
Best Practices for PCI DSS V3.0
Network Security Compliance

January 2015

www.tufin.com

Table of Contents

Preparing for PCI DSS V3.0 Audit
Protecting Cardholder Data with PCI DSS
Complying with PCI DSS Network Security Challenges
Seven PCI Best Practices for Network Security
Setting High Security Standard for Ongoing Success
Quick PCI DSS Network Security Checklist


Preparing for PCI DSS V3.0 Audit
Credit card fraud is a growing threat to both financial institutions and retail organizations. Different methods and technologies were developed throughout the years to mitigate this risk. In 2004, the 5 major US credit card companies cooperated to implement a standard to counter the threat together. The new united standard is called the Payment Card Industry Data Security Standard (PCI DSS).
The goal of PCI DSS is to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. It protects against credit card fraud and security threats by providing a baseline of technical and operational requirements designed to protect cardholder data.
The most recent version of the standard is V3.0, replacing V2.0, which ends its life in December 2014. Therefore, plans for complying with the upgraded standard and ensuring that the enterprise network is audit ready are a pressing concern of many IT managers and PCI internal auditors today.

This paper provides information to IT managers and PCI internal auditors for understanding network security needs and best practices around credit card threats and the related requirements for PCI DSS V3.0 audits. Tufin's network security expertise enables excellent support for PCI internal auditors, IT managers and their network operation teams to design, plan and integrate the changes required for PCI DSS compliance into business-as-usual activities. Tufin's solution supports IT managers and PCI internal auditors in lessening their compliance headache.

Protecting Cardholder Data with PCI DSS

The PCI DSS defines 12 high-level requirements, grouped into 6 control objectives. To comply, PCI internal auditors or IT managers perform periodic audits every 6 months (3 months recommended). Audits demonstrate compliance via numerous testing procedures and sub-requirements, as seen in the table:

PCI DSS Control Objective: Requirement Description

Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    5. Protect all systems against malware and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need to know
    8. Identify and authenticate access to system components
    9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for all personnel

The main PCI DSS principle: cardholder data is only as secure as the pathways that provide access to it. On the one hand, PCI DSS requirements are designed to ensure that network security practices eliminate or minimize known risks. On the other hand, they ensure that the organization defines well-structured policies, procedures and practices that can be tracked and audited. To ensure both secure data pathways and adherence to strict network security policies, PCI DSS requires:
- Specific guidelines for processing card payments to help prevent credit card fraud, skimming and other security threats
- Aligning with the industry best practices to increase the trust of both customers and partners
- Limiting external network access to sensitive data, combined with a formal process for monitoring all changes to firewall configuration
- Tracking and auditing of firewall operations regularly, including clear definitions of roles and responsibilities
- Strictly limiting internal organizational access to sensitive data
- Documenting, enforcing and auditing all operational procedures and practices

In summary, PCI DSS demands that organizations maintain continuous compliance through an ongoing process of: Assess, Remediate and Report.[1] To comply, your IT organization must have an accurate picture of your compliance posture, the tools to address issues, and the ability to demonstrate compliance through internal and external audits.

Complying with PCI DSS Network Security Challenges
About 40% of PCI DSS is related to network security, but this is really the crux of the headache, pitfalls and disturbance for PCI internal auditors, IT managers and their teams.

For network security teams to integrate a repeatable compliance procedure that doesn't disrupt business as usual, it's simply not feasible for IT managers and PCI internal auditors to manually manage and test. The many IT tasks involved in documenting, tracking and auditing network security procedures manually can take weeks. The numerous security devices (firewalls, routers and others), with each device managing hundreds to thousands of rules, make for an extremely complex enterprise network environment. To ensure compliance, the team must have clear visibility of the network topology, the routing flow of data around the network, and the settings of all security devices (as there are many paths to move between network segments, and all paths should be configured based on the desired policy). Therefore, PCI DSS compliance requires the right set of tools and automated solutions for visibility, alerting and quick breach fixes.

[1] https://www.pcisecuritystandards.org/security_standards/getting_started.php


Seven PCI Best Practices for Network Security
Since PCI DSS is the de facto standard that any company processing credit cards must comply with, IT managers and PCI internal auditors continually align their enterprise security program to achieve this goal.
Before getting into the PCI DSS requirement details, it's good to look at what's worked at many enterprises to enforce and remediate PCI network security compliance. Tufin networking experts gathered valuable learning and best practices from their PCI implementation experience. If IT managers and PCI internal auditors do it right, their work on PCI compliance can also be a springboard for their organization into continuous network security and more effective work processes.
Tufin's 7 best practices for network security compliance are:
1) Create a clear separation of PCI data, PCI application, and PCI web within the network (DMZ, Internal and Internet)
2) Ensure that you have a network change workflow process in place that meets PCI requirements
3) Ensure that every network change has a complete audit trail with the who, what, when, and why
4) Validate every network change with the following:
   a. Analyze the change for risks as defined in your security policy
   b. Get approval by the business owner
   c. Ensure the changes are implemented according to the PCI-compatible network change workflow
5) Ensure that firewalls protecting PCI zones work with the following guidelines:
   a. Every rule has a comment
   b. Every rule has a log
   c. No rules with Any in the Src, Dest, and Srv
   d. No rules with risky services (unencrypted)
   e. Delete unused rules
6) Ensure every firewall rule is documented properly with the following info:
   a. Business justification
   b. Business owner
   c. Application name
7) Ensure that you keep firewall logs for at least 12 months
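Best practices 5 and 6 are mechanical enough to check automatically before each review cycle. The following is an added example (not code from this paper or from Tufin's products) of a small rule linter that applies those guidelines to a rule set. The Rule format, the RISKY_SERVICES list and the sample rules are constructed for illustration; a real check would read rules from the firewall's own export, and the auditor decides which services count as insecure.

```python
"""Lint a firewall rule set against the rule hygiene and documentation
guidelines of best practices 5 and 6.

Added example, not code from the paper or from Tufin's products. The Rule
format, RISKY_SERVICES and SAMPLE_RULES are constructed for illustration.
"""
from dataclasses import dataclass, field

# Services treated as risky because they carry data unencrypted. The list starts
# from requirement 1.1.5's examples (FTP, Telnet, POP3, IMAP, SNMP) plus HTTP;
# for PCI the final list is open to the auditor's interpretation.
RISKY_SERVICES = {"ftp", "telnet", "pop3", "imap", "snmp", "http"}

# Documentation every rule should carry (best practice 6 a-c).
REQUIRED_DOC_FIELDS = ("business_justification", "business_owner", "application_name")


@dataclass
class Rule:
    name: str
    src: list
    dst: list
    service: list
    action: str                       # "accept" or "drop"
    log: bool = False
    comment: str = ""
    hits_in_review_window: int = 0    # hit count since the last review
    docs: dict = field(default_factory=dict)


def lint_rule(rule: Rule) -> list:
    """Return the list of guideline violations found on one rule."""
    findings = []
    if not rule.comment.strip():
        findings.append("missing comment")                              # 5a
    if not rule.log:
        findings.append("logging disabled")                             # 5b
    if rule.action.lower() == "accept":
        # The explicit drop-all cleanup rule that requirement 1.2.1 calls for is
        # the one legitimate Any/Any/Any rule, so the 'Any' check covers accepts.
        for label, values in (("src", rule.src), ("dst", rule.dst), ("service", rule.service)):
            if any(v.lower() == "any" for v in values):
                findings.append(f"'Any' in {label}")                    # 5c
        risky = sorted(s.lower() for s in rule.service if s.lower() in RISKY_SERVICES)
        if risky:
            findings.append("risky unencrypted service: " + ", ".join(risky))  # 5d
    if rule.hits_in_review_window == 0:
        findings.append("no hits in review window, candidate for removal")  # 5e
    for doc_field in REQUIRED_DOC_FIELDS:
        if not rule.docs.get(doc_field):
            findings.append(f"missing documentation field '{doc_field}'")  # 6a-c
    return findings


def lint_ruleset(rules: list) -> dict:
    """Map rule name -> findings, listing only rules with at least one finding."""
    report = {}
    for rule in rules:
        found = lint_rule(rule)
        if found:
            report[rule.name] = found
    return report


# Constructed sample rule set (not exported from any real firewall).
SAMPLE_RULES = [
    Rule("pci-web-in", ["Internet"], ["dmz-web-01"], ["https"], "accept", log=True,
         comment="Customer checkout front end", hits_in_review_window=1830,
         docs={"business_justification": "Online checkout must reach the web tier",
               "business_owner": "E-commerce", "application_name": "Storefront"}),
    Rule("legacy-ftp", ["Any"], ["cde-db-01"], ["ftp"], "accept",
         docs={"business_owner": "Unknown"}),
    Rule("cleanup-drop", ["Any"], ["Any"], ["Any"], "drop", log=True,
         comment="Explicit deny for everything not permitted above",
         hits_in_review_window=420,
         docs={"business_justification": "Required by PCI DSS 1.2.1",
               "business_owner": "Network security", "application_name": "n/a"}),
]

if __name__ == "__main__":
    for name, found in lint_ruleset(SAMPLE_RULES).items():
        for item in found:
            print(f"{name}: {item}")
```

Running the module prints seven findings for the constructed legacy-ftp rule (no comment, no logging, Any source, FTP, no hits, two missing documentation fields) and nothing for the other two rules. The zero-hit check only makes sense if the hit counter was reset at the start of the review window; rules that are legitimately idle (disaster-recovery paths, for example) need a documented exception rather than deletion.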


Setting High Security Standard for Ongoing Success
PCI DSS V3.0 compliance can be a great opportunity to get the buy-in and budgets to ensure network security is geared for ongoing success. For IT managers and PCI internal auditors to set high, sustainable security standards, Tufin experts suggest paying special attention to five sub-requirements within PCI DSS requirement 1.
When IT managers take a broader look at PCI requirement 1, not just with an eye on getting PCI compliance, these requirements open the door for implementing ongoing network security solutions. Otherwise, they tend to be problematic since they rely on manual processes that no longer scale to meet the needs of the business, an increasingly common scenario.
In any case, merchants with large firewall estates need to automate firewall operations to meet business reality. While large-scale deployments are always intense, introducing some long-term improvements that align PCI compliance efforts with your organization's specific security needs can be a good way to make the effort even more worthwhile and have a long-term effect on the enterprise.
To overcome the common network security and PCI DSS compliance challenges, IT managers and PCI internal auditors can gain insights by drilling down into 5 requirements. Additional best practices for focusing efforts on achieving both compliance and ongoing success are revealed:

1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.
PCI internal auditors need to show that a clearly defined, enforceable change process for firewall policies exists. The PCI external auditor will ask to see a change report with a full audit trail, and then select some random changes and request to see the sign-off.
The Challenge: Many organizations still don't have a change process in place or, if they do, it's too loose or relies on goodwill rather than formal procedures.
Best Practice: The best way to implement formal, auditable change processes is by using an adequate tool for the task.

1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
This sub-requirement is concerned with three main risks:

1. Are the connections required for business known?
2. Are firewalls implementing the Principle of Least Privilege, allowing only connections that are required for business?
3. Are any of these connections insecure? Do compensating controls for them exist?
The Challenge: Most organizations don't have an up-to-date list of services that are required for business. In the best case, documentation per firewall rule exists. Most likely some connections contain insecure services (NOTE: for PCI, the list is open to interpretation by the auditor).
Best Practice: IT managers need to make sure they know about each of these services in advance, with relevant justifications from a security perspective.

1.1.6 Requirement to review firewall and router rule sets at least every six months

IT managers and PCI internal auditors need to have proof that a process exists and is working to meet this requirement. Complying with this requirement usually entails having a report to show rule sets were in fact reviewed, that any questionable rules from the last audit were addressed, and that any changes to rules since the last audit were dealt with properly (i.e. old or non-compliant rules/objects were dealt with).
Best Practice: Around one third of companies fail to provide the required documentation to satisfy the PCI external auditor on this point because of poor processes. Therefore, ensure your processes are up to date and functioning.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment

Usually the PCI external auditor is looking for a set of rules that permit specific PCI services (approved known protocols used by the PCI servers) followed by an explicit drop rule for all other traffic. Exceptions must include proper documentation (such as rule comments) that makes sense to the auditor.
Best Practice: Around one quarter of businesses find it difficult to correctly restrict inbound access; setting explicit drop rules is much easier. Proper definition of PCI services and PCI zones makes compliance much simpler. So it's important to ensure that the PCI external auditor agrees to the contents of PCI services and PCI zones.
If IT managers and PCI internal auditors can prove that an active alerting mechanism to prevent non-compliant changes exists, the enterprise is audit ready.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ

IT managers need to allow traffic from the Internet to specific servers (IP addresses) in the DMZ; everything else should be dropped. Proper definition of traffic that is Internet (i.e. all non-local IP addresses) and proper definition of the accessible IPs within the DMZ are critical for compliance. Plus, the PCI external auditor must agree that definitions are correct.
Best Practice: If definitions are in place, an active alert mechanism for unauthorized traffic is what's needed for IT managers to ensure network security.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment

To do this, network operation teams need to properly define the 'Internet' and 'cardholder data' environments, or in other words, create network segmentations that can be isolated. The PCI external auditor wants to see that there is no direct access between these entities, and that there is proper evidence for this.
Best Practice: If IT managers document and manage access with the right tools, PCI DSS auditing becomes part of the everyday IT and business activities:
1) Ensure documentation is ready
2) Prove serious about maintaining compliance
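Requirements 1.2.1, 1.3.2 and 1.3.3 all reduce to questions about zone boundaries once the Internet, DMZ and cardholder data environment are defined as address ranges. The following is an added example (not code from this paper or from Tufin's products) that evaluates a rule set against those three sub-requirements using Python's standard ipaddress module. The zone CIDRs, the treatment of the RFC 1918 ranges as "local", the rule format and the sample rules are all constructed assumptions; in practice the zone definitions are the ones the external auditor has agreed to.

```python
"""Check accept rules against the Internet/DMZ/CDE boundaries of requirements
1.3.2 and 1.3.3, and check for the explicit cleanup drop rule of 1.2.1.

Added example, not code from the paper or from Tufin's products. LOCAL, ZONES,
the Rule format and SAMPLE_RULES are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# "Internet" is everything that is not local; local is approximated here by the
# RFC 1918 private ranges (an assumption; use the ranges the auditor agreed to).
LOCAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ZONES = {
    "dmz": [ip_network("192.168.100.0/24")],   # assumed DMZ range
    "cde": [ip_network("10.10.0.0/16")],       # assumed cardholder data environment
}
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: list       # CIDR strings
    dst: list       # CIDR strings
    service: list   # service names; ["any"] means all services
    action: str     # "accept" or "drop"


def overlaps_zone(net, zone) -> bool:
    return any(net.overlaps(z) for z in zone)


def inside_zone(net, zone) -> bool:
    return any(net.subnet_of(z) for z in zone)


def touches_internet(net) -> bool:
    # Conservative: a prefix not wholly inside one local range is treated as
    # reaching the Internet, so 0.0.0.0/0 and other supernets are caught.
    return not inside_zone(net, LOCAL)


def check_segmentation(rules: list, zones: dict) -> list:
    """Return (rule_name, requirement, message) tuples for boundary violations."""
    findings = []
    for rule in rules:
        if rule.action.lower() != "accept":
            continue
        for s in map(ip_network, rule.src):
            for d in map(ip_network, rule.dst):
                if touches_internet(s) and overlaps_zone(d, zones["cde"]):
                    findings.append((rule.name, "1.3.3", f"inbound {s} -> {d} reaches the CDE"))
                elif overlaps_zone(s, zones["cde"]) and touches_internet(d):
                    findings.append((rule.name, "1.3.3", f"outbound {s} -> {d} leaves the CDE for the Internet"))
                elif touches_internet(s) and not inside_zone(d, zones["dmz"]):
                    findings.append((rule.name, "1.3.2", f"inbound {s} -> {d} is not confined to the DMZ"))
    # 1.2.1: the rule set must end with an explicit drop of all remaining traffic.
    last = rules[-1] if rules else None
    is_cleanup = (last is not None and last.action.lower() == "drop"
                  and {ip_network(x) for x in last.src} == {ANY}
                  and {ip_network(x) for x in last.dst} == {ANY}
                  and [x.lower() for x in last.service] == ["any"])
    if not is_cleanup:
        findings.append(("<ruleset>", "1.2.1", "rule set does not end with an explicit drop-all cleanup rule"))
    return findings


# Constructed sample rule set (not exported from any real firewall).
SAMPLE_RULES = [
    Rule("web-in", ["0.0.0.0/0"], ["192.168.100.10/32"], ["https"], "accept"),   # Internet -> DMZ web: allowed
    Rule("mgmt-backdoor", ["0.0.0.0/0"], ["10.10.5.20/32"], ["ssh"], "accept"),  # Internet -> CDE host: 1.3.3
    Rule("cde-updates", ["10.10.0.0/16"], ["0.0.0.0/0"], ["http"], "accept"),    # CDE -> Internet: 1.3.3
    Rule("dmz-to-app", ["192.168.100.0/24"], ["10.20.0.0/16"], ["https"], "accept"),  # internal only
    Rule("cleanup", ["0.0.0.0/0"], ["0.0.0.0/0"], ["any"], "drop"),              # explicit drop-all: 1.2.1
]

if __name__ == "__main__":
    for name, req, msg in check_segmentation(SAMPLE_RULES, ZONES):
        print(f"{name} [{req}]: {msg}")
```

On the constructed rule set this reports the two 1.3.3 violations and nothing else; removing the final cleanup rule adds a 1.2.1 finding. The check is deliberately conservative: a source such as 0.0.0.0/0 counts as Internet even though it also covers local addresses, which matches the auditor's reading that anything not explicitly local is untrusted.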


Quick PCI DSS Network Security Checklist
IT managers and PCI internal auditors can use the PCI DSS Network Security Checklist for preparing for audits. The checklist summarizes the PCI DSS requirements related to network security. If best practices for network security have been implemented in the organization, the PCI DSS audit becomes a healthy routine versus a compliance headache.
To meet the PCI DSS requirements related to network security in an efficient, quick, manageable way for ongoing success, Tufin's PCI DSS V3.0 Solution helps growing organizations:

PCI DSS Objective / Network Security Checklist / Tufin's PCI DSS Solution

Build and maintain a secure network
    1.1 Establish and implement firewall and router configuration standards that include the following: Inspect the firewall and router configuration standards and other documentation specified below and verify that standards are complete and implemented as in sub-requirements
        Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes, PCI firewall & router checks, PCI requirements deviation detection & reporting
    1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
        Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes
    1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks
        Tufin's PCI DSS Solution: PCI zone mapping & network topology map
    1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
        Tufin's PCI DSS Solution: PCI firewall & router checks, PCI requirements deviation detection & reporting
    1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
        Tufin's PCI DSS Solution: PCI compliance report
    1.1.7 Requirement to review firewall and router rule sets at least every six months
        Tufin's PCI DSS Solution: PCI compliance report
    1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system component in the cardholder data environment.
        Tufin's PCI DSS Solution: PCI firewall & router checks, PCI requirements deviation detection & reporting
    1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment (1.3.1 to 1.3.8)
        Tufin's PCI DSS Solution: Central network management for firewall & router to restrict traffic between Internet & PCI zone

Do not use vendor-supplied defaults for system passwords and other security parameters
    2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure, e.g., use secured technologies such as SSH, SFTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file sharing, Telnet, FTP, etc.
        Tufin's PCI DSS Solution: Checks every service for compliance with regulation policy
    2.4 Maintain an inventory of system components that are in scope for PCI DSS.
        Tufin's PCI DSS Solution: CMDB-like capabilities for server network connectivity
    2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
        Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes, PCI firewall & router checks, PCI requirements deviation detection & reporting

Develop and maintain secure systems and applications
    6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
        Tufin's PCI DSS Solution: Software comparison report

Track and monitor all access to network resources and cardholder data
    10.1 Implement audit trails to link all access to system components to each individual user.
        Tufin's PCI DSS Solution: Firewall, router & load balancer audit trail & change reports
    10.3 Record audit trail entries for all system components for each event
        Tufin's PCI DSS Solution: Tracks & monitors all firewall, router & load balancer changes
    10.5 Secure audit trails so they cannot be altered
        Tufin's PCI DSS Solution: Read-only, encrypted
    10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (e.g., online, archived, or restorable from backup).
        Tufin's PCI DSS Solution: Backup, store audit trail & configuration changes for 12 months, reports

In summary, Tufin's PCI DSS V3.0 Solution benefits PCI internal auditors and IT managers for PCI DSS compliance with:

- Out-of-the-box PCI DSS audit report, making it easy to prepare quickly and thoroughly for an internal or external audit
- ITSM-like change and approval processes (integrated into your current ITSM process)
- Up-to-date picture of the compliance status of your firewalls and routers
- Continuous change tracking and alerting that monitors all firewall policy changes, and alerts to potential violations
- Simple and flexible definition of the network zones for network segmentation
- Identification of mismatches between firewall rules and the desired firewall security policy
- Security rule documentation associating security policy rules with their business justification
- Complete audit trail of who made each change to your network devices

For more information or any questions:
Tufin subject matter experts are open to talk about your pressing PCI DSS V3.0 compliance concerns. Feel free to directly contact Tufin's PCI experts at email: PCIDSS@tufin.com.

Learn more about Tufin's Orchestration Suite and Tufin's PCI DSS V3.0 Solution at www.tufin.com.

Copyright 2015 Tufin


Tufin, Unified Security Policy, Tufin Orchestration Suite and the Tufin logo are trademarks of Tufin. All other product
names mentioned herein are trademarks or registered trademarks of their respective owners.
