Payment Card Industry Data Security Standard & Cisco Security Tec

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard mandated by the major payment card brands, including Visa, MasterCard, American Express, Discover, and JCB. It applies to any organization that processes, stores, or transmits payment card data. PCI DSS is not required by US federal law; it is imposed contractually by the card brands and administered by the Payment Card Industry Security Standards Council. Some states, however, directly reference PCI DSS or an equivalent standard in their laws.

PCI DSS has 6 goals, divided into 12 requirements (numbered 1 through 12 below):

Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for employees and contractors.

The requirements themselves are fairly simple to state, but one important point to remember is that cardholder data often traverses the same network infrastructure as every other kind of data in an organization. If the cardholder data environment (CDE) is not segmented, the entire network falls within the scope of a PCI DSS assessment, which increases the cost and complexity of compliance. Hence, while the standard does not make segmentation a requirement, it is important to isolate the CDE from the rest of the network. Segmentation can be achieved with traditional methods such as access lists and VLANs or with newer technologies such as TrustSec. Where segmentation is used to reduce scope, PCI DSS also expects the segmentation controls to be tested to confirm that they actually isolate the CDE; an ACL that looks right on paper but is misordered does not reduce scope.
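The segmentation point above is something a practitioner verifies rather than assumes. The following is an added example, not code from this article or from Cisco: a small Python checker that parses Cisco-style extended ACL entries (a constructed subset: permit/deny, ip/tcp/udp, "any" / "host A.B.C.D" / "A.B.C.D WILDCARD", optional "eq PORT"), evaluates them first-match with the implicit trailing deny, and lists which test flows are allowed into an assumed CDE VLAN of 10.100.0.0/24. It contrasts a misordered ACL, where a blanket "permit ip any any" was placed before the deny toward the CDE, with the corrected ordering. The ACL name, all addresses and the probe flows are hypothetical.

```python
"""Added example: does this ACL actually segment the cardholder-data VLAN?

Stand-alone checker, not Cisco's code. It handles a constructed subset of
Cisco extended ACL syntax and uses hypothetical addresses throughout.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CDE_NET = ipaddress.ip_network("10.100.0.0/24")   # assumed cardholder-data VLAN

# Weak ACL (constructed): the blanket permit sits first, so the deny toward
# the CDE below it is never reached, because the first matching entry wins.
ACL_WEAK = """
ip access-list extended CORP-TO-CDE
 permit ip any any
 permit tcp host 10.20.0.10 10.100.0.0 0.0.0.255 eq 22
 permit tcp 10.20.5.0 0.0.0.255 host 10.100.0.50 eq 443
 deny ip any 10.100.0.0 0.0.0.255
"""

# Corrected ACL (constructed): specific permits, then deny everything else
# into the CDE, then the general permit for traffic that never touches it.
ACL_FIXED = """
ip access-list extended CORP-TO-CDE
 permit tcp host 10.20.0.10 10.100.0.0 0.0.0.255 eq 22
 permit tcp 10.20.5.0 0.0.0.255 host 10.100.0.50 eq 443
 deny ip any 10.100.0.0 0.0.0.255
 permit ip any any
"""


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None when the entry names no destination port


def _parse_spec(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wild & (wild + 1):                      # wildcard must be contiguous low bits
        raise ValueError(f"non-contiguous wildcard mask {tokens[i + 1]}")
    prefix = 32 - wild.bit_length()
    base = ipaddress.IPv4Address(addr & ~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{base}/{prefix}"), i + 2


def parse_acl(text):
    """Parse the permit/deny lines of an extended ACL; the header line is skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _parse_spec(t, 2)
        dst, i = _parse_spec(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(t[0], t[1], src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation; traffic matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def cde_exposure(acl_text, probes, cde=CDE_NET):
    """Return the probes (proto, src, dst, dport) that the ACL lets into the CDE."""
    aces = parse_acl(acl_text)
    return [p for p in probes
            if ipaddress.ip_address(p[2]) in cde and evaluate(aces, *p) == "permit"]


# Constructed test flows: an ordinary workstation, the admin jump host and a
# payment-application server, each trying to reach a host inside the CDE.
PROBES = [
    ("tcp", "10.20.7.33", "10.100.0.50", 443),   # workstation -> CDE web tier
    ("tcp", "10.20.0.10", "10.100.0.20", 22),    # jump host -> CDE host (expected)
    ("tcp", "10.20.5.17", "10.100.0.50", 443),   # payment app -> CDE API (expected)
    ("tcp", "10.20.5.17", "10.100.0.50", 22),    # payment app -> SSH (should fail)
]

if __name__ == "__main__":
    for name, acl in (("weak", ACL_WEAK), ("fixed", ACL_FIXED)):
        print(name, "ACL lets these flows into the CDE:", cde_exposure(acl, PROBES))
```

Run against the weak ACL, all four flows reach the CDE; against the corrected one, only the jump host on port 22 and the payment application on port 443 do. The same first-match logic applies to any address-based ACL, whether on a router SVI or an ASA; TrustSec policy is expressed as a matrix of security group tags rather than address-based entries and would need its own checker.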

Table 1 maps PCI DSS goals to relevant Cisco security products and technologies.

Table 1 PCI DSS and Cisco Security Product/Technologies

PCI DSS Goal                                  Cisco Security Products/Technologies
Build and Maintain a Secure Network           Cisco Firepower NGFW, Firepower NGIPS, ASA
Protect Cardholder Data                       Cisco VPN technologies on NGFW, ASA, and routers
Maintain a Vulnerability Management Program   Cisco AMP
Implement Strong Access Control Measures      Cisco ISE, TrustSec
Regularly Monitor and Test Networks           NGFW, NGIPS, FMC, Stealthwatch
Maintain an Information Security Policy       N/A
