Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and cost-effective business transactions. However, more than 100 million personally identifiable customer records have been breached in the United States over the past two years. Many of these instances involved credit card information.
As a result, today there is increased pressure to comply with industry mandates as well as state and federal regulations, created to enhance privacy, national security, and in many cases corporate accountability. Fines, penalties, and lawsuits are just some of what a company might undergo if a security breach occurs and the company is out of compliance. The long-term effect of noncompliance is damage to the company's brand, or reputation, which sometimes never recovers.
The PCI Security Standard
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed from an earlier regulatory program from Visa called the Cardholder Information Security Program (CISP). Started in June 2001, the program was designed to help ensure the security of cardholder data at the point of sale (POS) and wherever cardholder data resides. In 2004, these requirements became part of a larger industry effort by the major credit card companies to secure cardholder data, resulting in an industry standard known as PCI. Over the past few years, the process has been loosely governed, but as of September 2006, the PCI Security Standards Council owns, maintains, and distributes the PCI DSS. The council mandate requires that any company that processes, stores, or transmits credit card numbers must comply with the PCI DSS. Visa International, MasterCard Worldwide, Discover Financial Services, JCB, and American Express all require PCI compliance, and any company that fails to comply with the requirements risks stiff penalties.
PCI version 1.2 went into effect January 1, 2009. The Council anticipates that it will release technical updates to the standard once a year, depending on emerging threats and industry trends. Notwithstanding such updates, the basic requirements of the PCI guidelines have remained consistent.
Table 1. PCI DSS Requirements (each goal is followed by the requirements that support it)
Build and Maintain A Secure Network
• Install and maintain a firewall configuration to protect data.
• Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
• Protect stored cardholder data.
• Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
• Use and regularly update antivirus software.
• Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
• Restrict access to data by business "need to know."
• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.
Maintain an Information Security Policy
• Maintain a policy that addresses information security for employees and contractors.
PCI Compliance and Cisco IOS Security for the Branch
Many organizations think it is unlikely they will become victims of a security breach, but the possibility is real. Cisco IOS® Security features offer businesses the necessary tools to help avert a security breach by applying a defense-in-depth approach throughout the foundation of the network. Cisco IOS Security technologies are built into the router and switch infrastructure, providing value to small business and branch offices, where resources may be limited. Table 2 describes how Cisco IOS Security helps to meet each PCI requirement.
Table 2. How Cisco IOS Security Helps Meet PCI DSS Requirements (each requirement is followed by the Cisco IOS Security technology that addresses it)
• Install and maintain a firewall configuration to protect data: Cisco IOS Firewall
• Do not use vendor-supplied defaults for system passwords and other security parameters: Cisco IOS Software
• Protect stored cardholder data: none listed
• Encrypt transmission of cardholder data and sensitive information across public networks: Cisco VPN Advanced Integration Module (AIM) for Integrated Services Routers
• Use and regularly update antivirus software: Cisco Network Admission Control (NAC) Network Module (NM) for Integrated Services Routers
• Develop and maintain secure systems and applications: Cisco NAC NM for Integrated Services Routers
• Restrict access to data by business need to know: Cisco IOS Software identity-based firewall
• Assign a unique ID to each person with computer access: Cisco IOS Software certificate authority, 802.1X
• Restrict physical access to cardholder data: none listed
• Track and monitor all access to network resources and cardholder data: Cisco IOS Software and NetFlow
• Regularly test security systems and processes: Cisco IOS Intrusion Prevention System (IPS), IPS AIM module
• Maintain a policy that addresses information security for employees and contractors: Cisco Configuration Professional (CP); Cisco Security Manager; Cisco Security Monitoring, Analysis, and Response System (MARS)
Cisco IOS Zone-Based Policy Firewall
Zone-based policy firewall runs on Cisco integrated services routers, securing Internet connectivity and protecting mission-critical resources behind the router. It offers network segmentation through security zones to protect cardholder data. These security zones are based on strict user or group policies that provide:
• Granular stateful inspection that improves security by tightly controlling access to network services, and enforcement of that control, between security zones.
• Classification of users, devices, or protocols into groups, and application of those groups to access control lists (ACLs) to create access control policies for each group.
• VRF-aware firewall functions that offer virtual firewalls for isolated route spaces and overlapping addresses.
IT administrators are able to create a set of fixed policies for the network and make sure that all devices and applications in a security zone adhere to the rules of the PCI DSS (Figure 1).
Figure 1. Cisco IOS Zone-Based Policy Firewall Security Zones
In addition to segmenting cardholder traffic, zone-based policy firewall performs stateful inspection, raises alerts, and records events using syslog. It can also enforce protocol conformance by inspecting protocols such as HTTP, Simple Mail Transfer Protocol (SMTP), peer-to-peer protocols, Session Initiation Protocol (SIP), and Skinny Client Control Protocol (SCCP) and discarding traffic that does not conform. This eliminates unwanted traffic and conserves bandwidth. Cisco IOS zone-based policy firewall can automatically take the necessary steps to mitigate malicious activity resulting from unauthorized access, whether it originates inside or outside the network.
Cisco IOS Intrusion Prevention System (IPS)
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that satisfies PCI DSS requirements through deployment of endpoint security technologies and controls. This enables Cisco IOS Software to effectively analyze network traffic for malicious code and mitigate attacks. Using Cisco IOS IPS together with Cisco IOS Firewall can provide the integrated solution that optimizes management and administration efficiencies. While it is common practice to defend against attacks by inspecting traffic at data centers and corporate headquarters, distributing the network-level defense to stop malicious traffic close to its entry point at branch or telecommuter offices is also critical. Cisco IOS IPS:
• Works with Cisco IOS Firewall, control-plane policing, and other Cisco IOS Security features to protect the router and networks behind the router
• Provides networkwide, distributed protection from many attacks, exploits, worms, and viruses that exploit vulnerabilities in operating systems and applications
• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as small and medium-sized business networks
Simplifying PCI Compliance with Autosecure
PCI compliance is not simple. However, the Cisco IOS Software Autosecure feature provides a simple noninvasive way to help any PCI deployment by enabling a one-command automated router lockdown feature. This feature eliminates the complexity of securing a router.
Autosecure provides the following to enhance network security and help ensure PCI compliance:
Disables Nonessential Services
• Eliminates denial-of-service (DoS) attacks based on fake requests
• Disables mechanisms that could be used to exploit security holes
• Disables unused services such as the TCP and User Datagram Protocol (UDP) small servers, to prevent attackers from using those services in DoS attacks
Enforces Secure Access
• Supports a required minimum password length, which can eliminate common passwords that are prevalent on most networks, such as "lab" and "Cisco"
• Supports syslog messages to log events that pertain directly to cardholders' data transactions to help prevent cardholders' information from leaking outside of a security zone
• Provides ability to configure the number of allowable unsuccessful login attempts (the threshold rate)
• Prevents attackers from knowing packets have been dropped
Secures Forwarding Plane
• Protects against SYN attacks
• Provides antispoofing protection
• Enforces stateful firewall configuration on external interfaces, where available
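To make the three groups of lockdown settings above concrete, the following is an added Cisco IOS configuration example (not from the paper) that writes out, as explicit commands, a representative subset of what the one-command AutoSecure lockdown applies; the exact command set AutoSecure generates varies by IOS release, and the interface name, syslog host, and login thresholds are assumptions.

```cisco
! Added example (assumed subset): 'auto secure no-interact' applies a lockdown
! similar to the explicit commands below. Shown here so each AutoSecure
! item can be read and verified individually.
!
! --- Disables nonessential services ---
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no service pad
no ip source-route
no cdp run
!
! --- Enforces secure access ---
service password-encryption
! Reject short passwords such as "lab" or "Cisco"
security passwords min-length 10
! Quiet period of 120 s after 3 failed logins within 60 s (assumed values)
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
logging buffered 64000
! Assumed syslog collector inside the secure zone
logging 10.10.1.5
!
! --- Secures the forwarding plane ---
ip cef
! Tear down half-open TCP sessions faster to blunt SYN floods
ip tcp synwait-time 10
interface GigabitEthernet0/0
 description Internet-facing interface (assumed)
 ! Unicast RPF: drop packets whose source is not reachable via this interface
 ip verify unicast source reachable-via rx
 ! Do not tell the sender that a packet was dropped
 no ip unreachables
 no ip redirects
 no ip proxy-arp
!
! --- Verification commands ---
! show auto secure config
! show login
! show ip interface GigabitEthernet0/0 | include verify
```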
Managing Cisco IOS Security
Cisco Configuration Professional
Cisco Configuration Professional offers smart wizards and advanced configuration support for LAN and WAN interfaces, Network Address Translation (NAT), stateful and application firewall policy, IPS, IP Security (IPSec) and Secure Sockets Layer (SSL) VPN, quality of service (QoS), and Cisco Network Admission Control policy features. The firewall wizard allows a single-step deployment of high, medium, or low firewall policy settings. Cisco Configuration Professional also offers a one-click router lockdown and an innovative security auditing capability to check and recommend changes to router configuration based on Cisco Technical Assistance Center (TAC) recommendations.
Security Audit and One-Step Lockdown
Running a security audit presents a list of recommended actions. One-step lockdown configures the recommended security settings (Figure 2).
Figure 2. Cisco Configuration Professional Security Audit
Staying Compliant
Cisco IOS Security technologies help:
Separate, divide, and isolate network traffic
The firewall is the center point inside the network and is critical for PCI compliance. A common firewall policy such as Cisco IOS zone-based policy firewall examines the source and destination zones from the ingress and egress interfaces. It is not necessary that all traffic flowing to or from an interface be inspected. You can designate individual flows in a zone pair to be inspected using policy maps that may be applied across the zone pair. The policy map will contain class maps that specify the individual flows.
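The segmentation described in this section and in the zone-based policy firewall section above (security zones, a zone pair, a policy map whose class maps select the individual flows to inspect), as an added Cisco IOS configuration example that is not from the paper; the zone and interface names, the POS subnet 10.10.20.0/24, and the payment-processor address 203.0.113.10 are constructed for illustration.

```cisco
! Added example (constructed): isolate the cardholder data environment (CDE)
! in its own security zone and inspect only the flows it needs.
zone security INSIDE
zone security CDE
zone security OUTSIDE
!
! The one flow the POS subnet (assumed 10.10.20.0/24) needs: HTTPS to the
! payment processor (assumed 203.0.113.10)
ip access-list extended ACL-POS-TO-PROCESSOR
 permit tcp 10.10.20.0 0.0.0.255 host 203.0.113.10 eq 443
!
! Class map: the individual flow the policy map will inspect
class-map type inspect match-all CM-POS-HTTPS
 match access-group name ACL-POS-TO-PROCESSOR
 match protocol https
!
! Policy map: inspect that flow statefully; drop and log everything else
policy-map type inspect PM-CDE-TO-OUTSIDE
 class type inspect CM-POS-HTTPS
  inspect
 class class-default
  drop log
!
! Apply the policy to the CDE -> OUTSIDE zone pair. Return traffic for the
! inspected sessions is permitted by the stateful inspection; no
! OUTSIDE -> CDE zone pair exists, so nothing can be initiated inbound.
zone-pair security ZP-CDE-OUT source CDE destination OUTSIDE
 service-policy type inspect PM-CDE-TO-OUTSIDE
!
! No zone pair is defined between INSIDE and CDE either, so the firewall's
! default deny between zones keeps office hosts off the POS LAN.
interface GigabitEthernet0/0
 description Internet (assumed)
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description POS LAN / cardholder data environment (assumed)
 zone-member security CDE
interface GigabitEthernet0/2
 description Office LAN (assumed)
 zone-member security INSIDE
!
! Verification: which zone pairs exist and what each policy matches or drops
! show zone-pair security
! show policy-map type inspect zone-pair ZP-CDE-OUT
```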
Demonstrate compliance in the event of an attack or audit
An audit can be stressful for any IT administrator. It can be even more stressful if you are dealing with a possible security breach at the time of the audit. Cisco not only can provide the tools to meet PCI requirements, it can also demonstrate and validate PCI compliance. Combining best practices and extensive networking technology expertise, Cisco has developed a set of architectures in a lab environment with PCI requirements in mind. Cisco invited PCI auditors to evaluate these architectures; the auditors found that the technology, if properly deployed and maintained, could help achieve PCI compliance.
Performance where it counts
Cisco integrated services routers are designed for fast, scalable delivery of business-critical applications. Cisco IOS Firewall is an integral component, providing protection and performance suited to small and medium-sized branch office deployments, particularly in commercial environments. This integrated solution is well suited to organizations seeking a cost-effective PCI compliance solution.
Conclusion
Any organization that accepts, processes, or stores credit card information must comply with the standards set by the Payment Card Industry Security Standards Council. Cisco IOS Security technologies provide a variety of tools to help ensure compliance:
• Cisco IOS Software zone-based policy firewall can define network security zones, prevent cardholder data from being leaked outside those zones, and apply policies to inspect for and mitigate malware threats and unauthorized data access and transfers.
• Cisco IOS IPS effectively analyzes network traffic for malicious code and mitigates attacks.
• The Autosecure feature provides a one-command, automated router lockdown that disables nonessential services, enforces secure access, and secures the router forwarding plane.
For More Information
For more information about how Cisco can help you with PCI, visit the following resources: