
Network World

Jamey Heary

PCI Compliance, the 12 Step Program

By jheary on Thu, 11/29/07 - 8:07pm.

If your company stores, processes, or transmits the primary account number on a credit card, then you are required to meet, or exceed, the data security standards set forth in the PCI security standards. These security requirements apply to all network components that forward or have access to cardholder data. This includes switches, routers, firewalls, IPS, servers, workstations, wireless, storage, etc. So basically, if the device is IP (Internet Protocol) reachable to cardholder data, then it is in scope for the PCI requirements.
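The scoping rule above (anything IP reachable to cardholder data is in scope) is transitive: a segment that can talk to a segment that can talk to the cardholder data environment is in scope too. The following is an added example, not code from the original post or from Cisco, that applies that rule to a constructed topology. Segment names, the two flow tables and the assumption that a permitted firewall flow connects both endpoints (stateful return traffic) are all assumptions made for the example.

```python
"""Added example: compute PCI scope as the set of network segments
transitively connected to the cardholder data environment (CDE).
Topology, segment names and flow tables are constructed sample data."""
from collections import defaultdict, deque

# Constructed CDE: the segments that actually hold or handle card data.
CDE = {"pos-terminals", "payment-db"}

# Constructed allowed flows (src, dst) as permitted by firewall/ACL policy.
# Flat network: workstations and guest Wi-Fi can reach card data directly.
FLAT_NETWORK = [
    ("pos-terminals", "payment-db"),
    ("corp-workstations", "payment-db"),   # admins hit the DB directly
    ("corp-workstations", "print-servers"),
    ("guest-wifi", "corp-workstations"),   # no segmentation at all
    ("payment-db", "backup-server"),
]

# Segmented network: only a hardened jump host may reach the DB, and the
# guest Wi-Fi has no permitted flow to anything internal.
SEGMENTED_NETWORK = [
    ("pos-terminals", "payment-db"),
    ("jump-host", "payment-db"),
    ("corp-workstations", "jump-host"),
    ("corp-workstations", "print-servers"),
    ("payment-db", "backup-server"),
]


def pci_scope(allowed_flows, cde):
    """Return every segment in PCI scope: the CDE plus all segments that are
    transitively connected to it through a permitted flow in either direction."""
    adj = defaultdict(set)
    for src, dst in allowed_flows:
        # Assumption: a permitted flow implies connectivity both ways, because
        # a stateful firewall allows the return traffic.
        adj[src].add(dst)
        adj[dst].add(src)

    scope = set(cde)
    queue = deque(cde)
    while queue:                       # breadth-first walk from the CDE outward
        seg = queue.popleft()
        for neighbour in adj[seg]:
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def out_of_scope(allowed_flows, cde):
    """Segments that appear in the flow table but are NOT in PCI scope,
    i.e. what proper segmentation has actually carved out of the audit."""
    all_segments = {s for flow in allowed_flows for s in flow}
    return all_segments - pci_scope(allowed_flows, cde)


if __name__ == "__main__":
    print("flat network in scope:     ", sorted(pci_scope(FLAT_NETWORK, CDE)))
    print("segmented network in scope:", sorted(pci_scope(SEGMENTED_NETWORK, CDE)))
    print("segmented, out of scope:   ", sorted(out_of_scope(SEGMENTED_NETWORK, CDE)))
```

Running it shows the flat network pulls every segment into scope, including the guest Wi-Fi. In the segmented network the guest Wi-Fi drops out, but the corporate workstations stay in scope because they can reach the jump host that reaches the database; a segmentation design has to cut that transitive path, not just the direct one, before an auditor will treat those hosts as out of scope.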

The PCI Security Standards Council released a new PCI security standard this month. This standards body is responsible for creating the mandatory security policies that anyone who stores credit card information must adhere to. This includes merchants, banks, and card processing companies. The goal is to secure credit card numbers and cardholder data from digital theft. The new standard is targeted at enhancing the security of payment card applications. The new Payment Application Data Security Standard (PA-DSS) is the third standard the group has developed to help secure our credit card information from hackers. The PCI PIN Entry Device (PED) standard was also recently handed over to the PCI standards council. PED outlines the security requirements for all Personal Identification Number (PIN) based devices and transactions. BTW, the two previous standards are currently a work in progress.

The PCI standard that most of us are familiar with is the Payment Card Industry Data Security Standard, or PCI DSS. Due to the hefty fines that are just starting to be levied en masse, companies of all sizes are scrambling to make their networks PCI DSS compliant. Based on this demand, Cisco has allocated considerable resources to helping customers understand PCI and how best to create a PCI-ready network. To that end, I wanted to showcase some of that info in this blog. This will help you get on your way to a PCI compliant network even faster.

First off, the PCI standard has 12 major requirements broken down into 6 separate categories called “control objectives”. Diagram 1 below shows the requirements:



These general requirements are then broken down into multiple sub-requirements.
Cisco has mapped its products and features to this list of requirements and sub-requirements. This enables its customers to quickly determine what products can be used for becoming PCI compliant. Fortunately, the most pervasively deployed Cisco device, the router, can be used to cover more PCI requirements than any other single device. The only catch is, it must be a Cisco router with a security feature set license.

Let’s take a look at just a Cisco Secure Router and how it can help with PCI. According to Cisco, “Cisco IOS® Software-based routers support wireless, voice, firewall, intrusion prevention, and traffic profiling applications as well as VPNs. They help to satisfy PCI requirements 1, 2, 4, 6, 10, 11, and 12.” Wow, a single router can help with 7 of the 12 PCI requirements. Nice!

There are several sites where you can get detailed Cisco and PCI information. Here are some of the most popular:

  • Here is Cisco’s compliance homepage. It covers PCI, HIPAA, SOX, etc. http://www.cisco.com/go/compliance

  • Cisco built a secure network and then had 3rd Party PCI auditors come in and validate that their architecture would pass a PCI audit. You can find the whole solution here http://www.cisco.com/web/strategy/retail/pci_imp.html

  • Cisco has a whole team of people working on solutions for the retail market space. They can be found here http://www.cisco.com/go/retail

  • The PCI DSS standard can be found here https://www.pcisecuritystandards.org/

So those of you that have been through a PCI audit, what can the rest of us learn from you? Any tips for how to use Cisco gear to help with PCI compliance? Anyone been told by a PCI auditor that their “private” MPLS net is considered a public network for PCI and must be encrypted? I just had this happen to someone I know. Wondering if it is a trend.

The opinions and information presented here are my personal views, not those of my employer.

Private MPLS VPN (using layer 3 VRFs etc) compliance with PCI


My carrier MPLS uses Multi-Protocol BGP (MPBGP) and a full mesh of Label Switched Paths (LSP) between Provider Edge routers to provide self-healing, efficient routing. They use Route Distinguishers (RD) and Virtual Routing / Forwarding (VRF) as well. Is this MPLS network PCI compliant or do we need to further encrypt data to be compliant?

About Cisco Security Expert

Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
