PCI Security Best Practices

PCI Industry Updates
- Level 1 merchants: deadline is Sept 30, 2007 (global)
- Level 2 merchants: deadline is Dec 30, 2007 (US)
- Impact of non-compliance: a $25,000 - $100,000 per month fine, and the merchant is dropped one level in tier of service, which means increased clearinghouse fees
- Merchants that achieve PCI compliance by Sept 30, 2008 AND showed committed progress by Sept 30, 2007 will be eligible for repayment of three months of fines and service increases
- Acquiring banks will be fined $25k for EVERY PCI non-compliant client
- Universities are publicized for security breach incidents, including stolen credit card information (http://www.attrition.org/dataloss)
- US states are now passing or proposing credit card security laws: Minnesota, California, Connecticut, Illinois

PCI Compliance Validation

Level  Population  PCI DSS Compliance Validated  Initial Validation Submitted / Remediating  Initial Validation Pending  Commitment in Progress
1      327         44%                           54%                                         2%                          0%
2      729         38%                           44%                                         18%                         0%
3      2494        54%                           20%                                         24%                         2%

- Level 1 merchants required to validate by 9/30/07
- Level 2 merchants required to validate by 12/30/07
- 98% of Level 1 and 2 merchants confirm they do not store prohibited data
Source: Visa website, http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf?it=c|/merchants/risk_management/cisp_merchants.html|Merchant%20PCI%20DSS%20Compliance%20Update

How To Apply Security Best Practices to PCI

PCI Scope May Include More Network Areas Than You Think
[Diagram: reference network with zones REMOTE LOCATION, INTERNET EDGE, MAIN OFFICE and NETWORK MGMT CENTER. Devices shown: Mobile POS, POS cash register, POS server, ACS, CSM, NAC, NCM/CAS, ASA, 7200/7300, WAPs, Catalyst switch, CS-MARS, 6500 switch, ISR, store worker PC, wireless device, 6500/7600 FWSM, credit card storage, e-commerce server, with CSA on hosts.]
Callouts:
- Remote location: any remote site that takes credit cards on your network (book stores, box office, satellite campus)
- Internet edge / e-commerce: on-line payments of any kind that go across your network (classes, tickets, etc)
- Main office: who has access to cardholder information on the LAN?
- Data center: do you store cardholder data in your data center(s)? This is part of PCI.

Three Architecture Footprints: Small, Medium, Large

The PCI Data Security Standard

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Requirement 1: Install and maintain a firewall configuration to protect data
[Diagram: the reference network (REMOTE LOCATION, INTERNET EDGE, MAIN OFFICE, NETWORK MGMT CENTER, DATA CENTER) segmented into a POS VLAN, a Card VLAN and a Data VLAN, with ASA firewalls and the 6500/7600 FWSM at the zone boundaries. Each of the following requirement slides repeats this reference diagram; only the differences are noted.]

Requirement 2: Do not use vendor-supplied defaults for system settings

Requirement 3: Protect stored data
[Diagram: Cisco Security Agent (CSA) on the POS server, e-commerce and credit card storage hosts; disk encryption on the credit card storage in the data center.]

Requirement 4: Encrypt transmission of cardholder data across public networks

Requirement 5: Use and regularly update anti-virus software
[Diagram: CSA shown on the POS cash register, POS server, store worker PC, e-commerce and credit card storage hosts.]

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access

Requirement 10: Track and monitor all access to network and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security

Cisco Security Best Practices for PCI
[Diagram: summary of the reference network, zones REMOTE LOCATION, INTERNET EDGE, MAIN OFFICE, NETWORK MGMT CENTER and DATA CENTER, with Cisco products: Cisco Security Agent (CSA) on the POS terminal, POS server, store worker PC, e-commerce and credit card storage hosts; NAC; 7300 router; WAP 1200; switch; wireless device; Cisco Security Management (CSM); CS-MARS; ASA 5500; ACS; ASA and Integrated Services Router (ISR) at the Internet edge; 6500 switch; 6500/7600 FWSM. Requirements 1 through 12 are mapped onto the zones.]

PCI -> HIPAA with the same Security Best Practices
[Diagram: the same architecture applied to HIPAA, labelled Category 1 through Category 8. Zones and devices: Data Center (ePHI storage server, CSA, 6500), Clinic (CSA, 7300, 3750, WAN, ISR), Network Management Center (CS-MARS, CSM, ASA, ACS, CSD, NCM/CAS, NAC), Campus (CSA), Internet Edge/DMZ (ISR), Remote Clinician (CSA).]
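The scoping question on the "PCI Scope" slide (do you store cardholder data in your data center?), the "98% confirm they do not store prohibited data" statistic, and requirement 3 (protect stored data) all hinge on actually knowing where account numbers and track data live. The scanner below is an added example, not code from the original deck or from Cisco: it finds Luhn-valid 13 to 19 digit primary account numbers (PANs) and ISO 7813 Track 2 records in text and reports them masked to the first six and last four digits, the most PCI DSS permits to display. The sample log lines are constructed for this example, and the account numbers in them are the card brands' public test numbers.

```python
"""Discover unprotected PANs and full Track 2 data in text (added example, not from the original deck)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")
# ISO 7813 Track 2 layout: start sentinel ';', PAN, separator '=', YYMM expiry,
# service code / discretionary data, end sentinel '?'. Storing this after authorization is prohibited.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\?")

# Constructed sample input; the PANs are the brands' public test numbers, not real cards.
SAMPLE_LOG = (
    "2007-09-30 10:12:01 order=9912 card=4111 1111 1111 1111 amount=42.00\n"
    "2007-09-30 10:12:05 phone=+1 415 555 0100 ref=1234567890123456\n"
    "2007-09-30 10:13:17 swipe=;5555555555554444=25121011234567890?\n"
    "2007-09-30 10:14:00 masked=378282XXXXX0005 amex=378282246310005\n"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # "pan" or "track2"
    masked: str    # first six and last four digits kept, the rest replaced with 'X'
    offset: int    # character offset of the match in the scanned text


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return Luhn-valid PANs and Track 2 records found in text, in order of appearance."""
    findings: list[Finding] = []
    claimed: list[tuple[int, int]] = []  # spans already reported as track data
    for m in TRACK2.finditer(text):
        pan = m.group(1)
        if luhn_valid(pan):
            findings.append(Finding("track2", mask_pan(pan), m.start()))
            claimed.append((m.start(), m.end()))
    for m in PAN_CANDIDATE.finditer(text):
        if any(s <= m.start() < e for s, e in claimed):
            continue  # the PAN inside a track record is reported once, as track data
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # drops phone numbers, order ids and other digit runs
            findings.append(Finding("pan", mask_pan(digits), m.start()))
    findings.sort(key=lambda f: f.offset)
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"{f.kind:7} at offset {f.offset:4}: {f.masked}")
```

Run `scan_text()` over exported log files, database dumps and POS server directories; a "track2" finding is a violation by itself, since full track data may never be stored after authorization, while a "pan" finding means the store must be encrypted, truncated or removed to satisfy requirement 3. Already-masked values (such as 378282XXXXX0005) are ignored, and the Luhn check rejects the 16-digit order reference so it does not inflate the count.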