Presentations

For the Internal Cisco TV on 4/5/11

Technical Overview
  • Changes to 2.0 and Advanced Technologies
    • Scope - Jokingly known as "PCI Requirement 0"
      • The first thing readers will notice when they open PCI Version 2.0 is an expanded section defining PCI scope. Version 2 requires merchants and processors to identify explicitly all the locations and flows of cardholder data annually before they begin their assessment.
      • The specific instructions are to make sure that no data has leaked outside your defined cardholder data environment and, if you find any, that you either eliminate the data or include it in your assessment.
      • The Council is instructing QSAs to report how the PCI scope was validated in the Report on Compliance (ROC).
    • Virtualization / Cloud
      • While the PCI 2.0 security standard has clarified that server virtualization technology can be used in PCI-regulated environments, PCI compliance in virtual environments still has some grey areas.
      • Our validation has ferreted out some of these grey areas and shown how to still have a securely virtualized environment that can be PCI compliant (please see our forthcoming design guide).
      • Another area that has been clarified in PCI 2.0 is virtualization. In the previous version of the standard, there was a requirement to implement only one primary function per server, which led to some confusion about virtual machine usage. For example, it was unclear whether two virtual machines were permitted to run on the same physical server. PCI 2.0 clarifies the issue by stating that if an organization is using virtualization (i.e., running different operating systems on a single physical system), those virtual operating systems can have only one primary function.
    • Wireless Mobility
      • Neither WEP nor even WPA is any longer sufficient for transmitting cardholder data; WPA2 is the current "strong encryption" wireless protocol.  The standard no longer references any specific encryption technology and only requires that wireless networks "support strong encryption".  Just as WEP was eliminated previously, WPA is now no longer considered strong encryption.  Retailers will need to move to WPA2 as quickly as possible.
    • Rogue detection
      • The clarification to Requirement 11.1 is a sensible one that may make compliance easier for retailers with a large number of locations. That requirement also dealt with wireless security and formerly instructed retailers to “test for the presence of unauthorized wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS.” The requirement now states, “methods that may be used in the process include, but are not limited to, wireless network scans, physical site inspections, network access control (NAC) or wireless IDS/IPS.” That means you don’t necessarily have to carry a wireless analyzer. A little physical observation and war-walking might do the trick for small retailers with only a few locations and a small amount of infrastructure.  Rogue wireless devices are a very real threat, and you should take these (at least) quarterly inspections very seriously.
    • Risk ranking of vulnerabilities
      • One change in PCI 2.0 that will require additional action is the inclusion of a mechanism for ranking vulnerability-related risk. To give those in the payment chain additional time to implement this in their security programs, the Council said it was making risk ranking a best practice until June 30, 2012, at which point it becomes required. Requirement 6.2 used to say, “Establish a process to identify newly discovered security vulnerabilities”; the PCI Council has appended “and assign a risk ranking to newly discovered security vulnerabilities.”
    • Longer cycle
      • Perhaps the most important change the Council made with PCI 2.0 was to move from a two-year development cycle for its security standards to a three-year cycle, which means that the next major update will be in 2013.
    • Other Specific Changes
      • 6.5.6. This sub-requirement is part of a revamped Requirement 6.5 that, in PCI Version 2, addresses all software applications, not just web-facing ones as was the case previously.
      • Requirement 3.4 provides new guidance on hashing. The text of the new requirement states that if hashed and truncated versions of the same PAN are present in the cardholder data environment, “additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.”  The reason for this revised requirement is that if the bad guys get both a truncated PAN and the hashed version of that same PAN, fairly trivial techniques can be used to reconstruct the PAN. Depending on how you’re using these pieces of data, it may be a significant challenge to separate them and add sufficient “additional controls.” I can only hope that the Council will release some formal guidance on what these controls should be.
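The Requirement 3.4 correlation problem, as an added example (not from the original presentation): a constructed test PAN is truncated PCI-style (first six and last four digits kept) and hashed two ways, with plain SHA-256 and with HMAC-SHA256 under a secret key. The keyed hash is used here as one possible "additional control" and is an assumption, not guidance the Council has issued; enumerating the Luhn-valid candidates behind the truncated PAN shows that the unkeyed digest identifies the full PAN outright, while the keyed digest cannot be matched by anyone without the key.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, List, Optional, Tuple

# Constructed sample: a well-known Luhn-valid test number, not a real card.
TEST_PAN = "4111111111111111"
_DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]  # Luhn value of a doubled digit

def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (every second digit from the right is doubled)."""
    digits = [int(c) for c in reversed(pan)]
    return (sum(digits[0::2]) + sum(_DOUBLED[d] for d in digits[1::2])) % 10 == 0

def truncate_pan(pan: str) -> str:
    """PCI-style truncation: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256: anyone holding the digest can test a guessed PAN against it."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key (assumed control): a guess cannot be verified without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def candidates(truncated: str) -> List[str]:
    """Every Luhn-valid PAN consistent with a truncated PAN; for 16 digits that is 100,000 of 1,000,000 middles."""
    first6, last4, hidden = truncated[:6], truncated[-4:], len(truncated) - 10
    pans = (first6 + "".join(mid) + last4 for mid in itertools.product("0123456789", repeat=hidden))
    return [p for p in pans if luhn_valid(p)]

def correlate(cands: List[str], digest: str, hash_fn: Callable[[str], str]) -> Optional[str]:
    """Return the candidate whose hash_fn output matches digest, or None if nothing matches."""
    return next((c for c in cands if hash_fn(c) == digest), None)

def demo(pan: str = TEST_PAN) -> Tuple[int, Optional[str], Optional[str]]:
    """Truncated PAN plus unkeyed digest pins down the PAN; a keyed digest does not."""
    cands = candidates(truncate_pan(pan))
    leaked = correlate(cands, unkeyed_hash(pan), unkeyed_hash)
    key = secrets.token_bytes(32)           # stays inside the hashing system
    outsider_key = secrets.token_bytes(32)  # the best an outsider without the key can do is guess one
    safe = correlate(cands, keyed_hash(pan, key), lambda p: keyed_hash(p, outsider_key))
    return len(cands), leaked, safe
```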
Cisco's Approach to PCI
  • Our approach is to implement an end-to-end architecture of systems that work in harmony to achieve the goals of the PCI DSS.
  • Our Key Partners - (find appropriate partner and product logos)
    • RSA 
      • enVision
      • Archer
      • Authentication Manager (SecurID)
      • Key Manager
    • HyTrust
      • Security Appliance protecting vSphere
    • EMC
      • Ionix Network Configuration Manager
      • Ionix Unified Infrastructure Manager
      • CLARiiON CX4 SAN
    • VCE
      • Vblock Architecture
  • Components of the solution, Validation and Audit
    • ISR G2 Routers for Converged capabilities
    • Catalyst compact, Nexus and Virtual switches to segment infrastructure
    • Unified Computing System - rack-mount, UCS Express on SRE, Vblock
    • Managed Controller based Wireless Infrastructure
    • Virtual Security Gateway, IOS and ASA Firewalls
    • IronPort for e-mail DLP
    • Physical Security - Video Surveillance and Gateway access controls
    • DC 3.0 Architecture
    • Cisco Voice Solutions
  • Best Practices
    • Fully and accurately document your enterprise, and actively maintain this documentation.  This is not a nice-to-have; it is a requirement.
    • Segmentation to reduce Audit scope
    • Wireless WIPS
    • Wireless controller based Architecture
    • Switch Smartports and/or NAC/ISE to protect open network connections on the store floor
    • Centralized Logging using RSA enVision with configured Alerts and Reports for PCI

Conclusion
PCI DSS version 2.0 contains 132 changes: 115 clarifications, 15 items of additional guidance, and two evolving requirements. 
While some of these changes may present challenges, many of the clarifications will have minimal impact on what compliant retailers have been doing already.