As with all technology, there are many different options and ways of addressing your network security. According to Requirement 1 of the PCI DSS, a merchant must “install and maintain a firewall configuration to protect cardholder data.” One point of confusion for many people is identifying the difference between a router and a firewall. A router is a device that is used to connect a Local Area Network (LAN) to a Wide Area Network (WAN). A router can also be used to break down or segment a large LAN. Routers route data between networks, basically telling network traffic where to go.
Firewalls, on the other hand, are normally used to protect a secure network from a less secure network, or to protect your secure/private LAN from the internet. In order to meet specific PCI requirements, your firewall should be doing stateful packet inspection. Stateful packet inspection, also known as dynamic packet inspection, tracks the state of each TCP connection. The firewall recognizes the allowed/approved inbound and outbound traffic, so if traffic that was not requested tries to come into your network, the firewall will refuse it. Other things that are strongly recommended for comprehensive network security include: Intrusion Prevention/Intrusion Detection systems, firewall traffic logging, anti-virus on the firewall to scan at the network perimeter, and data loss prevention (to prevent the accidental transmission of unencrypted credit card numbers).
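To make the stateful behaviour concrete, here is a small connection-tracking filter written for this page (added example, not code from the original post): it permits TCP flows opened from the LAN, allows only the return traffic that matches a tracked flow, and refuses unsolicited inbound connection attempts. The LAN prefix, addresses and packets are constructed.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # constructed: the private LAN behind the firewall

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK), "F" (FIN)

class StatefulFilter:
    """Permit TCP flows opened from inside, and only the return traffic that matches them."""
    def __init__(self):
        self.table = set()  # flows the firewall has seen start from the LAN

    @staticmethod
    def key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport)

    def check(self, p):
        outbound = p.src.startswith(INSIDE_PREFIX) and not p.dst.startswith(INSIDE_PREFIX)
        if p.flags == "S":  # new connection attempt
            if outbound:
                self.table.add(self.key(p))
                return "ALLOW"
            return "DROP"  # inbound SYN that nobody on the LAN asked for
        # anything else must belong to a tracked flow, in either direction
        if self.key(p) in self.table or self.reverse_key(p) in self.table:
            if "F" in p.flags or "R" in p.flags:  # connection closing: forget the state
                self.table.discard(self.key(p))
                self.table.discard(self.reverse_key(p))
            return "ALLOW"
        return "DROP"  # no matching state: refused even if a service listens there

def run_sample():
    fw = StatefulFilter()
    sample = [  # constructed packets
        Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),   # LAN client opens HTTPS
        Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),  # server reply matches state
        Packet("198.51.100.7", 40000, "10.0.0.5", 445, "S"),   # unsolicited inbound SYN
        Packet("198.51.100.7", 40000, "10.0.0.5", 445, "A"),   # stray ACK with no state
    ]
    return [fw.check(p) for p in sample]
```

A stateless packet filter would have to decide the last two packets on port numbers alone; the state table is what lets the firewall refuse traffic that the LAN never requested.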
Change is on the horizon for MasterCard and Visa cardholders in the United States. Both brands announced that they will be updating their credit cards from the magnetic stripe to the chip-and-pin format. The U.S. is one of the last major countries to transition to the chip-and-pin format. Countries in Europe have been using the chip-and-pin method since 2005, as have Asia and South America. Canada plans to make the switch in the coming year.
The switch in formats has proved very effective for the United Kingdom, which has seen a significant reduction in credit card fraud. The U.K. Payments Administration stated that since the implementation of chip-and-pin credit cards, in-store credit card fraud dropped from 218.8 million pounds in 2004 ($356.5 million) to 98.5 million pounds in 2008 ($160.5 million).
Unlike the magnetic stripe currently used on credit cards around the United States, these cards have a smart chip containing the cardholder’s information, and each time you swipe the card you are required to enter a four-digit PIN that corresponds with a number inside the chip.
Requirement 2 of the PCI DSS: Do not use vendor-supplied defaults for system passwords and other security parameters
In the last SAQ 101 blog we covered Requirement 1 of the PCI DSS which talked about having a firewall properly configured to protect cardholder data within your network. Requirement 2 of the PCI DSS focuses on the inside of your network to ensure all devices that are in the cardholder environment are set up and configured properly and in a secure manner.
The first part of the requirement is 2.1 and it reads:
“Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.”
This step needs to be a high priority when implementing new devices in your cardholder environment. All vendor-supplied usernames and passwords must be changed on every device before it is installed in your network. This is essential to securing your network because default usernames and passwords are easy to guess, are published on the internet, and are shared in hacker communities.
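As an added illustration of the 2.1 items quoted above (not code from the original post), here is a small audit over a constructed device configuration that flags default SNMP community strings, accounts still carrying a vendor default password, and unnecessary accounts. The config syntax, the default values and the plaintext passwords are assumptions made for the example.

```python
import re

# Vendor defaults this audit flags. Hypothetical values for illustration;
# a real audit would use the vendor's documented defaults for each device.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_PASSWORDS = {"admin": {"admin", "password", ""}, "root": {"root", ""}}
UNNECESSARY_ACCOUNTS = {"guest", "test", "demo"}

# Constructed config in a Cisco-like syntax with plaintext passwords so the
# defaults are visible; on a real device the password field is usually hashed.
SAMPLE_CONFIG = """\
hostname pos-switch-1
snmp-server community public RO
snmp-server community Lm7!wq-store9 RW
username admin password admin
username guest password guest
username opsuser password Zx9!longpass
"""

def audit(config: str) -> list:
    """Return one finding per Requirement 2.1 violation found in the config text."""
    findings = []
    for line in config.splitlines():
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string '{m.group(1)}'")
            continue
        m = re.match(r"username (\S+) password (\S*)", line)
        if not m:
            continue
        user, password = m.groups()
        if user in UNNECESSARY_ACCOUNTS:
            findings.append(f"unnecessary account '{user}' should be removed")
        elif password in DEFAULT_PASSWORDS.get(user, set()):
            findings.append(f"account '{user}' still has its vendor default password")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL:", finding)
```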
PCI compliance can often be seen as a cumbersome and difficult process. Although this might be the case, there are a number of things that you as a business owner can do to gain a better understanding of the key areas where you can improve your business security and ultimately, simplify the process.
There are five key topics that often float to the top of the list when our team is in conversation with merchants: Wi-Fi, the firewall, scanning, the payment application, and the acquirer/processor. We will take an in-depth look at each topic over the course of five blog installments, so that you can start creating the foundation to protect your business investment and your customers. The first key topic is Wi-Fi.
There are a couple of different ways you can implement wireless in your business today. One way we typically think about is a Wi-Fi hotspot for public use. This will be used by your patrons to enhance their experience at your establishment. Today, offering free Wi-Fi for guests in the dining room or lobby area is becoming more and more common. That being said, you need to be aware of how it is configured and how it is implemented. Before implementing a public Wi-Fi network for your patrons, you need to make sure that it does not touch the cardholder environment.
On Tuesday, March 13th, Microsoft released its Microsoft Security Bulletin Summary for March 2012. Amongst the usual list of smaller vulnerabilities was MS12-020, a critical vulnerability involving the Remote Desktop Protocol (RDP). While this may not affect many default Windows installations, it is a threat in most businesses due to RDP’s main function of allowing someone (admin, IT, etc.) to access a Windows system remotely.
The exploitability rating on the vulnerability is listed as a “1”, the most severe rating that Microsoft gives to a vulnerability listing. Microsoft estimated that exploit code for the vulnerability would likely be out within the next 30 days. However, just three days after Microsoft’s bulletin, reports are out that working exploit code has been published.
The main issue at hand is that a malicious user can gain access to a system without having to authenticate, allowing them to execute code remotely. This type of vulnerability often earns the label “wormable”, meaning it can be leveraged by self-propagating malware such as worms and trojans.