If your business accepts credit cards and you haven't yet had to get tough with your network security, you will eventually. David Davis explains how the PCI data security standards affect your Cisco router and switch security configuration.
Why should I care about the PCI data security standards (DSS)?
If your company accepts credit cards as payment for goods or services, you should be aware of the Payment Card Industry (PCI) data security standards (DSS). These standards were created to protect the credit card information of all consumers. Even if you aren't a network admin affected by the PCI DSS, you, as a consumer, should still be concerned about credit card security. Frankly, the large corporations that accept millions of dollars in credit card payments should have long since met all the PCI security standards. However, there are many businesses that aren't at a level that they are required to be professionally audited. Also, the PCI DSS continues to be updated to be more specific about what is required to secure your network.
I have been required to fill out the PCI DSS self-assessment questionnaire, so I can tell you from experience that you may end up with more questions than answers after studying it. And once you delve into PCI security, you may find that the PCI data security standards can require critical changes to your network.
What does the PCI DSS 1.1 require of me as a network admin?
The PCI DSS 1.1 data security standard can be found in a 17-page document at the PCI DSS Web site. The document spells out what you need to do to protect the credit card data of your customers. For example, section titles are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Except for "protect cardholder data," all of these are things that we should already be doing to protect our network -- whether we are required to comply with the PCI standards or not.
So without reading the entire document to learn more, what are things that you will need to do to protect your network and comply?
- Implement a firewall at every Internet connection; have a formal process for change and a network diagram; document and justify open ports; and review firewall configuration and documentation quarterly. The firewall must be stateful and restrict traffic to only inbound traffic in the DMZ.
- Create configuration standards for routers; require startup and running configuration of routers to be the same.
- Install personal firewall software on all mobile computers that are used to access the organization's network.
- Prohibit direct access from Internet to any computer that stores credit card data.
- Do not use default passwords on wireless equipment and enable WPA or WPA2 (I would always use WPA2 if available). If you don't use WPA or WPA2, you can use IPsec or SSL/TLS. If you use WEP, then the DSS offer very specific requirements that must be met.
- Disable all unnecessary services and remove unneeded functionality on servers.
- Use only one server per function.
- Encrypt all console access.
- Encrypt transmission of credit card data across open public networks.
- Never send credit card information via e-mail.
- Use and regularly update antivirus software and use audit logging on all AV.
- Install all security patches within one month of release.
- Subscribe to a security vulnerability alerting service.
- Assign a user ID to every person with computer access.
- Implement two-factor authentication for remote access.
- Encrypt all passwords as they traverse the network.
- Immediately revoke user access for any terminated user; change user passwords every 90 days; and implement many more user-related requirements.
- Restrict physical access to credit card data -- use card key systems at the data center.
- Store backup tapes in a secure location.
- Track and monitor all access to network resources (including audit trails).
- Synchronize all critical system clocks.
- Review AAA and IDS logs daily.
- Test security quarterly using penetration testing through a qualified vendor.
- Deploy file integrity monitoring.
- Maintain a security policy (with many more details about that policy included in the DSS).
Wow, that is quite a list, right? Even if you are directly affected by PCI and even if you are a large corporation, I would guess that you are either not doing some of the things on this list or, at minimum, you struggle daily to keep up with the PCI requirements.
As I read this list, I think of so many Cisco router, switch, firewall, and wireless AP features that you need to implement. Perhaps you are already doing these, perhaps not.
These are just some of the features that I have written about that should help you to meet those tough PCI DSS requirements:
- Implement basic Cisco router security functions. See my article "Fundamentals: Five Ways to Secure Your Cisco Routers and Switches."
- Implement a Cisco router with CBAC or a Cisco PIX/ASA at every Internet access point. Keep in mind that you must use a stateful firewall -- not just a Cisco ACL will do. See my article "Protect Your Network with the Cisco IOS Firewall."
- To protect your router passwords as they traverse the network, enable SSH and disable telnet. See my article "Configure SSH on Your Cisco Router."
- Make sure you understand Cisco router security. See my article "How to Properly Secure Your Cisco Router with Passwords."
- Audit your network security using vulnerability scanners. There are a ton of free tools out there to help. For an example of one such tool, see my article "Audit Your Cisco Router's Security with Nipper."
Besides "features" that you should enable, there are many more policy and procedure changes that must be implemented. Many times the procedural changes are more difficult to implement than the device security features.Conclusion
Meeting PCI security requirements is very important to you if your business accepts credit cards for goods or services. Even if your business doesn't accept credit cards and is not affected by the PCI standards, these PCI data security standards require critical security features and procedural changes that we should all be implementing in our networks.
For more information on PCI as it relates to Cisco products, visit Cisco's PCI Solutions for Retail Web page.
David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT professionals and end users.
Want to learn more about router and switch management? Automatically sign up for our free Cisco Routers and Switches newsletter, delivered each Friday!