
PCI Security Best Practices


Presentation Transcript


  1. PCI Security Best Practices

  2. PCI Industry Updates
     • Level 1 Merchants Deadline is Sept 30, 2007 (GLOBAL)
     • Level 2 Merchants Deadline is Dec 30, 2007 (US)
     • Impact of non-compliance = $25,000 - $100,000 per month fine and reduced 1 level in Tier service => increased clearinghouse fees
     • Merchants achieving PCI compliance by Sept 30, 2008 AND showing committed progress by Sept 30, 2007 will be eligible for 3 months repayment of fines and service increases
     • Acquiring Banks will be fined $25k for EVERY PCI non-compliant client
     • Universities are publicized for security breach incidents – including stolen credit card information (http://www.attrition.org/dataloss)
     • US States are now passing/proposing credit card security laws – Minnesota, California, Connecticut, Illinois

  3. PCI Compliance Validation
     • Level 1 merchants required to validate by 9/30/07
     • Level 2 merchants required to validate by 12/30/07
     • 98% of Level 1 and 2 merchants confirm they do not store prohibited data.
     Source: Visa website http://usa.visa.com/download/merchants/cisp_pcidss_compliancestats.pdf?it=c|/merchants/risk_management/cisp_merchants.html|Merchant%20PCI%20DSS%20Compliance%20Update

  4. How To Apply Security Best Practices to PCI

  5. PCI Scope May Include More Network Areas Than You Think
     [Diagram: campus network divided into Remote Location, Network Management Center, Internet Edge, Main Office and Data Center, containing POS terminals, a POS server, credit card storage, e-commerce servers, store worker PCs and wireless devices, with Cisco components (ASA, FWSM, CSA, CSM, CS-MARS, NAC, NCM/CAS, ACS, ISR, WAP, Catalyst 6500/7600 switches, 7200/7300 routers) placed across the zones. Example remote sites: Book Stores, Box Office, Satellite campus.]
     • Any remote site that takes credit cards on your network
     • On-line payments of any kind that go across your network (classes, tickets, etc)
     • Who has access to cardholder information on the LAN? This is part of PCI
     • Do you store card holder data in your data center(s)?

  6. Three Architecture Footprints: Small, Medium, Large

  7. The PCI Data Security Standard

  8. Requirement 1: Install and maintain a firewall configuration to protect data
     [Diagram: the same network as slide 5, with the main office segmented into a POS VLAN, a Card VLAN and a Data VLAN behind the ASA.]

  9. Requirement 2: Do not use vendor-supplied defaults for system settings
     [Diagram: the same network as slide 5.]

  10. Requirement 3: Protect Stored Data
     [Diagram: the same network as slide 5, with Cisco Security Agent on the POS server and Disk Encryption on the credit card storage.]

  11. Requirement 4: Encrypt transmission of cardholder data across public networks
     [Diagram: the same network as slide 5.]

  12. Requirement 5: Use and regularly update anti-virus software
     [Diagram: the same network as slide 5, with additional Cisco Security Agent (CSA) placements on the POS and NAC hosts.]

  13. Requirement 6: Develop and maintain secure systems and applications
     [Diagram: the same network as slide 5.]

  14. Requirement 7: Restrict access to data by business need-to-know
     [Diagram: the same network as slide 5.]

  15. Requirement 8: Assign a unique ID to each person with computer access
     [Diagram: the same network as slide 5.]

  16. Requirement 9: Restrict Physical Access
     [Diagram: the same network as slide 5.]

  17. Requirement 10: Track and monitor all access to network and cardholder data
     [Diagram: the same network as slide 5.]

  18. Requirement 11: Regularly test security systems and processes
     [Diagram: the same network as slide 5.]

  19. Requirement 12: Maintain a policy that addresses information security
     [Diagram: the same network as slide 5.]

  20. Cisco Security Best Practices for PCI
     [Diagram: the same network as slide 5 with the Cisco components named in full: Cisco Security Agent (CSA), ACS, Cisco Security Management, NAC, CS-MARS, ASA 5500, WAP 1200, 7300 router, Catalyst 6500 switch, 6500/7600 FWSM, Integrated Services Router (ISR); a legend lists Requirement 1 through Requirement 12.]

  21. PCI -> HIPAA with the same Security Best Practices...
     [Diagram: healthcare network (Clinic, Remote Clinician, Campus, WAN, Internet Edge/DMZ, Data Center with an ePHI Storage Server, Network Management Center) using the same Cisco components (ASA, CSA, CSD, CSM, CS-MARS, NCM/CAS, ACS, NAC, ISR, 6500, 7300, 3750); a legend lists Category 1 through Category 8.]
