance requirements. The ISR s primary function is segmentation of PCI scope and then enforcement of that new scope boundary, and has five primary functions in relation to PCI. As a router, directing traffic between networks to segment a network into subnetworks and isolate sensitive information from non-sensitive information, thereby reducing the overall scope of the cardholder data environment. As a router with access control lists (ACLs), restricting traffic between the cardholder data environment and other areas of the network. As a stateful firewall, restricting traffic between the cardholder data environment and other areas of the network. As an intrusion prevention system, inspecting all traffic going to and from the cardholder data environment. As a VPN system, encrypting all traffic going to and from the store across open and public networks. Cisco IOS Zone-Based Policy Firewall The Cisco IOS Zone-Based Policy Firewall feature runs on Cisco ISRs, securing Internet connectivity and protecting mission-critical resources behind the router. This feature uses security zones to segment the network and protect cardholder data; zones are based on strict user or group policies that provide: Granular stateful inspection that tightly controls network service access and enforcement between and outside security zones. Classification of users, devices, or protocols into groups and then applying those groups to ACLs to create access control policies for those groups. VRF-aware firewall functions that provide virtual firewalls for isolated route space and overlapping addresses. IT administrators can create a set of fixed policies for the network and make sure that all devices and applications in a security zone adhere to PCI DSS rules (Figure 1). 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 6

Figure 1. Cisco IOS Zone-Based Policy Firewall Security Zones Cisco IOS Zone-Based Policy Firewall also performs stateful inspection, provides alerts, and monitors events using syslog. Cisco IOS Zone-Based Policy Firewall further enforces protocol conformance by inspecting and discarding protocols such as HTTP, Simple Mail Transfer Protocol (SMTP), peer-to-peer protocols, Session Initiation Protocol (SIP), and Skinny Client Control Protocol (SCCP), eliminating unwanted traffic and conserving bandwidth. It can automatically take the necessary steps to mitigate malicious activity coming from unauthorized access from inside or outside the network. Cisco IOS IPS Cisco IOS IPS is an inline, deep-packet-inspection-based solution that satisfies PCI DSS requirements through the deployment of endpoint security technologies and controls. This enables Cisco IOS Software to effectively analyze network traffic for malicious code and mitigate attacks. Using Cisco IOS IPS with Cisco IOS Firewall can provide an integrated solution that optimizes management and administration efficiencies. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, it is also critical to distribute a network-level defense to stop malicious traffic close to its entry point at branch or telecommuter offices. Cisco IOS IPS: Works with Cisco IOS Firewall, control-plane policing, and other Cisco IOS security features to protect the router and networks behind the router. Provides networkwide, distributed protection from numerous attacks, worms, and viruses that exploit vulnerabilities in operating systems and applications. Eliminates the need for a standalone IPS device in branch and telecommuter offices and in small and medium-sized business networks. 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 6

Figure 2. Segmented Store Topology Cisco IOS VPN According to PCI, public WAN link connections are considered untrusted public networks. A VPN is required to securely tunnel traffic between the store and the enterprise network. A Cisco ISR can be used to encrypt the transmission of cardholder data across open, public networks such as 3G/4G/Wi-Fi, and satellite technologies using SSL and IPSec technologies. The following example describes equipment located at the store and the data center headend router. Figure 3 shows a simplified Cisco IOS VPN topology. Figure 3. Cisco VPN Topology Cisco IOS VPN technology connects the stores to the data center over the Internet, using a secure, encrypted tunnel to secure sensitive information. Cisco VPN technologies that can protect the data in transit and provide a secure access to the stores' networks include EasyVPN and Dynamic Multipoint VPN (DMVPN). 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 6

Cisco Security Manager Cisco Security Manager is a powerful yet easy-to-use solution for configuring firewall, VPN, and IPS policies on Cisco security appliances, firewalls, routers, and switch modules. Cisco Security Manager helps enable enterprises to manage and scale security operations efficiently and accurately. Its end-to-end tools provide consistent policy enforcement, quick troubleshooting of security events, and summarized reports from across the security deployment. Cisco Security Manager supports integrated provisioning of firewall, IPS, and VPN (most site-to-site, remote access, and SSL) services across Cisco IOS Software-based routers such as Cisco Integrated Services Routers and Aggregation Services Routers. Cisco Secure Access Control Server A centralized user database (Active Directory) and Cisco Secure Access Control Server (ACS) TACACS services can be used to restrict access to cardholder data and assign a unique ID to each person with computer access. Individual user IDs are assigned, and roles are defined and based on group membership. Cisco routers are configured to use an AAA model for user-based access. Users can be assigned to groups and, based on privilege levels, have access to only the information they require for their job function. By default, no users are allowed access unless specifically configured and assigned appropriate passwords. Staying Compliant Cisco IOS security technologies help: Separate, divide, and isolate network traffic. The firewall is the center point inside the network and is critical for PCI compliance. A common firewall policy such as Cisco IOS Zone-Based Policy Firewall examines the source and destination zones from the ingress and egress interfaces. It is not necessary that all traffic flowing to or from an interface be inspected. Individual flows in a zone pair can be designated to be inspected using policy maps that may be applied across the zone pair. The policy map will contain class maps that specify the individual flows. Demonstrate compliance in the event of an attack or audit. An audit can be stressful for any IT administrator, and can be even more so when there is a possible security breach at the time of the audit. Cisco can provide tools that map to PCI requirements and that demonstrate and validate compliance. Combining best practices and extensive networking technology expertise, Cisco has developed a set of architectures in a lab environment with PCI requirements in mind. If properly deployed and maintained, these architectures can help achieve PCI compliance. Performance where it counts. Cisco integrated services routers are designed for fast, scalable delivery of business-critical applications. Cisco IOS Firewall provides protection and performance that is suited for small to medium-sized branch office deployments, particularly in commercial environments. This integrated solution is ideal for organizations seeking a cost-effective PCI compliance solution. 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 6

Conclusion Any organization that accepts, processes, or stores credit card information must comply with PCI standards. Cisco IOS security technologies can help ensure compliance: Cisco IOS Zone-Based Policy Firewall can define network security zones, prevent action on cardholder data being leaked outside of security zones, and apply policies to inspect and mitigate malware threats and unauthorized data access and transfers. Cisco IOS IPS effectively analyzes network traffic for malicious code and mitigates attacks. Cisco VPN encrypts sensitive cardholder data across the WAN. For More Information For more information about how Cisco can help you meet your PCI compliance needs, visit the following resources: http://www.cisco.com/go/routersecurity http://www.cisco.com/go/iosfw http://www.cisco.com/go/iosips http://www.cisco.com/go/csmanager http://www.cisco.com/go/pci http://www.cisco.com/go/pci2 For more information about the PCI Security Standards Council, visit https://www.pcisecuritystandards.org. Printed in USA C11-682532-00 08/11 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information