Network Security
Now that both wired and wireless networks are used to manage POS environments, it is imperative that sufficient security controls are in place and that the network is correctly configured.
As previously mentioned, activity logging that follows PCI DSS must be in place, and merchants should find every network device, routers included, that still uses a vendor default password or ID and change it.
Attackers find vendor default passwords readily on the Internet, and wireless routers often ship with a default administrator ID and password that are never changed.
Strong encryption across the network, together with properly configured systems, is needed to stop intrusions.
If a wireless network is misconfigured, an attacker within radio range can join it and find the encryption key. Once that happens, any sensitive data on that network is potentially compromised, especially if the merchant uses a weak encryption algorithm such as WEP.
Don't underestimate the old-fashioned way of stealing information: physical access to the POS terminal or the network. Any high school student knows what a flash drive can do, and many other devices can be attached to an open network port to collect the data traveling between the POS terminal and the host.
The attacker may be an outsider, or an outsider working with an employee on the inside.
This is what happened in the TJX breach, and the company now faces several civil lawsuits over it.
"A lot of POS devices, that could be yanked out of holders pretty easily, can contain several hundred credit card numbers in them," said Rich Mogull, former IT security analyst with Gartner, who now owns his own security consulting firm, Securiosis.com, during a weekly Internet broadcast entitled The Network Security Podcast.
"You can look at the back of some of the POS devices, and they can have plug in modules that people can take advantage of," he remarked.
"People forget that the employees that have access to POS terminals are sometimes in low paying jobs, and they have access to these things."
He continued, "I mean, no offense to anyone, but you don't have to be the most qualified individual in the world to work at a cash register, so it's easy enough if someone wants a part-time job, to get in and gain access to those."
Merchants should follow the PCI DSS for storing, processing and transmitting cardholder data, and the merchant's network should follow these CISP bulletin guidelines:
- Limit access to the network to known devices.
- Do not allow direct Internet access to the POS system; install a firewall between the Internet and the POS system.
- Reject any unauthorized device attempting to connect to the network.
- Change all default passwords and IDs on all network management devices.
- Implement proper network segmentation, separating the payment processing devices from all other systems such as email and web browsers.
- Use Wi-Fi Protected Access (WPA) encryption rather than Wired Equivalent Privacy (WEP) wherever WPA is supported.
- Enable firewall logging with 12 months of retention, and review firewall rules to ensure that unnecessary ports are disabled for both inbound and outbound connections.
- Install and maintain firewalls at all times.
Though PABP is not mandatory, given the security breaches that continually make headlines it makes sense, both fiscally and objectively, to work with a POS vendor, reseller, ASV or QPASP to rectify any POS security issues.
Jaime Chanaga, chairman & CEO of The CSO Board LLC, Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA), also believes that it is a best practice to follow both PCI DSS and PABP.
In a May 11 post on his professional blog, Mr. Chanaga wrote the following:
"If your business is using payment processing software applications that are not certified under PABP, per Visa's stance your business will fail PCI compliance status."
"With fines up to $500,000 (USD) for each incident of non-compliance with PCI guidelines, it is in the best interest of all businesses subject to PCI compliance to heed the PCI and PABP guidelines."