Companies that store, process, or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Failure to comply can result in fines, lawsuits, and even bans from processing credit cards. Even worse, companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners, and shareholders.

1. Achieving PCI Compliance
CradlePoint Webinar
July 31, 2012
Global Leader in 4G Network Solutions
Ken Hosac
VP Business Development
Rudy Cedillo
Sr. Enterprise Support Engineer

2. Achieving PCI Compliance
Agenda
§ CradlePoint Overview
– Target
market
– Solu0on
overview
§ Introduction to PCI Compliance
– The
standards
framework
– Business
drivers
– Compliance
&
monitoring
– Customer
pain-­‐points
§ PCI-DSS Requirements & Recommendations
– Goals
&
requirements
– Valida0on
methodology
– CradlePoint
recommenda0ons
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
2

3. CradlePoint Target Market
Distributed Enterprise
Retail Stores
M2M: Kiosks & ATMs
CradlePoint
provides
3G/4G
networking
solu0ons
to
distributed
enterprise
Restaurants
Branch Offices
Convenience Stores
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.

4. Connecting Distributed Enterprise through Wireless 4G/3G
Solution Overview
WiPipe
Central
On-­‐Site
Services
Applica9on
&
Management
Pla<orm
Site
Survey,
Installa9on,
Maintenance
Network
Administrator
Enterprise
Router
Enterprise
Bridge
M2M
Router
for
Small-­‐Footprint
Retail/Branch
for
Business
Con0nuity
for
Connected
Devices
CradlePoint CradlePoint
ARC CBA750 DSL
ARC MBR1400 Modem
Router Bridge CradlePoint
M2M Router
Existing Router
Juniper, Cisco, etc
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
4

5. Overview of the PCI Standards
Achieving PCI Compliance
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
5

6. Achieving PCI Compliance
PCI Security Standards
§ Background § Business Drivers
– Objec0ve
is
to
protect
cardholder
data
– Companies
that
fail
to
comply
are
– Required
for
any
company
that
stores,
subject
to
fines,
lawsuits,
and
can
processes
or
transmits
credit
card
info
even
be
banned
from
processing
– Founded
by
5
major
financial
brands,
credit
cards.
including:
– Companies
that
are
breached
can
§ AmEx,
Discovery,
JCB,
MasterCard,
Visa
find
themselves
in
the
news
– Par0cipants
include
hundreds
of
headlines,
significantly
impac0ng
industry
en00es
goodwill
with
customers,
partners
and
shareholders.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
6

7. Achieving PCI Compliance
PCI Security Standards (continued)
§ PCI-SSC publishes three standards
– PCI-­‐DSS
(PCI
Data
Security
Standards):
Applies
to
any
en0ty
that
stores,
processes,
and/or
transmits
cardholder
data.
The
standard
covers
technical
and
opera0onal
components
include
in
or
connected
to
cardholder
data.
If
a
business
accepts
or
processes
payment
cards,
it
must
comply
with
the
PCI
DSS.
– PTS
(PIN
Transac0on
Security
Requirements):
Applies
to
manufacturers
who
develop
PIN
(personal
iden0fica0on
number)
entry
terminals
used
for
payment
card
financial
transac0ons.
– PA-­‐DSS
(Payment
Applica0on
Data
Security
Standards):
Applies
to
so_ware
developers
and
integrators
of
applica0ons
that
store,
process
or
transmit
cardholder
data
as
part
of
authoriza0on
or
sealement.
§ Acronyms
– PCI
=
Payment
Card
Industry
– SSC
=
Security
Standards
Council
– DSS
=
Data
Security
Standards
– CDE
=
Cardholder
Data
Environment
– PAN
=
Personal
Account
Number
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
7

8. Achieving PCI Compliance
PCI Security Standards (continued)
§ Initial Certification Process
– External
audits
or
self-­‐cer0fica0on,
based
on
company
size
– Smaller
merchants
are
able
to
self-­‐cer0fy
through
a
Self-­‐Assessment
Ques0onnaire
(SAQ)
– Larger
enterprises
must
u0lize
a
PCI-­‐qualified
assessor
such
as
a
QSA
(Qualified
Security
Assessor)
or
ASV
(Approved
Scanning
Vendor).
§ Ongoing Monitoring Process
– The
merchant
must
con0nually
monitor
and
update
their
system
in
order
to
maintain
compliance.
– This
includes:
§ On-­‐going
monitoring
and
tes0ng
of
network
resources
§ Regular
reviews
of
system
logs
and
access
§ Ensuring
that
device
configura0ons
and
security
policies
are
locked
down
and
can’t
be
changed
without
authoriza0on
§ All
cri0cal
systems
have
the
most
recently-­‐released
so_ware
patches
within
one
month
to
protect
against
exploita0on
by
malicious
individuals,
devices
and
so_ware
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
8

9. Achieving PCI Compliance
Customer Pain Points
§ Lack of Expertise
– Many
companies
do
not
have
in-­‐house
exper0se
– PCI
Compliance
can
be
a
confusing
and
in0mida0ng
process
§ Expense
– The
process
for
obtaining
and
maintaining
PCI-­‐compliance
is
expensive
and
burdensome.
– PCI
Compliance
audi0ng
is
o_en
an
expensive,
manual
process
§ Liability
– Companies
that
fail
to
comply
with
the
PCI-­‐DSS
(Payment
Card
Industry,
Data
Security
Standards)
are
subject
to
fines
&
lawsuits.
– Companies
that
are
breached
can
find
themselves
in
the
news
headlines,
significantly
impac0ng
goodwill
with
customers,
partners
and
shareholders.
§ Business Continuity
– Non-­‐compliance
can
result
in
the
customer
being
banned
from
processing
credit
cards.
– CradlePoint’s
largest
customers
have
confirmed
that
PCI
Compliance
is
one
of
the
most
fundamental
underpinnings
of
their
business
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
9

10. Achieving PCI Compliance
Achieving PCI Compliance
§ Requires a System-Wide Approach
– PCI
compliance
can
only
be
obtained
by
the
merchant
.
– PCI
auditors
analyze
the
merchant’s
en0re
system,
including
POS
devices,
network
devices,
servers,
applica0ons,
policies,
&
procedures.
– The
PCI-­‐DSS
requires
that
the
merchant
verify
that
all
network
equipment
(including
CradlePoint
devices)
is
properly
configured
and
managed
for
compliance.
§ Router Certification
– There
is
no
specific
specifica0on
to
enable
routers
to
become
“PCI
Compliant”.
– CradlePoint
conducts
“PCI
Penetra0on
Tes0ng”
to
ensure
that
the
routers
can
be
confidently
used
in
a
PCI-­‐Compliant
environment.
– CradlePoint
devices
do
not
store
any
of
the
data
that
flows
through
the
device,
especially
credit
card
informa0on
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
10

11. Overview of PCI
Requirements & Recommendations
Achieving PCI Compliance
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
11

12. Achieving PCI Compliance
CradlePoint Enablers
§ Application Guide
– 80-­‐page
guide
for
IT
professionals
– Detailed
review
of
each
requirement
– CradlePoint
enablers
– CradlePoint
recommenda0ons
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
12

13. Achieving PCI Compliance
PCI-DSS 2.0 Standards
Goals Requirements
1) Install and maintain a firewall configuration to protect cardholder data.
Build and Maintain a
2) Do not use vendor-supplied defaults for system passwords and other security
Secure Network parameters.
3) Protect stored cardholder data.
Protect Cardholder Data 4) Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability 5) Use and regularly update anti-virus software or programs.
Management Program 6) Develop and maintain secure systems and applications.
7) Restrict access to cardholder data by business need to know.
Implement Strong Access 8) Assign a unique ID to each person with computer access.
Control Measures 9) Restrict physical access to cardholder data.
Regularly Monitor and 10) Track and monitor all access to network resources and cardholder data.
Test Networks 11) Regularly test security systems and processes.
Maintain an Information 12) Maintain a policy that addresses information security for all personnel.
Security Policy
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
13

14. Achieving PCI Compliance
Requirement
1
Install & Maintain Firewalls
Descrip0on
Install
and
maintain
a
firewall
configura0on
to
protect
cardholder
data.
Goal
Build
and
maintain
a
secure
network.
Requirements
1.1
Establish
firewall
and
router
configura0on
standards.
1.2
Build
firewall
and
router
configura0ons
that
restrict
connec0ons
between
untrusted
networks
and
any
system
components
in
the
CDE.
1.3
Prohibit
direct
public
access
between
the
Internet
and
any
system
component
in
the
CDE.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
14

15. Build and Maintain a Secure Network
Achieving PCI Compliance R-1)
Install & maintain a firewall configuration to protect cardholder
data.
CradlePoint
Recommenda0on
Segment the Network into Security Zones
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
15

16. Build and Maintain a Secure Network
Achieving PCI Compliance R-1)
Install & maintain a firewall configuration to protect cardholder
data.
CradlePoint
Recommenda0on
Configure the Firewall
§ Stateful Packet Inspection
– SPI
is
a
firewall
that
monitors
outgoing
and
incoming
traffic
to
make
sure
that
only
valid
responses
to
outgoing
requests
are
allowed
to
pass
though
the
router.
– Proper
configura0on
hides
your
LAN
from
unauthorized
external
aaackers,
so
that
the
router
does
not
respond
to
unsolicited
incoming
requests
on
any
port.
§ Port Forwarding Rules
– A
port
forwarding
rule
provides
a
controlled
method
of
opening
the
firewall
to
address
the
needs
of
specific
types
of
applica0ons.
– Allows
external
traffic
to
reach
a
computer
or
device
on
the
inside
of
the
network.
§ Anti-Spoof
– “Spoofed
Addresses”
are
faked
source
addresses
used
by
a
malicious
user
to
either
hide
themselves
or
to
impersonate
someone
else.
– Used
to
launch
a
network
aaack
without
revealing
the
true
source
of
the
aaack.
– Used
to
gain
access
to
network
services
that
are
restricted
to
certain
addresses.
– An0-­‐Spoof
dynamically
checks
packets
to
iden0fy
probable
spoofing
aaempts.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
16

17. Build and Maintain a Secure Network
Achieving PCI Compliance R-1)
Install & maintain a firewall configuration to protect cardholder
data.
CradlePoint
Recommenda0on
Configure the Firewall (continued)
§ Packet Normalization
– Normalizing
packets
helps
secure
the
router
in
untrusted
environments.
– It
does
so
by
"scrubbing“
packets
that
are
ambiguous
or
might
represent
a
break-­‐in
aaempt.
§ Static NAT Ports
– If
enabled,
the
source
port
does
not
translate
inbound
TCP
and
UDP
packets
during
NAT.
– Some
NAT
traversal
protocols
such
as
STUN(T)
require
that
the
source
port
stay
the
same
when
traversing
the
firewall.
§ DMZ Host
– A
De-­‐Militarized
Zone
(DMZ
)
host
is
purposely
not
firewalled.
– Enables
any
computer
on
the
internet
to
remotely
access
network
services
at
that
DMZ
IP
address.
– Input
the
IP
Address
for
the
DMZ
device
to
ensure
that
the
IP
address
of
the
selected
device
remains
consistent.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
17

18. Build and Maintain a Secure Network
Achieving PCI Compliance R-1)
Install & maintain a firewall configuration to protect cardholder
data.
CradlePoint
Recommenda0on
Lock Down the Router Entry Points
§ Disable UPnP
– UPnP
(Universal
Plug
and
Play)
is
a
set
of
networking
protocols
standardized
by
the
UPnP
Forum
– Enables
clients
to
determine
network
configura0on
and
configure
the
network
to
allow
traffic
through
the
firewall
without
direct
user
interac0on.
– UPnP
can
simplify
the
use
of
consumer
devices
and
other
applica0ons
that
require
network
configura0on,
– UPnP
can
also
allow
unprivileged
users
to
manipulate
network
configura0on.
§ Disable WAN Pings
– When
disabled,
the
router
does
not
respond
to
ping
requests
from
external
WAN
clients.
– This
is
o_en
used
by
hackers
to
probe
security
vulnerabili0es.
§ Use MAC Filtering
– The
MAC
Filter
allows
you
to
create
a
list
of
devices
that
have
either
exclusive
access
(white
list)
or
no
access
(black
list)
to
your
wireless
LAN.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
18

19. Build and Maintain a Secure Network
Achieving PCI Compliance R-1)
Install & maintain a firewall configuration to protect cardholder
data.
CradlePoint
Recommenda0on
Lock Down the Router Entry Points (continued)
§ Use IP Filter Rules
– "Incoming"
IP
filter
rules
restricts
remote
access
to
computers
on
your
local
network.
– "Outgoing"
IP
filter
rules
prevent
computers
on
your
local
network
from
ini0a0ng
communica0on
to
the
address
range
specified
in
the
rule.
– This
feature
is
especially
useful
when
combined
with
port
forwarding
and/or
DMZ
to
restrict
remote
access
to
a
specified
host
or
network
range.
– With
an
incoming
IP
filter
rule,
you
can
restrict
the
access
to
your
LAN
to
only
the
specific
computers
or
devices
authorized
to
be
on
the
network.
§ Disable Remote Administration
– This
prevents
external
users
from
accessing
the
router
administra0on
web
UI
through
the
WAN.
– CradlePoint
recommends
using
WiPipe
Central
to
manage
the
routers,
since
it
u0lizes
a
secure
device-­‐ini0ated
protocol
that
is
less
vulnerable
to
hacking.
– If
you
decide
that
you
do
want
to
enable
remote
admin
access,
be
sure
to
configure
it
to
require
HTTPS
on
a
non-­‐standard
port.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
19

20. Achieving PCI Compliance
Requirement
2
Don’t Use Vendor-Supplied Defaults
Descrip0on
Do
not
use
vendor-­‐supplied
defaults
for
system
passwords
and
other
security
parameters
Goal
Build
and
maintain
a
secure
network.
Requirements
2.1
Always
change
vendor-­‐supplied
defaults
before
installing
a
system
on
the
network,
including
but
not
limited
to
passwords,
simple
network
management
protocol
(SNMP)
community
strings,
and
elimina0on
of
unnecessary
accounts.
2.2
Develop
configura0on
standards
for
all
system
components.
Assure
that
these
standards
address
all
known
security
vulnerabili0es
and
are
consistent
with
industry-­‐accepted
system
hardening
standards.
2.3
Encrypt
all
non-­‐console
administra0ve
access
using
strong
cryptography.
Use
technologies
such
as
SSH,
VPN,
or
SSL/TLS
for
web-­‐based
management
and
other
non-­‐console
administra0ve
access.
2.4
Shared
hos0ng
providers
must
protect
each
en0ty’s
hosted
environment
and
cardholder
data.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
20

21. Achieving PCI Compliance Build and Maintain a Secure Network
R-2)
Do not use vendor-supplied defaults for system passwords
CradlePoint
Recommenda0on
Change the Default Passwords
§ CP’s Enhanced Password Protection
– For
out-­‐of-­‐box
security,
CradlePoint
products
do
not
ship
with
a
generic
default
password.
– Each
router
has
a
unique
password
that
u0lizes
a
por0on
of
the
router’s
MAC
address.
§ PCI-DSS Still Requires Pwd Change
– PCI-­‐DSS
Requirement
2.1
requires
that
the
merchant
change
the
default
password
on
the
router.
– Even
though
the
CradlePoint
passwords
are
unique
to
each
individual
router,
CradlePoint
recommends
that
the
customer
select
a
new
unique
password
for
each
device
that
is
only
known
to
system
administrators
with
a
need-­‐to-­‐know.
§ WiPipe Central
– Enables
password
management
from
a
centralized
loca0on,
elimina0ng
the
need
to
log
into
each
router
to
change
the
password.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
21

22. Achieving PCI Compliance
Requirement
3
Protect Stored Cardholder Data
Descrip0on
Protect
stored
cardholder
data
Goal
Protect
stored
cardholder
data
Requirements
3.1
Keep
cardholder
data
storage
to
a
minimum
by
implemen0ng
data
reten0on
and
disposal
policies,
procedures
and
processes.
3.2
Do
not
store
sensi0ve
authen0ca0on
data
a_er
authoriza0on
(even
if
encrypted).
3.3
Mask
PAN
when
displayed
(the
first
six
and
last
four
digits
are
the
maximum
number
of
digits
to
be
displayed).
3.4
Render
PAN
unreadable
anywhere
it
is
stored
(including
on
portable
digital
media,
backup
media,
and
in
logs).
3.5
Protect
any
keys
used
to
secure
cardholder
data
against
disclosure
and
misuse.
3.6
Fully
document
and
implement
all
key-­‐management
processes
and
procedures
for
cryptographic
keys
used
for
encryp0on
of
cardholder
data.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
22

23. Achieving PCI Compliance Protect Cardholder Data
R-3)
Protect stored cardholder data.
CradlePoint
Recommenda0on
Minimize Resources within CDE Network Segment
§ Network Segmentation
– Par00on
network
resources
into
individual
“Network
Segments”,
such
as:
– Resources
on
one
network
segment
are
securely
par00oned
from
other
segments
– Enables
a
single
router
&
WAN
to
be
used
for
mul0ple
purposes
§ Resource Assignment
– Each
network
segment
can
be
assigned
individual
network
resources,
including:
§ Ethernet
ports
§ WiFi
SSIDs
§ VLANs
– Each
Network
Segment
can
be
configured
with
its
own
§ IP
Address
configura0on
(sta0c,
dynamic,
range)
§ Rou0ng
Mode
(NAT,
non-­‐NAT,
Public
Hotspot/Cap0ve
Portal)
§ Access
Control
(Admin
Access,
LAN
Isola0on,
etc)
§ Interfaces
(choose
from
WiFi
SSIDs,
Ethernet
Groups
and
VLANs)
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
23

24. Achieving PCI Compliance Protect Cardholder Data
R-4)
Encrypt cardholder data across open, public networks.
Requirement
4
Encrypt Transmission of Cardholder Data
Descrip0on
Encrypt
transmission
of
cardholder
data
across
open,
public
networks.
Goal
Protect
cardholder
data
Requirements
4.1
Use
strong
cryptography
and
security
protocols
(for
example,
SSL/TLS,
IPSEC,
SSH,
etc.)
to
safeguard
sensi0ve
cardholder
data
during
transmission
over
open,
public
networks.
4.2
Never
send
unprotected
PANs
by
end-­‐user
messaging
technologies
(for
example,
e-­‐
mail,
instant
messaging,
chat,
etc.).
Note:
§ The
use
of
WEP
as
a
security
control
was
prohibited
as
of
30
June
2010.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
24

25. Achieving PCI Compliance Protect Cardholder Data
R-4)
Encrypt cardholder data across open, public networks.
CradlePoint
Recommenda0on
Create Secure WAN Connectivity
§ Virtual Private Network (VPN)
– VPN
tunnels
are
used
to
establish
a
secure
connec0on
to
a
remote
network
over
a
public
network.
– For
example,
VPN
tunnels
can
be
used
across
the
internet
by
an
individual
store
loca0on
to
connect
to
the
corporate
data
center
or
by
two
individual
store
loca0ons
to
func0on
as
if
connected
with
one
network.
– The
two
networks
set
up
a
secure
connec0on
across
the
(normally)
unsecure
internet
by
assigning
VPN
encryp0on
protocols.
§ Generic Routing Encapsulation (GRE)
– GRE
tunnels
can
be
used
to
create
a
connec0on
between
two
private
networks.
– CradlePoint
routers
support
both
GRE
and
VPN
tunnels.
– GRE
tunnels
are
simpler
to
configure
and
more
flexible
for
different
kinds
of
packet
exchanges,
but
VPN
tunnels
are
much
more
secure.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
25

26. Achieving PCI Compliance Protect Cardholder Data
R-4)
Encrypt cardholder data across open, public networks.
CradlePoint
Recommenda0on
Create Secure WAN Connectivity (continued)
§ Internet Protocol security (IPsec)
– CradlePoint
routers
uses
IPsec
(Internet
Protocol
security)
to
authen0cate
and
encrypt
packets
exchanged
across
the
tunnel.
– To
set
up
a
VPN
tunnel
with
a
CradlePoint
router
on
one
end,
there
must
be
another
device
(usually
a
router)
that
also
supports
IPsec
on
the
other
end.
§ Internet Key Exchange (IKE)
– IKE
is
the
security
protocol
in
IPsec.
– IKE
has
two
phases,
Phase
1
and
Phase
2.
– CradlePoint
routers
have
several
different
security
protocol
op0ons
for
each
phase,
but
the
default
selec0ons
will
be
sufficient
for
most
users.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
26

27. Achieving PCI Compliance
Requirement
5
Use Anti-Virus Software
Descrip0on
Use
and
regularly
update
an0-­‐virus
so_ware
or
programs.
Goal
Maintain
a
vulnerability
management
program.
Requirements
5.1
Deploy
an0-­‐virus
so_ware
on
all
systems
commonly
affected
by
malicious
so_ware
(par0cularly
personal
computers
and
servers).
5.2
Ensure
that
all
an0-­‐virus
mechanisms
are
current,
ac0vely
running,
and
genera0ng
audit
logs.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
27

28. Achieving PCI Compliance
Requirement
6
Develop & Maintain Secure Systems & Apps
Descrip0on
Develop
and
maintain
secure
systems
and
applica0ons.
Goal
Maintain
a
vulnerability
management
program.
Requirements
6.1
Ensure
that
all
system
components
and
so_ware
are
protected
from
known
vulnerabili0es
by
having
the
latest
vendor-­‐supplied
security
patches
installed.
Install
cri0cal
security
patches
within
one
month
of
release.
6.2
Establish
a
process
to
iden0fy
and
assign
a
risk
ranking
to
newly
discovered
security
vulnerabili0es.
6.3
Develop
so_ware
applica0ons
in
accordance
with
PCI
DSS
and
based
on
industry
best
prac0ces.
6.4
Follow
change
control
processes
&
procedures
for
all
changes
to
system
components.
6.5
Develop
applica0ons
based
on
secure
coding
guidelines.
Prevent
common
coding
vulnerabili0es
in
so_ware
development.
6.6
For
public-­‐facing
web
applica0ons,
address
new
threats
and
vulnerabili0es
on
an
ongoing
basis
and
ensure
these
applica0ons
are
protected
against
known
aaacks.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
28

29. Achieving PCI Compliance Maintain a Vulnerability Management Program
R-6)
Develop and maintain secure systems and applications.
CradlePoint
Recommenda0on
Keep Device Firmware Updated with WiPipe Central
§ Rationale
– Hackers
use
security
vulnerabili0es
to
gain
privileged
access
to
systems.
– The
PCI-­‐DSS
2.0
document
recognizes
that
providers
of
system
component
(including
network
devices)
regularly
test
for
new
vulnerabili0es.
– Component
providers
regularly
issues
so_ware
upgrades
to
address
these
issues.
§ PCI Requirement 6.1
– Mandates
that
all
cri0cal
systems
must
have
the
most
recently
released,
appropriate
so_ware
patches
to
protect
against
exploita0on
and
compromise
of
cardholder
data
by
malicious
individuals
and
malicious
so_ware.
– Requires
that
cri0cal
so_ware
patches
must
be
installed
within
1
month
of
release.
§ WiPipe Central – Firmware Management
– WiPipe
Central
enables
each
device
group
to
have
a
firmware
version
selected
to
be
used
on
all
devices
in
the
group.
– Network
administrators
can
choose
the
firmware
version
for
a
given
group
to
use
by
selec0ng
it
from
the
list.
– The
facility
allows
the
firmware
version
to
be
downgraded
as
well
as
upgraded.
– If
any
devices
are
upgraded,
either
accidentally
or
without
authoriza0on,
WiPipe
Central
will
automa0cally
reverse
the
upgrade.
CradlePoint
P– x
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
roprietary
29

30. Achieving PCI Compliance Maintain a Vulnerability Management Program
R-6)
Develop and maintain secure systems and applications.
CradlePoint
Recommenda0on
Lock Down the Configuration with WiPipe Central
§ Centralized Configuration Management
– Enables
group
management
of
deployed
routers
– Group
configura0on
ensures
that
routers
are
consistently
configured
– Enables
central
control
of
device
configura0on
§ Prevent Unauthorized Changes
– If
individual
router
configura0ons
are
accidentally
or
maliciously
changed,
WiPipe
Central
detects
and
reverses
the
change
– Enables
administrators
to
ensure
that
router
configura0ons
are
“locked
down”.
§ Require Changes to be made through WiPipe Central
– Creates
and
audit
log
for
access
&
control
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
30

31. Achieving PCI Compliance
Requirement
7
Restrict Access to Cardholder Data
Descrip0on
Restrict
access
to
cardholder
data
by
business
need
to
know.
Goal
Implement
strong
access
control
measures.
Requirements
7.1
Limit
access
to
system
components
and
cardholder
data
to
only
those
individuals
whose
job
requires
such
access.
7.2
Establish
an
access
control
system
for
systems
components
with
mul0ple
users
that
restricts
access
based
on
a
user’s
need
to
know,
and
is
set
to
“deny
all”
unless
specifically
allowed.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
31

32. Achieving PCI Compliance
Requirement
8
Assign Unique IDs to Each Person w/ Access
Descrip0on
Assign
a
unique
ID
to
each
person
with
computer
access.
Goal
Implement
strong
access
control
measures.
Requirements
8.1
Assign
all
users
a
unique
ID
before
allowing
them
to
access
system
components
or
cardholder
data.
8.2
In
addi0on
to
assigning
a
unique
ID,
employ
methods
to
authen0cate
all
users:
password
or
passphrase,
token
device
or
smart
card,
biometric.
8.3
Incorporate
two-­‐factor
authen0ca0on
for
remote
access
(network-­‐level
access
origina0ng
from
outside
the
network)
to
the
network
by
employees,
administrators,
and
third
par0es.
8.4
Render
all
passwords
unreadable
during
transmission
and
storage
on
all
system
components
using
strong
cryptography.
8.5
Ensure
proper
user
iden0fica0on
and
authen0ca0on
management
for
non-­‐
consumer
users
and
administrators
on
all
system
components.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
32

33. Achieving PCI Compliance
Requirement
9
Restrict Physical Access to Cardholder Data
Descrip0on
Restrict
physical
access
to
cardholder
data
Goal
Implement
strong
access
control
measures.
Requirements
9.1
Use
appropriate
facility
entry
controls
to
limit
and
monitor
physical
access
to
systems
in
the
cardholder
data
environment.
9.2
Develop
procedures
to
easily
dis0nguish
between
onsite
personnel
and
visitors,
especially
in
areas
where
cardholder
data
is
accessible.
9.3
Make
sure
all
visitors
are
authorized,
given
a
badge,
and
badge
collected
on
exit.
9.4
Use
a
visitor
log
to
maintain
a
physical
audit
trail
of
visitor
ac0vity.
9.5
Store
media
back-­‐ups
in
a
secure
loca0on,
preferably
an
off-­‐site
facility,
such
as
an
alternate
or
back-­‐up
site,
or
a
commercial
storage
facility.
Review
the
loca0on’s
security.
9.6
Physically
secure
all
media.
9.7
Maintain
strict
control
over
the
internal
or
external
distribu0on
of
any
kind
of
media.
9.8
Ensure
management
approves
any
and
all
media
that
is
moved
from
a
secured
area
9.9
Maintain
strict
control
over
the
storage
and
accessibility
of
media.
9.10
Destroy
media
when
it
is
no
longer
needed
for
business
or
legal
reasons.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
33

34. Achieving PCI Compliance
Requirement
10
Regularly Monitor and Test Networks
Descrip0on
Regularly
monitor
and
test
networks.
Goal
Track
and
monitor
all
access
to
network
resources
and
cardholder
data.
Requirements
10.1
Establish
a
process
for
linking
all
access
to
system
components
(especially
access
done
with
administra0ve
privileges
such
as
root)
to
each
individual
user.
10.2
Implement
automated
audit
trails
for
all
system
components
to
reconstruct
the
various
important
events
named
in
the
Requirements.
10.3
Record
audit
trail
entries
for
all
system
components
for
each
event
as
defined.
10.4
Using
0me-­‐synch
technology,
synchronize
all
cri0cal
system
clocks
&
0mes
and
ensure
that
the
following
is
implemented
for
acquiring,
distribu0ng,
&
storing
0me.
10.5
Secure
audit
trails
so
they
cannot
be
altered.
10.6
Review
logs
for
all
system
components
at
least
daily.
Log
reviews
must
include
those
servers
that
perform
security
func0ons
like
intrusion-­‐detec0on
system
(IDS)
and
authen0ca0on,
authoriza0on,
and
accoun0ng
protocol
(AAA)
servers.
10.7
Retain
audit
trail
history
for
at
least
one
year,
with
a
minimum
of
three
months
immediately
available
for
analysis
(ie,
online,
archived,
or
restorable
from
back-­‐up).
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
34

35. Achieving PCI Compliance Regularly Monitor and Test Networks
R-10)
Track & monitor all access to network resources & cardholder data.
CradlePoint
Recommenda0on
Utilize an External SysLog Server
§ System Logs as an Audit Trail
– The
router
automa0cally
logs
(records)
events
of
possible
interest
in
its
internal
memory.
– The
log
op0ons
allow
you
to
filter
the
router
logs
based
on
categories,
allowing
customiza0on
of
the
types
and
level
of
events
to
record
and
the
level
of
events
to
view.
– System
logs
are
can
be
used
to
iden0fy
§ Unauthorized
login
aaempts
§ Unauthorized
configura0on
changes
§ Penetra0on
aaempts
§ Security
aaacks
§ Persistence Preserves the Audit Trail
– U0lize
the
WiPipe
Central
to
centrally
synchronize
and
store
the
system
logs.
– Alterna0vely,
the
router
can
be
configured
to
communicate
with
an
external
Syslog
Server
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
35

36. Achieving PCI Compliance Regularly Monitor and Test Networks
R-10)
Track & monitor all access to network resources & cardholder data.
CradlePoint
Recommenda0on
Utilize an External Time Server
§ Time Synchronization
– Configure
routers
to
communicate
with
an
external
Time
server
– Makes
it
more
difficult
to
change
system
logs
or
hide
aaacks
– Network
Time
Protocol
(NTP)
enables
the
router
to
synchronize
its
system
0me
with
a
remote
server
on
the
internet.
– NTP
is
an
important
part
of
using
System
Logs
to
accurately
monitor
PCI
Compliance.
§ NTP Server Options
– pool.ntp.org
– 0me.nist.gov
– 0me-­‐windows.com
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
36

37. Achieving PCI Compliance
Requirement
11
Test Security Systems and Processes
Descrip0on
Regularly
test
security
systems
and
processes.
Goal
Track
and
monitor
all
access
to
network
resources
and
cardholder
data.
Requirements
11.1
Test
for
the
presence
of
wireless
access
points
and
detect
unauthorized
wireless
access
points
on
a
quarterly
basis.
11.2
Run
internal
and
external
network
vulnerability
scans
at
least
quarterly
and
a_er
any
significant
change
in
the
network
(such
as
new
system
component
installa0ons,
changes
in
network
topology,
firewall
rule
modifica0ons,
product
upgrades).
11.3
Perform
external
and
internal
penetra0on
tes0ng
at
least
once
a
year
and
a_er
any
significant
infrastructure
or
applica0on
upgrade
or
modifica0on.
11.4
Use
intrusion-­‐detec0on
systems,
and/or
intrusion-­‐preven0on
systems
to
monitor
all
traffic
at
the
perimeter
of
the
CDE
as
well
as
at
cri0cal
points
inside
of
the
CDE,
and
alert
personnel
to
suspected
compromises.
11.5
Deploy
file-­‐integrity
monitoring
tools
to
alert
personnel
to
unauthorized
modifica0on
of
cri0cal
system
files,
configura0on
files,
or
content
files;
and
configure
the
so_ware
to
perform
cri0cal
file
comparisons
at
least
weekly.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
37

38. Achieving PCI Compliance
Requirement
12
Information Security Policy for Personnel
Descrip0on
Maintain
a
policy
that
addresses
informa0on
security
for
all
personnel.
Goal
Maintain
an
informa0on
security
policy.
Requirements
12.1
Establish,
publish,
maintain,
and
disseminate
a
security
policy.
12.2
Develop
daily
opera0onal
security
procedures.
12.3
Develop
usage
policies
for
cri0cal
technologies
(for
example,
remote
access,
wireless)
and
define
proper
use
of
these
technologies.
12.4
Ensure
that
the
security
policy
and
procedures
clearly
define
informa0on
security
responsibili0es
for
all
personnel.
12.5
Assign
to
an
individual
or
team
defined
informa0on
security
management
responsibili0es:
12.6
Implement
a
formal
security
awareness
program
to
make
all
personnel
aware
of
the
importance
of
cardholder
data
security.
12.7
Screen
poten0al
personnel
prior
to
hire
to
minimize
the
risk
of
aaacks
from
internal
sources.
12.8
If
cardholder
data
is
shared
with
service
providers,
maintain
and
implement
policies
and
procedures
to
manage
service
providers.
12.9
Implement
an
incident
response
plan.
Be
prepared
to
respond
immediately
to
a
system
breach.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
38

39. Achieving PCI Compliance
Summary of Recommendations
§ Step
1:
Segment
the
network
into
individual
“security
zones”
§ Step
2:
Configure
the
firewall
§ Step
3:
Lock
down
the
router
entry
points
§ Step
4:
Change
the
default
passwords
§ Step
5:
Minimize
resources
within
CDE
network
segment
§ Step
6:
Create
secure
WAN
connec0vity
§ Step
7:
Keep
device
updated
with
the
latest
firmware
using
WPC
§ Step
8:
Lock
down
the
configura0on
with
WiPipe
Central
§ Step
9:
Configure
communica0on
with
an
external
SysLog
server
§ Step
10:
Configure
communica0on
with
an
external
Time
server
§ Step
11:
Monitor
PCI
Compliance
with
WiPipe
Central
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
39

40. Achieving PCI Compliance
Achieving PCI Compliance
§ CradlePoint Enablers for PCI Compliance
– CradlePoint
routers
provide
several
features
to
enable
compliance
with
the
PCI-­‐DSS
2.0
requirements
– PCI
Compliance
requires
routers
to
be
properly
configured,
monitored
&
maintained.
– WiPipe
Central’s
PCI
Compliance
Monitoring
applica0on
enables
customers
to
demonstrate
compliance
in
real-­‐0me,
not
just
for
the
quarterly
or
annual
audits.
§ CradlePoint can Help
– The
“CradlePoint
Enablers
for
a
PCI
Complaint
System”
applica0on
note
provides
details
regarding
CradlePoint
features
and
capabili0es
that
have
been
used
by
other
customers
to
help
achieve
PCI
Compliance
for
their
end-­‐to-­‐end
systems.
– CradlePoint
professional
services
can
guide
customers
through
the
installa0on,
configura0on
and
monitoring
process
§ Proven Success
– CradlePoint
devices
are
u0lized
in
several
large-­‐scale,
PCI-­‐compliant
deployments.
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
40

41. Questions?
Ken Hosac
VP Business Development
Rudy Cedillo
Sr. Enterprise Support Engineer
webinars@cradlepoint.com
www.CradlePoint.com
www.cradlepoint.com/
4g-­‐3g-­‐network-­‐solu0ons/
www.cradlepoint.com
www.cradlepoint.com/WiPipe
case-­‐studies
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
41

42. Achieving PCI Compliance
Key Solution Features for PCI Compliance
§ PCI
Compliance
Monitoring
§ De-­‐Militarized
Zone
(DMZ)
applica0on
for
WiPipe
Central,
to
§ Virtual
Server
manage
configura0on,
firmware
updates
and
monitor
usage.
§ Ability
to
disable
WAN
services
(ping,
WNMP,
web-­‐based
mgmt,
etc)
§ Network
Segmenta0on
(Ethernet,
SSID
and
VLAN)
§ MAC
filtering
§ Ethernet
ports
(4)
that
can
be
§ Session
filtering
(non-­‐UDP/TCP/
individually
assigned
to
specific
ICMP)
segments
§ Layer
2
Tunneling
Protocol
(L2TP)
§ WiFi
SSIDs
(4)
that
can
be
§ VPN
Client
with
support
for
up
to
20
individually
secured
and
assigned
to
tunnels
(product-­‐specific)
specific
segments
§ IPSec
§ Virtual
LAN
support
and
tagging
§ GRE
(VLAN)
§ WiFi
security
(WPA/WPA2
Personal/
§ Stateful
Packet
Inspec0on
(SPI)
Enterprise,
AES/TKIP)
§ Network
Address
Transla0on
(NAT)
§ RADIUS
user
authen0ca0on
on
WiFi
§ Applica0on
Level
Gateways
(ALG)
§ SysLog
support
§ Inbound
filtering
of
IP
addresses
§ Aler0ng
CradlePoint
Proprietary
and
Confiden0al
|
©2012
CradlePoint
Inc.
|
All
rights
reserved.
|
Informa0on
subject
to
change
without
no0ce.
42