
Learn how PCI affects Cisco network configuration

If your business accepts credit cards and you haven't yet had to get tough with your network security, you will eventually. David Davis explains how the PCI data security standards affect your Cisco router and switch security configuration.

Why should I care about the PCI data security standards (DSS)?

By David Davis

If your company accepts credit cards as payment for goods or services, you should be aware of the Payment Card Industry (PCI) data security standards (DSS). These standards were created to protect the credit card information of all consumers. Even if you aren't a network admin affected by the PCI DSS, you, as a consumer, should still be concerned about credit card security. Frankly, the large corporations that accept millions of dollars in credit card payments should have long since met all the PCI security standards. However, many smaller businesses fall below the transaction volume at which a professional on-site audit is required, and so must assess themselves. Also, the PCI DSS continues to be updated to be more specific about what is required to secure your network.

I have been required to fill out the PCI DSS self-assessment questionnaire, so I can tell you from experience that you may end up with more questions than answers after studying it. And once you delve into PCI security, you may find that the PCI data security standards can require critical changes to your network.

What does the PCI DSS 1.1 require of me as a network admin?

The PCI DSS 1.1 data security standard can be found in a 17-page document at the PCI DSS Web site. The document spells out what you need to do to protect the credit card data of your customers. For example, section titles are:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Except for "protect cardholder data," all of these are things that we should already be doing to protect our network -- whether we are required to comply with the PCI standards or not.

So without reading the entire document to learn more, what are things that you will need to do to protect your network and comply?

  • Implement a firewall at every Internet connection; have a formal change-control process and a current network diagram; document and justify every open port and protocol; and review firewall rule sets and documentation quarterly. The firewall must use stateful inspection and must restrict inbound Internet traffic to systems in the DMZ, never directly to internal hosts.
  • Create configuration standards for routers, and keep the startup and running configurations synchronized so that a reboot cannot silently revert a security change.
  • Install personal firewall software on all mobile computers that are used to access the organization's network.
  • Prohibit direct access from Internet to any computer that stores credit card data.
  • Do not use default passwords on wireless equipment and enable WPA or WPA2 (I would always use WPA2 if available). If you don't use WPA or WPA2, you can use IPsec or SSL/TLS. If you use WEP, then the DSS offer very specific requirements that must be met.
  • Disable all unnecessary services and remove unneeded functionality on servers.
  • Implement only one primary function per server.
  • Encrypt all non-console administrative access: use SSH, HTTPS or a VPN for remote management instead of Telnet or plain HTTP. (The physical console port is exempt because it is protected by physical access control, not encryption.)
  • Encrypt transmission of credit card data across open public networks.
  • Never send credit card information via e-mail.
  • Use and regularly update antivirus software, and make sure it generates audit logs.
  • Install all security patches within one month of release.
  • Subscribe to a security vulnerability alerting service.
  • Assign a user ID to every person with computer access.
  • Implement two-factor authentication for remote access.
  • Encrypt all passwords as they traverse the network.
  • Immediately revoke user access for any terminated user; change user passwords every 90 days; and implement many more user-related requirements.
  • Restrict physical access to credit card data -- use card key systems at the data center.
  • Store backup tapes in a secure location.
  • Track and monitor all access to network resources (including audit trails).
  • Synchronize all critical system clocks.
  • Review AAA and IDS logs daily.
  • Run internal and external vulnerability scans at least quarterly (external scans through a qualified scanning vendor), and perform penetration testing at least once a year and after any significant change to the network.
  • Deploy file integrity monitoring.
  • Maintain a security policy (with many more details about that policy included in the DSS).

Wow, that is quite a list, right? Even if you are directly affected by PCI and even if you are a large corporation, I would guess that you are either not doing some of the things on this list or, at minimum, you struggle daily to keep up with the PCI requirements.

As I read this list, I think of so many Cisco router, switch, firewall, and wireless AP features that you need to implement. Perhaps you are already doing these, perhaps not.
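As an added example (not part of the original article, and not a Cisco tool), the following Python script reads an IOS-style running configuration and flags the items from the list above that show up directly in a router config: cleartext Telnet or HTTP management, passwords stored unencrypted, a weak enable password, and missing AAA, NTP and remote syslog. It also diffs the running configuration against the startup configuration to catch drift. The two sample configurations are constructed for this example; the hostname, addresses and password hashes are placeholders, and the pairing of each check with a PCI item is my reading of the list, not wording from the standard.

```python
"""Audit a Cisco IOS-style configuration for the PCI-relevant items listed above."""
import re

# Constructed sample of a weak edge router config (placeholder names/addresses).
SAMPLE_RUNNING_CONFIG = """\
version 12.4
hostname edge-rtr
no service password-encryption
ip http server
enable password cisco123
username admin password 0 admin123
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
line vty 0 4
 transport input telnet
 login local
end
"""

# Constructed startup config: same device before "ip http server" was added
# in the running config and never saved, i.e. the two have drifted apart.
SAMPLE_STARTUP_CONFIG = SAMPLE_RUNNING_CONFIG.replace("ip http server\n", "")

# Constructed hardened config; hashes are placeholders, not real secrets.
HARDENED_CONFIG = """\
version 12.4
hostname edge-rtr
service password-encryption
aaa new-model
no ip http server
ip http secure-server
enable secret 5 $1$abcd$placeholderhash
username admin secret 5 $1$abcd$placeholderhash
ip ssh version 2
ntp server 192.0.2.10
logging host 192.0.2.20
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
line vty 0 4
 transport input ssh
end
"""


def _has(pattern):
    """Return a predicate that is true when `pattern` matches any config line."""
    return lambda cfg: re.search(pattern, cfg, re.MULTILINE) is not None


# (id, description, predicate that fires on a weakness, IOS remediation command).
# The IOS commands are standard syntax; the PCI mapping is the editor's reading.
CHECKS = [
    ("telnet-admin", "Telnet allowed on VTY lines (unencrypted admin access)",
     _has(r"^\s*transport input (?:all|telnet)"), "transport input ssh"),
    ("http-server", "Cleartext HTTP management enabled",
     _has(r"^ip http server$"), "no ip http server / ip http secure-server"),
    ("clear-passwords", "Passwords stored unencrypted in the config",
     _has(r"^no service password-encryption$"), "service password-encryption"),
    ("weak-enable", "'enable password' used instead of 'enable secret'",
     _has(r"^enable password "), "enable secret <value>"),
    ("no-aaa", "AAA not enabled (no per-user authentication/accounting)",
     lambda cfg: not _has(r"^aaa new-model$")(cfg), "aaa new-model"),
    ("no-ntp", "No NTP server configured (clocks not synchronized)",
     lambda cfg: not _has(r"^ntp server ")(cfg), "ntp server <ip>"),
    ("no-syslog", "No remote syslog destination (no central audit trail)",
     lambda cfg: not _has(r"^logging (?:host )?\d")(cfg), "logging host <ip>"),
]


def audit_config(running):
    """Return [(id, description, fix), ...] for every check that fires."""
    return [(cid, desc, fix) for cid, desc, pred, fix in CHECKS if pred(running)]


def config_drift(running, startup):
    """Return (only_in_running, only_in_startup): lines that differ between the two."""
    run_lines = {line.rstrip() for line in running.splitlines() if line.strip()}
    start_lines = {line.rstrip() for line in startup.splitlines() if line.strip()}
    return sorted(run_lines - start_lines), sorted(start_lines - run_lines)


if __name__ == "__main__":
    for cid, desc, fix in audit_config(SAMPLE_RUNNING_CONFIG):
        print(f"[{cid}] {desc}\n    fix: {fix}")
    only_run, only_start = config_drift(SAMPLE_RUNNING_CONFIG, SAMPLE_STARTUP_CONFIG)
    print("unsaved in running config:", only_run)
    print("lost from startup config:", only_start)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Feed it the output of `show running-config` and `show startup-config` from a real device and you get a first-pass checklist before the quarterly review; the regexes are deliberately simple, so treat a clean result as "nothing obvious", not as compliance.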

These are just some of the features that I have written about that should help you to meet those tough PCI DSS requirements:

Besides "features" that you should enable, there are many more policy and procedure changes that must be implemented. Many times the procedural changes are more difficult to implement than the device security features.

Conclusion

Meeting PCI security requirements is very important to you if your business accepts credit cards for goods or services. Even if your business doesn't accept credit cards and is not affected by the PCI standards, these PCI data security standards require critical security features and procedural changes that we should all be implementing in our networks.

For more information on PCI as it relates to Cisco products, visit Cisco's PCI Solutions for Retail Web page.

David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT professionals and end users.


Comments

Mr. Content

I wish there were a bigger focus on multivendor network-device PCI compliance; taking the Cisco-only approach really limits the applicability of the article content to any larger-scale multivendor environments (where the most compliance pain is being felt)

Photogenic Memory

This is a great article. I'm sort of a simpleton. Anyways, my first assumption was that we have to start securing the PCI cards in the servers on the hardware level, LOL! Once again, a great article. Thank you.

wbaltas

Good article, it would also be good to point out that a lot of these requirements are simply good practice with or without PCI requirements.

ddavis

Have any of you all been hit hard by network changes required to become PCI compliant? -David

lewko98

The company I work for is mandated to comply with PCI standards, and it's a struggle, as PCI compliance can be a job in itself (look at logs daily for auths and file integrity... too time consuming). We are looking to replace some of the older software we have in place for file integrity monitoring and network access control; can you or anyone recommend any?

Mr. Content

VoyenceControl (now owned by EMC) for network change and configuration management, as well as PCI compliance.

brianmcmurdie

I've implemented a couple different file integrity monitoring tools and have had great success in complying with PCI in this area. Namely: Tripwire and Solidcore. Solidcore has some amazing tools that can enforce security at the kernel level, whereas Tripwire is the industry standard for file monitoring (no prevention capabilities, though). Anybody know of others?

IT Guy with many hats

Are people who do part time jobs from home that accept credit cards for payment subject to these requirements also?

Mr. Content

Check out the DSS spec to see what applies to you based on your transaction load and such; PCI has many different compliance levels, the requirements for which vary significantly depending on your CC transaction volume and $ totals.
