
Best Practices for PCI DSS V3.0
Network Security Compliance

January 2015

www.tufin.com

Table of Contents
Preparing for PCI DSS V3.0 Audit
Protecting Cardholder Data with PCI DSS
Complying with PCI DSS Network Security Challenges
Seven PCI Best Practices for Network Security
Setting High Security Standard for Ongoing Success
Quick PCI DSS Network Security Checklist


Preparing for PCI DSS V3.0 Audit

Credit card fraud is a growing threat to both financial institutions and retail organizations. Different methods and technologies were developed throughout the years to mitigate this risk. In 2004, the 5 major US credit card companies cooperated to implement a standard to counter the threat together. The new united standard is called Payment Card Industry Data Security Standard (PCI DSS).

The goal of PCI DSS is to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. It protects against credit card fraud and security threats by providing a baseline of technical and operational requirements designed to protect cardholder data.

The most recent version of the standard is V3.0, replacing V2.0, which reaches end of life in December 2014. Therefore, plans for complying with the upgraded standard and ensuring that the enterprise network is audit-ready are a pressing concern of many IT managers and PCI internal auditors today.

This paper provides information to IT managers and PCI internal auditors for understanding network security needs and best practices around credit card threats and the related requirements for PCI DSS V3.0 audits. Tufin's network security expertise enables excellent support for PCI internal auditors, IT managers and their network operation teams to design, plan and integrate the changes required for PCI DSS compliance into business-as-usual activities. Tufin's solution supports IT managers and PCI internal auditors to lessen their compliance headache.

Protecting Cardholder Data with PCI DSS

The PCI DSS defines 12 high-level requirements, grouped into 6 control objectives. To comply, PCI internal auditors or IT managers perform periodic audits every 6 months (3 months recommended). Audits demonstrate compliance via numerous testing procedures and sub-requirements, as seen in the table:

PCI DSS Control Objectives and Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

The main PCI DSS principle: cardholder data is only as secure as the pathways that provide access to it. On the one hand, PCI DSS requirements are designed to ensure that network security practices eliminate or minimize known risks. On the other hand, they ensure that the organization defines well-structured policies, procedures and practices that can be tracked and audited. To ensure both secure data pathways and adherence to strict network security policies, PCI DSS requires:

- Specific guidelines for processing card payments to help prevent credit card fraud, skimming and other security threats
- Aligning with the industry best practices to increase the trust of both customers and partners
- Limiting external network access to sensitive data, combined with a formal process for monitoring all changes to firewall configuration
- Tracking and auditing of firewall operations regularly, including clear definitions of roles and responsibilities
- Strictly limiting internal organizational access to sensitive data
- Documenting, enforcing and auditing all operational procedures and practices

In summary, PCI DSS demands that organizations maintain continuous compliance through an ongoing process of: Assess, Remediate and Report [1]. To comply, your IT organization must have an accurate picture of your compliance posture, the tools to address issues, and the ability to demonstrate compliance through internal and external audits.

Complying with PCI DSS Network Security Challenges

About 40% of PCI DSS is related to network security, but this is really the crux of the headache, pitfalls and disturbance for PCI internal auditors, IT managers and their teams.

For network security teams to integrate a repeatable compliance procedure that doesn't disrupt business as usual, it's simply not feasible for IT managers and PCI internal auditors to manually manage and test. The many IT tasks involved in documenting, tracking and auditing network security procedures manually can take weeks. The numerous security devices (firewalls, routers and others), with each device managing hundreds to thousands of rules, make for an extremely complex enterprise network environment. To ensure compliance, the team must have clear visibility into the network topology, the routing flow of data around the network, and the settings of all security devices (as there are many paths to move between network segments, and all paths should be configured based on the desired policy). Therefore, PCI DSS compliance requires the right set of tools and automated solutions for visibility, alerting and quick breach fixes.

[1] https://www.pcisecuritystandards.org/security_standards/getting_started.php

Seven PCI Best Practices for Network Security

Since PCI DSS is the de facto standard that any company processing credit cards must comply with, IT managers and PCI internal auditors continually align their enterprise security program to achieve this goal.

Before getting into the PCI DSS requirement details, it's good to look at what's worked at many enterprises to enforce and remediate PCI network security compliance. Tufin networking experts gathered valuable learning and best practices from their PCI implementation experience. If IT managers and PCI internal auditors do it right, their work on PCI compliance can also be a springboard for their organization into continuous network security and more effective work processes.

Tufin's 7 best practices for network security compliance are:
1) Create a clear separation of PCI data, PCI application, and PCI web within the network (DMZ, Internal and Internet)
2) Ensure that you have a network change workflow process in place that meets PCI requirements
3) Ensure that every network change has a complete audit trail with the who, what, when, and why
4) Validate every network change with the following:
   a. Analyze the change for risks as defined in your security policy
   b. Get approval by the business owner
   c. Ensure the changes are implemented according to the PCI-compatible network change workflow
5) Ensure that firewalls protecting PCI zones work with the following guidelines:
   a. Every rule has a comment
   b. Every rule has a log
   c. No rules with Any in the Src, Dest, and Srv
   d. No rules with risky services (unencrypted)
   e. Delete unused rules
6) Ensure every firewall rule is documented properly with the following info:
   a. Business justification
   b. Business owner
   c. Application name
7) Ensure that you keep firewall logs for at least 12 months
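Best practices 5 and 6 are the ones that can be checked mechanically against a rule export. The script below is an added example, not Tufin's code and not from the paper: it audits a constructed rule base for the 5a-5e and 6a-6c checks. The Rule record, the "unused after 180 days" threshold, the insecure-service list (taken from the services the paper names under 1.1.5 and 2.2.3) and the sample rules are all assumptions for illustration; a real export from a firewall vendor would need its own parser in front of this.

```python
"""Audit a firewall rule base against best practices 5 and 6 above.

Added example: not Tufin's code and not from the paper. The Rule record, the
insecure-service list and the sample rule base below are constructed for
illustration; a real export (Check Point, Cisco ASA, ...) would need a parser.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Unencrypted services the paper names under 1.1.5 and 2.2.3. The PCI auditor may
# treat other services as insecure too, so keep this list reviewable.
INSECURE_SERVICES = {"ftp", "telnet", "pop3", "imap", "snmp", "netbios"}
ANY = "any"


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    srv: str
    action: str                      # "accept" or "drop"
    log: bool                        # does the rule log matches? (5b)
    comment: str = ""                # 5a
    last_hit: Optional[date] = None  # last time the rule matched traffic (5e)
    justification: str = ""          # 6a business justification
    owner: str = ""                  # 6b business owner
    application: str = ""            # 6c application name


def audit_rule(rule: Rule, today: date, unused_after_days: int = 180) -> list[str]:
    """Return the best-practice findings for one rule; an empty list means clean."""
    findings: list[str] = []
    if not rule.comment.strip():
        findings.append("5a: rule has no comment")
    if not rule.log:
        findings.append("5b: rule does not log")
    # The explicit final drop rule (1.2.1) is the one legitimate "any/any/any" rule,
    # so the Any and insecure-service checks apply to accept rules only.
    if rule.action == "accept":
        for side, value in (("Src", rule.src), ("Dest", rule.dst), ("Srv", rule.srv)):
            if value.lower() == ANY:
                findings.append(f"5c: '{ANY}' in {side}")
        if rule.srv.lower() in INSECURE_SERVICES:
            findings.append(f"5d: permits unencrypted service {rule.srv}")
    if rule.last_hit is None or today - rule.last_hit > timedelta(days=unused_after_days):
        findings.append(f"5e: no hits in the last {unused_after_days} days, candidate for deletion")
    for tag, value in (("6a", rule.justification), ("6b", rule.owner), ("6c", rule.application)):
        if not value.strip():
            findings.append(f"{tag}: documentation field missing")
    return findings


def audit_rulebase(rules: list[Rule], today: date) -> dict[str, list[str]]:
    """Map each rule name to its findings so a report can list only the non-empty ones."""
    return {rule.name: audit_rule(rule, today) for rule in rules}


# Constructed sample rule base: one clean rule, two problem rules and a cleanup rule.
TODAY = date(2015, 1, 15)
SAMPLE_RULES = [
    Rule("pci-web-in", "Internet", "dmz-web", "https", "accept", True,
         comment="Public checkout front end", last_hit=date(2015, 1, 14),
         justification="Customer checkout", owner="ecommerce-team", application="WebShop"),
    Rule("legacy-ftp", "dmz-web", "cde-db", "ftp", "accept", False,
         last_hit=date(2014, 3, 1)),
    Rule("temp-any", "any", "cde-db", "any", "accept", True,
         comment="temporary, added during migration"),
    Rule("cleanup", "any", "any", "any", "drop", True,
         comment="Explicit deny of all other traffic (1.2.1)", last_hit=TODAY,
         justification="Default deny", owner="netsec", application="n/a"),
]

if __name__ == "__main__":
    for name, findings in audit_rulebase(SAMPLE_RULES, TODAY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name:12} {status}")
```

Run as-is it prints one line per rule; the two problem rules collect several findings each while the documented web rule and the explicit final drop rule come back clean. The "unused" threshold is deliberately a parameter, since the paper only says to delete unused rules and leaves the window to the organization.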


Setting High Security Standard for Ongoing Success

PCI DSS V3.0 compliance can be a great opportunity to get the buy-in and budgets to ensure network security is geared for ongoing success. For IT managers and PCI internal auditors to set high, sustainable security standards, Tufin experts suggest paying special attention to five sub-requirements within PCI DSS requirement 1.

When IT managers take a broader look at PCI requirement 1, not just with an eye on getting PCI compliance, these requirements open the door for implementing ongoing network security solutions. Otherwise, they tend to be problematic since they rely on manual processes that no longer scale to meet the needs of the business, an increasingly common scenario.

In any case, merchants with large firewall estates need to automate firewall operations to meet business reality. While large-scale deployments are always intense, introducing some long-term improvements that align PCI compliance efforts with your organization's specific security needs can be a good way to make the effort even more worthwhile and have a long-term effect on the enterprise.

To overcome the common network security and PCI DSS compliance challenges, IT managers and PCI internal auditors can gain insights by drilling down into 5 requirements. Additional best practices for focusing efforts on achieving both compliance and ongoing success are revealed:

1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

PCI internal auditors need to show that a clearly defined, enforceable change process for firewall policies exists. The PCI external auditor will ask to see a change report with a full audit trail, and then select some random changes and request to see the sign-off.

The Challenge: Many organizations still don't have a change process in place or, if they do, it's too loose or relies on goodwill rather than formal procedures.

Best Practice: The best way to implement formal, auditable change processes is by using an adequate tool for the task.

1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.

This sub-requirement is concerned with three main risks:
1. Are the connections required for business known?
2. Are firewalls implementing the Principle of Least Privilege, allowing only connections that are required for business?
3. Are any of these connections insecure? Do compensating controls for them exist?

The Challenge: Most organizations don't have an up-to-date list of services that are required for business. In the best case, documentation per firewall rule exists. Most likely some connections contain insecure services (NOTE: for PCI, the list is open to interpretation by the auditor).

Best Practice: IT managers need to make sure they know about each of these services in advance with relevant justifications from a security perspective.

1.1.6 Requirement to review firewall and router rule sets at least every six months


IT managers and PCI internal auditors need to have proof that a process exists and is working to meet this requirement. Complying with this requirement usually entails having a report to show that rule sets were in fact reviewed, that any questionable rules from the last audit were addressed, and that any changes to rules since the last audit were dealt with properly (i.e. old or non-compliant rules/objects were dealt with).

Best Practice: Around one third of companies fail to provide the required documentation to satisfy the PCI external auditor on this point because of poor processes. Therefore, ensure your processes are up to date and functioning.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment

Usually the PCI external auditor is looking for a set of rules that permit specific PCI services (approved known protocols used by the PCI servers) followed by an explicit drop rule for all other traffic. Exceptions must include proper documentation (such as rule comments) that makes sense to the auditor.

Best Practice: Around one quarter of businesses find it difficult to correctly restrict inbound access; setting explicit drop rules is much easier. Proper definition of PCI services and PCI zones makes compliance much simpler. So it's important to ensure that the PCI external auditor agrees to the contents of PCI services and PCI zones.

If IT managers and PCI internal auditors can prove that an active alerting mechanism to prevent non-compliant changes exists, the enterprise is audit-ready.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ

IT managers need to allow traffic from the Internet to specific servers (IP addresses) in the DMZ; everything else should be dropped. Proper definition of traffic that is Internet (i.e. all non-local IP addresses) and proper definition of the accessible IPs within the DMZ are critical for compliance. Plus, the PCI external auditor must agree that the definitions are correct.

Best Practice: If definitions are in place, an active alert mechanism for unauthorized traffic is what's needed for IT managers to ensure network security.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment

To do this, network operation teams need to properly define the 'Internet' and 'cardholder data' environments, or in other words, create network segmentations that can be isolated. The PCI external auditor wants to see that there is no direct access between these entities, and that there is proper evidence for this.

Best Practice: If IT managers document and manage access with the right tools, PCI DSS auditing becomes part of the everyday IT and business activities:
1) Ensure documentation is ready
2) Prove serious about maintaining compliance
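Requirements 1.2.1, 1.3.2 and 1.3.3 all come down to the same thing: agreed zone definitions plus a check of every permit rule against them. The script below is an added example, not Tufin's code and not from the paper. It takes the paper's definition of "Internet" literally (every address outside the local networks) and flags permit rules that connect the Internet and the cardholder data environment directly (1.3.3), inbound Internet rules that land outside the DMZ (1.3.2), and a rule base that does not end in an explicit drop of all other traffic (1.2.1). The zone prefixes, the rule tuple format and the sample rules are constructed assumptions; in practice the auditor must agree to the zone definitions before the output counts as evidence.

```python
"""Check permit rules against PCI DSS 1.2.1, 1.3.2 and 1.3.3 using zone definitions.

Added example: not Tufin's code and not from the paper. The zone prefixes, the
rule tuples and the sample rule base are constructed; "Internet" is derived as
"everything outside the local networks", following the paper's definition.
"""
from __future__ import annotations
import ipaddress

# Constructed zone definitions (assumptions for the example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_NET = ipaddress.ip_network("10.10.0.0/24")   # public-facing servers
CDE_NET = ipaddress.ip_network("10.20.0.0/24")   # cardholder data environment
ANY_NET = "0.0.0.0/0"


def zone_of(cidr: str) -> str:
    """Classify an address or prefix: CDE, DMZ, Internal, Internet, or Mixed (spans zones)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.subnet_of(CDE_NET):
        return "CDE"
    if net.subnet_of(DMZ_NET):
        return "DMZ"
    if any(net.subnet_of(local) for local in LOCAL_NETS):
        return "Internal"
    if not any(net.overlaps(local) for local in LOCAL_NETS):
        return "Internet"
    return "Mixed"   # e.g. 0.0.0.0/0: contains Internet addresses as well as local ones


def check_segmentation(rules: list[tuple[str, str, str, str]]) -> list[str]:
    """rules are (name, src_cidr, dst_cidr, action) in policy order; returns violations."""
    violations: list[str] = []
    internet_like = {"Internet", "Mixed"}
    for name, src, dst, action in rules:
        if action != "accept":
            continue
        s, d = zone_of(src), zone_of(dst)
        # 1.3.3: no direct traffic, in either direction, between the Internet and the CDE
        if (s == "CDE" and d in internet_like) or (d == "CDE" and s in internet_like):
            violations.append(f"{name}: 1.3.3 direct {s} -> {d} traffic")
        # 1.3.2: inbound Internet traffic may only land on DMZ addresses
        elif s in internet_like and d != "DMZ":
            violations.append(f"{name}: 1.3.2 inbound Internet traffic to {d} ({dst}) outside the DMZ")
    # 1.2.1: the rule base must end with an explicit drop of all other traffic
    if not rules or rules[-1][3] != "drop" or rules[-1][1:3] != (ANY_NET, ANY_NET):
        violations.append("1.2.1: no explicit final drop rule for all other traffic")
    return violations


# Constructed sample rule base.
SAMPLE_RULES = [
    ("web-in", ANY_NET, "10.10.0.80/32", "accept"),                  # Internet -> DMZ web server: fine
    ("dmz-to-db", "10.10.0.80/32", "10.20.0.10/32", "accept"),       # DMZ -> CDE database: fine
    ("vendor-support", "203.0.113.0/24", "10.20.0.10/32", "accept"),  # Internet -> CDE: violates 1.3.3
    ("cde-updates", "10.20.0.0/24", ANY_NET, "accept"),              # CDE -> anywhere: violates 1.3.3
    ("admin-in", ANY_NET, "10.0.5.5/32", "accept"),                  # Internet -> internal: violates 1.3.2
    ("cleanup", ANY_NET, ANY_NET, "drop"),                           # explicit final drop (1.2.1)
]

if __name__ == "__main__":
    for line in check_segmentation(SAMPLE_RULES) or ["no violations"]:
        print(line)
```

The "Mixed" zone is the important edge case: a source of 0.0.0.0/0 is not wrong in itself (the public web rule needs it) but it contains Internet addresses, so it is treated as Internet for the 1.3.2 and 1.3.3 checks. Dropping the cleanup rule from the sample list makes the 1.2.1 finding appear.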


Quick PCI DSS Network Security Checklist

IT managers and PCI internal auditors can use the PCI DSS Network Security Checklist for preparing for audits. The checklist summarizes the PCI DSS requirements related to network security. If best practices for network security have been implemented in the organization, the PCI DSS audit becomes a healthy routine versus a compliance headache.

To meet the PCI DSS requirements related to network security in an efficient, quick, manageable way for ongoing success, Tufin's PCI DSS V3.0 Solution helps growing organizations:

PCI DSS Objective: Build and maintain a secure network

  1.1 Establish and implement firewall and router configuration standards that include the following: inspect the firewall and router configuration standards and other documentation specified below and verify that standards are complete and implemented as in sub-requirements
      Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes, PCI firewall & router checks, PCI requirements deviation detection & reporting
  1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
      Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes
  1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks
      Tufin's PCI DSS Solution: PCI zone mapping & network topology map
  1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
      Tufin's PCI DSS Solution: PCI firewall & router checks, PCI requirements deviation detection & reporting
  1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
      Tufin's PCI DSS Solution: PCI compliance report
  1.1.7 Requirement to review firewall and router rule sets at least every six months
      Tufin's PCI DSS Solution: PCI compliance report
  1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
      Tufin's PCI DSS Solution: PCI firewall & router checks, PCI requirements deviation detection & reporting
  1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment (1.3.1 to 1.3.8)
      Tufin's PCI DSS Solution: Central network management for firewall & router to restrict traffic between Internet & PCI zone

PCI DSS Objective: Do not use vendor-supplied defaults for system passwords and other security parameters

  2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure, e.g., use secured technologies such as SSH, SFTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file sharing, Telnet, FTP, etc.
      Tufin's PCI DSS Solution: Checks every service for compliance with regulation policy
  2.4 Maintain an inventory of system components that are in scope for PCI DSS.
      Tufin's PCI DSS Solution: CMDB-like capabilities for server network connectivity
  2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
      Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes, PCI firewall & router checks, PCI requirements deviation detection & reporting

PCI DSS Objective: Develop and maintain secure systems and applications

  6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
      Tufin's PCI DSS Solution: Software comparison report

PCI DSS Objective: Track and monitor all access to network resources and cardholder data

  10.1 Implement audit trails to link all access to system components to each individual user.
      Tufin's PCI DSS Solution: Firewall, router & load balancer audit trail & change reports
  10.3 Record audit trail entries for all system components for each event
      Tufin's PCI DSS Solution: Tracks & monitors all firewall, router & load balancer changes
  10.5 Secure audit trails so they cannot be altered
      Tufin's PCI DSS Solution: Read-only, encrypted
  10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (e.g., online, archived, or restorable from backup).
      Tufin's PCI DSS Solution: Backup, store audit trail & configuration changes for 12 months, reports

In summary, Tufin's PCI DSS V3.0 Solution benefits PCI internal auditors and IT managers for PCI DSS compliance with:
- Out-of-the-box PCI DSS audit report, making it easy to prepare quickly and thoroughly for an internal or external audit
- ITSM-like change and approval processes (integrated to your current ITSM process)
- Up-to-date picture of the compliance status of your firewalls and routers
- Continuous change tracking and alerting that monitors all firewall policy changes, and alerts to potential violations
- Simple and flexible definition of the network zones for network segmentation
- Identification of mismatches between firewall rules and the desired firewall security policy
- Security rule documentation associating security policy rules with their business justification
- Complete audit trail of who made each change to your network devices

For more information or any questions:
Tufin subject matter experts are open to talk about your pressing PCI DSS V3.0 compliance concerns. Feel free to directly contact Tufin's PCI experts at email: PCIDSS@tufin.com.

Learn more about Tufin's Orchestration Suite and Tufin's PCI DSS V3.0 Solution at www.tufin.com.

Copyright 2015 Tufin


Tufin, Unified Security Policy, Tufin Orchestration Suite and the Tufin logo are trademarks of Tufin. All other product
names mentioned herein are trademarks or registered trademarks of their respective owners.
