
Pocket E-Guide

Keeping Up with PCI: Implementing Network Segmentation and Monitoring Security Controls

Payment Card Industry Data Security Standard (PCI DSS) requirements specify that the security controls you implement must be monitored and tested. This includes specifications for logging, monitoring and penetration testing. In this expert e-guide, get tips on establishing a process for logging activity and tying records to users, and on the three main requirements for testing security controls. Also, find out how to implement PCI network segmentation and how it may ease PCI compliance for your organization.

Sponsored by: SonicWALL

Table of Contents

PCI DSS requirement: Monitoring and testing security
How to implement PCI network segmentation
Resources from SonicWALL

PCI DSS requirement: Monitoring and testing security
Mike Chapple

In addition to requirements specifying the security controls you apply to the systems and networks handling credit card transactions, the Payment Card Industry Data Security Standard (PCI DSS) also requires that you regularly monitor and test those controls. This includes specifications for logging, monitoring and penetration testing.

ACTIVITY LOGGING

One of the most burdensome requirements of PCI DSS is the requirement that you establish a process for logging a great deal of activity, tying activity records to individual users and storing those logs for future reference. Organizations approaching PCI DSS for the first time typically find large gaps between their current practices in this area and the PCI DSS requirements. For example, the standard requires that you log:

- All individual access to cardholder data
- All actions taken by anyone with root or administrative privileges
- All access to audit logs
- All invalid logical access (login) attempts
- All use of identification and authentication mechanisms
- Initialization of the audit logs
- All creation and deletion of system-level objects

That's a lot of activity. For each of those events, you need to record:

- User identification
- Type of event
- Date and time
- Success or failure indication
- Origination of the event
- Identity or name of the affected data, system component or resource

And, to top it all off, you need to retain this audit history for at least a year, with a minimum of three months immediately available for analysis (online, archived or restorable from backup). You'll also need to take steps to limit log access to those with a job-related need, protect the log files from unauthorized modification, promptly back up log entries to a centralized log server or to media that is difficult to alter, and synchronize your system clocks so that timestamps from different systems can be correlated.
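The record layout and the review that the e-guide asks for, as an added example (not code from the e-guide or from any logging product): each constructed record carries the six details PCI DSS requires per event, and the review routine flags a burst of invalid login attempts followed by a success from the same origin, and lists every administrator action and every access to the audit logs for the reviewer. The pipe-delimited format, the host names and addresses, and the five-failures-in-five-minutes threshold are assumptions made for this illustration, not PCI DSS text. The same routine is what the daily review in the MONITORING SECURITY section below would run, in automated form.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not a real product's format): one event per
# line, pipe-delimited, carrying the six details PCI DSS requires per event:
# timestamp | user | event type | outcome | origin | affected resource.
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2009-06-01T02:14:07Z|alice|login|success|10.10.1.5|pos-db-01
2009-06-01T02:15:11Z|bob|login|failure|203.0.113.9|pos-db-01
2009-06-01T02:15:13Z|bob|login|failure|203.0.113.9|pos-db-01
2009-06-01T02:15:16Z|bob|login|failure|203.0.113.9|pos-db-01
2009-06-01T02:15:19Z|bob|login|failure|203.0.113.9|pos-db-01
2009-06-01T02:15:22Z|bob|login|failure|203.0.113.9|pos-db-01
2009-06-01T02:15:40Z|bob|login|success|203.0.113.9|pos-db-01
2009-06-01T03:00:00Z|root|admin_action|success|10.10.1.7|pos-db-01:/etc/shadow
2009-06-01T03:05:00Z|carol|card_data_access|success|10.10.1.5|pos-db-01:cardholder_tbl
2009-06-01T03:06:00Z|dave|audit_log_access|success|10.10.1.8|pos-db-01:/var/log/audit
this line is truncated and must be skipped rather than abort the review
"""

FIELDS = ("timestamp", "user", "event", "outcome", "origin", "resource")

def parse_records(text):
    """Split the pipe-delimited lines into dicts keyed by the six PCI field names."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it, the daily review must still complete
        rec = dict(zip(FIELDS, parts))
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def review(records, max_failures=5, window=timedelta(minutes=5)):
    """Return (severity, message) findings for a daily log review.

    Rules (assumptions about what is worth a reviewer's attention, not PCI text):
      * max_failures or more failed logins from one origin within `window`,
        followed by a success from that origin, is a probable brute force;
      * every admin action and every access to the audit logs is listed,
        because PCI requires those events to be logged and reviewed.
    """
    findings = []
    failures = defaultdict(list)  # origin -> timestamps of recent failed logins
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if rec["event"] == "login":
            if rec["outcome"] == "failure":
                failures[rec["origin"]].append(rec["timestamp"])
            else:
                recent = [t for t in failures[rec["origin"]] if rec["timestamp"] - t <= window]
                if len(recent) >= max_failures:
                    findings.append(("high", f"{len(recent)} failed logins then success "
                                             f"from {rec['origin']} as {rec['user']}"))
                failures[rec["origin"]].clear()
        elif rec["event"] == "admin_action":
            findings.append(("review", f"admin action by {rec['user']} on {rec['resource']} "
                                       f"from {rec['origin']}"))
        elif rec["event"] == "audit_log_access":
            findings.append(("review", f"audit log access by {rec['user']} on {rec['resource']}"))
    return findings

if __name__ == "__main__":
    for severity, message in review(parse_records(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run against the sample, the script reports bob's five failures and subsequent success from 203.0.113.9 as high, and lists root's change to /etc/shadow and dave's read of the audit log for review; carol's access to cardholder data is logged (as required) but not flagged, because a legitimate user reading card data is exactly what the log exists to account for.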

MONITORING SECURITY

It's not sufficient to simply store voluminous log records: you also must review those logs on at least a daily basis to identify any suspicious activity. PCI DSS requires daily review of the logs from all in-scope system components, and those reviews must include the servers that perform security functions, such as intrusion detection systems and authentication, authorization and accounting (AAA) servers. This is where automation is your friend. It's virtually impossible to perform these reviews without the assistance of log monitoring tools (at the very least) or a security information and event management (SIEM) system at best.

In addition to monitoring your logs, PCI DSS requires that you place intrusion detection and/or prevention systems on your network in position(s) where they can monitor all traffic within your cardholder data environment. The IDS/IPS must be configured to alert security personnel to any suspicious traffic and must receive regular signature updates. It's a good idea to configure these systems to alert whenever they detect cleartext credit card numbers on the network. You can do this with regular expressions that match card number formats; pairing the match with a Luhn check-digit test cuts down on false positives from order numbers, timestamps and other long digit strings.

Finally, you must deploy file integrity monitoring software on your systems to identify any unauthorized modification of critical system, configuration and content files, with comparisons performed at least weekly. The most well-known solution in this space is the Tripwire file integrity monitoring software, but you also may wish to investigate alternatives, such as Solidcore.

TESTING SECURITY CONTROLS

PCI DSS requires that you conduct regular testing of your security controls as well. There are three main requirements in this area:

- You must scan your airspace for rogue wireless access points using a wireless analyzer at least quarterly. Alternatively, you may deploy a wireless IDS/IPS that is capable of detecting unauthorized wireless devices and alerting security personnel to their presence.
- You must conduct both internal and external vulnerability scans at least quarterly and after any significant change to the network. The quarterly external scans must be performed by an Approved Scanning Vendor (ASV), while the internal scans and post-change rescans may be performed by your own staff.
- You must perform both internal and external penetration testing at least annually and after any significant change to infrastructure or applications. It's usually a good idea (although not a requirement) to use an external vendor for these tests, to ensure impartiality and to get a fresh set of eyes on your security controls.

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."
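The cleartext card-number detection suggested under MONITORING SECURITY, as an added example (not code from the e-guide or from any IDS product): a regular expression picks out candidate 13 to 19 digit runs, with or without the spaces and dashes people type, and a Luhn check discards the candidates that cannot be card numbers. The HTTP payload is constructed for this illustration and uses the published Visa and American Express test numbers; a real deployment would carry the same logic as an IDS content rule or a DLP policy, and would of course see nothing inside TLS, which is the point of requiring encryption in the first place.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop a match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits):
    """Luhn mod-10 check: every real PAN passes, about nine in ten random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the distinct cleartext PANs in `text` (digits only, in order found)."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found

def mask(pan):
    """First six and last four digits only, the most PCI permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed payload (not a real capture): what an IDS sees in an unencrypted POST.
SAMPLE_PAYLOAD = (
    "POST /checkout HTTP/1.1\r\n\r\n"
    "card=4111 1111 1111 1111&exp=0912&cvv=123\r\n"   # Visa test number, spaced
    "order_id=12345678901234567890\r\n"              # 20 digits: too long, ignored
    "ref=4111111111111112\r\n"                       # fails Luhn: not a PAN
    "amex=3714-496353-98431\r\n"                     # Amex test number, dashed
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_PAYLOAD):
        print("ALERT cleartext PAN on the wire:", mask(pan))
```

The alert prints the masked form only, so the monitoring console itself does not become another place full PANs are stored. Two residual gaps to keep in mind: the Luhn test still passes one random digit string in ten, so an alert on a single match in a database export is weak evidence on its own, and card numbers that are Base64- or URL-encoded in transit will not match without decoding first.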
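The file integrity monitoring described under MONITORING SECURITY, as an added example (not code from the e-guide, and not how Tripwire or Solidcore implement it): a baseline of SHA-256 hashes, permission bits and sizes for every regular file under a directory, and a comparison that reports files added, removed or modified since the baseline. The directory tree, file names and tampering in `demo()` are constructed for this illustration.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (path relative to root) to its hash, mode and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets and devices
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": oct(st.st_mode & 0o7777),   # a chmod to 0666 is a change too
                "size": st.st_size,
            }
    return baseline

def compare(baseline, current):
    """Report files added, removed, or changed (content or permissions) since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }

def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def demo():
    """Self-contained run on a constructed temp tree: baseline, tamper, compare."""
    root = tempfile.mkdtemp(prefix="fim-demo-")

    def write(rel, data):
        with open(os.path.join(root, rel), "w") as f:
            f.write(data)

    write("httpd.conf", "Listen 443\n")
    write("pos.ini", "gateway=payments.example\n")
    # Keep the baseline outside the monitored tree; in production keep it off-host
    # or signed, since anyone who can alter the files can alter a local baseline.
    store = os.path.join(tempfile.mkdtemp(prefix="fim-store-"), "baseline.json")
    save_baseline(build_baseline(root), store)
    write("httpd.conf", "Listen 443\nLoadModule evil_module modules/evil.so\n")  # tampered
    write("dropper.sh", "#!/bin/sh\n")                                            # new file
    os.remove(os.path.join(root, "pos.ini"))                                      # deleted
    return compare(load_baseline(store), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Scheduling this from cron at least weekly against the directories that hold system binaries, web content and payment application configuration satisfies the comparison interval the requirement names; the part that needs engineering judgement is the baseline itself, which must be regenerated, deliberately, after every authorized change and never by the same automation that an intruder could trigger.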

SonicWALL vs. spiraling TCO: no contest

Tired of wasting IT budget deploying and managing so-called best-of-breed network security and data protection solutions? If three-fourths of your budget is going toward the maintenance of these solutions, then your total cost of ownership (TCO) is spiraling out of control. But there's a smarter alternative: SonicWALL's high-performance network security, email security, and data protection solutions. SonicWALL is committed to improving performance and productivity by engineering the cost out of building and running secure networks. SonicWALL solutions strategically reduce the cost of acquisition, deployment, and management, providing you higher-performance protection at a lower TCO. See how at www.sonicwall.com/lowtco

Network security | Secure remote access | Web and e-mail security | Backup and recovery | Policy and management

2009 SonicWALL, Inc. SonicWALL and the SonicWALL logo are registered trademarks of SonicWALL, Inc.

How to implement PCI network segmentation

EXPERT RESPONSE FROM: Mike Chapple, featured expert

I'm writing a standard for my company that addresses network segmentation and qualifies as PCI DSS compliant. I need qualified resources that reference this topic; there are plenty of comments and talk on this subject but not much documented practice. Can you point me in the right direction for solid guidance on enterprise network segmentation?

PCI network segmentation is a common approach to reducing the scope (and therefore the complexity) of card-processing networks. It follows the commonly used strategy of minimization: store as little sensitive data in as few locations as possible, and allow access only to those who absolutely need it. When it comes to PCI DSS compliance, organizations commonly use network segmentation to wall off payment systems' credit card processing from the rest of their network, thereby placing the rest of that network outside the scope of the assessment.

For example, consider a retail store that has a point-of-sale (PoS) network that handles credit card systems, as well as a back-office network consisting of 20 productivity workstations. The store can limit the scope of a PCI assessment by using a firewall to place the card-processing systems on a network that is completely isolated from the productivity workstations. In this case, where a firewall separates two networks with different switch fabrics, you've clearly achieved isolation.

Other situations are a little more gray. For example, some assessors may consider the use of VLAN separation adequate for PCI DSS segmentation, but many (myself included) do not consider this adequate, because a single switch port misconfiguration could defeat the segmentation.

As far as documentation, page 5 of the PCI DSS Requirements and Security Assessment Procedures is the authoritative reference on the topic.
Like most standards, it provides a high-level goal while still offering flexibility in implementation. The relevant section reads: "At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented."
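Whichever design is chosen, the claim that the back-office segment is isolated is one an assessor will want demonstrated rather than asserted, and the check is simple: from a host on the supposedly out-of-scope segment, every service in the cardholder data environment must be unreachable. The following is an added example (not code from the e-guide, and not a substitute for the full port-scan a tester would run with a tool such as nmap): a TCP connect probe over a list of CDE services, run in parallel, that exits non-zero if anything answers. The addresses and ports in CDE_TARGETS are assumed for this illustration; `self_test()` exercises the probe against loopback ports so the logic can be checked offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

def port_open(host, port, timeout=1.0):
    """TCP connect probe: True if the handshake completes, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def segmentation_check(targets, timeout=1.0, workers=32):
    """Probe every (host, port) in `targets` from the machine this runs on.

    Run it from a host on the segment that is supposed to be out of scope (a
    back-office workstation in the retail example). Every reachable CDE service
    is a segmentation failure: that workstation's network is then in scope.
    Returns (reachable, unreachable), each in the order the targets were given.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: port_open(t[0], t[1], timeout), targets))
    reachable = [t for t, ok in zip(targets, results) if ok]
    unreachable = [t for t, ok in zip(targets, results) if not ok]
    return reachable, unreachable

# Constructed target list (assumed addresses, not from the e-guide): the CDE
# services that must be unreachable from the back-office segment.
CDE_TARGETS = [
    ("10.20.0.10", 1433),   # PoS database
    ("10.20.0.11", 443),    # payment application
    ("10.20.0.11", 22),     # payment application, SSH
    ("10.20.0.12", 8080),   # card terminal controller
]

def self_test():
    """Offline check of the probe: one listening and one closed loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                       # nothing listens here now, so connect is refused
    try:
        reachable, unreachable = segmentation_check(
            [("127.0.0.1", open_port), ("127.0.0.1", closed_port)])
    finally:
        listener.close()
    return (reachable == [("127.0.0.1", open_port)]
            and unreachable == [("127.0.0.1", closed_port)])

if __name__ == "__main__":
    reachable, unreachable = segmentation_check(CDE_TARGETS)
    for host, port in reachable:
        print(f"FAIL {host}:{port} is reachable from this segment")
    for host, port in unreachable:
        print(f"ok   {host}:{port} blocked")
    raise SystemExit(1 if reachable else 0)
```

A connect probe only covers TCP; UDP services, ICMP, and shared infrastructure such as DNS, directory or management networks that both segments use need their own checks, and a VLAN-only design should be tested again after any switch change, since that is precisely the failure mode the answer above warns about.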

Resources from SonicWALL

- Achieving PCI DSS Compliance Through Security, Reliability and Consistent Policy Control
- How to Accelerate PCI Compliance
- PCI DSS Ambiguities and How to Overcome Them

About SonicWALL: SonicWALL is committed to improving the performance and productivity of businesses of all sizes by engineering the cost and complexity out of running a secure network. Over one million SonicWALL appliances keep tens of millions of worldwide business computer users safe and in control of their data. SonicWALL's award-winning solutions include network security, secure remote access, content security, backup and recovery, and policy and management technology. For more information, visit the company web site at http://www.sonicwall.com.