
Your Solution for PCI Data Compliance

July 15, 2015

Compliance is hard enough to obtain – much less maintain day in and day out.

Payment Card Industry, or PCI, compliance is no laughing matter. It involves personal data, including credit, finance and demographic information.

With more and more breaches occurring and the increased losses of personal information, PCI compliance should be a top priority. The latest statistics show that 71% of data breaches target small businesses and 60% of small businesses close within six months of experiencing a data breach.

The Payment Card Industry Data Security Standard (PCI DSS) standards for compliance were designed to decrease the risk of payment card fraud online while also protecting the credit information of its users.

According to the PCI DSS, merchants are assigned a compliance “level” on a scale from 1 to 4:

  • Level 1 - Merchants with over 6 million credit transactions a year

  • Level 2 - Merchants with 1 to 6 million credit transactions a year

  • Level 3 - Merchants with 20,000 to 1 million credit transactions a year

  • Level 4 - Merchants with under 20,000 credit transactions a year

*note – Branded companies like Visa, Mastercard, Amex, Discover, etc. set their own compliance levels

Level 1 merchants are required to submit to:

  1. Annual onsite security audits under a qualified security assessor company

  2. An internal audit, if it is signed by an officer of the company and has been pre-approved

  3. A quarterly network security scan record and review

Level 2, 3 and 4 merchants are required to submit to:

  1. An annual Self-Assessment Questionnaire

  2. A quarterly security scan and review by an Approved Scanning Vendor (ASV).

PCI DSS Version 3.1 was released April 15, 2015, and requires that all vendors and merchants upgrade to the newest Transport Layer Security (TLS) protocol no later than June 2016. Prior to this date, existing implementations that use Secure Sockets Layer (SSL) and/or early TLS must have a formal risk mitigation and migration plan in place.

Guidance on interim risk mitigation approaches, migration recommendations and alternative options for strong cryptographic protocols are outlined in the PCI SSC Information Supplement.
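
The two practical pieces of the migration the post describes are a protocol floor on every connection and an inventory of endpoints that still negotiate SSL or early TLS. The following is an added example (not code from this post or from any PCI SSC document) that shows both in Python's standard `ssl` module. It assumes that "early TLS" means anything older than TLS 1.2, which is my reading of the supplement rather than text on this page, and the inventory hostnames are constructed placeholders.

```python
import ssl
from typing import Iterable, List, Tuple

# Protocol names as returned by ssl.SSLSocket.version(). Treating everything
# below TLS 1.2 as "SSL/early TLS" is an assumption made for this example.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def meets_tls_policy(negotiated: str) -> bool:
    """True when a negotiated protocol name satisfies the post-migration policy."""
    return negotiated in ACCEPTED


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate below TLS 1.2 and verifies the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies certificates by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / TLS 1.1 fallback
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Check a context inherited from older code against the TLS 1.2 floor."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def migration_needed(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (endpoint, negotiated protocol) pairs from an internal scan, return
    the endpoints that still accept SSL/early TLS and belong on the migration plan."""
    return [name for name, proto in inventory if not meets_tls_policy(proto)]


# Constructed sample inventory; the hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("payment-gw.example", "TLSv1.2"),
    ("legacy-pos.example", "TLSv1"),
    ("vendor-sftp.example", "SSLv3"),
]

if __name__ == "__main__":
    print("floor of hardened context:", hardened_client_context().minimum_version.name)
    print("needs migration:", migration_needed(SAMPLE_INVENTORY))
```

The protocol strings match what `ssl.SSLSocket.version()` reports after a real handshake, so `meets_tls_policy` can be applied directly to live connections as well as to scan output.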

At every PCI DSS level, the required security review needs a full view of the network’s data for self-assessment and security evaluation.

The basic requirements for data safety include having a(n):

  • Firewall

  • Password upgrade policy

  • Policy for protection of card data

  • TLS encryption for any transfer

  • System of protection against malware attacks through secure systems, monitoring and access procedures

  • Access control system and records of access in and outside of network

  • “Need to know policy” of access authentication

  • Tracking and monitoring process of all access to data and data storage

  • Regular testing schedule of all above security requirements

  • Strict policy for protection of data, access and transfer

All of these security measures, which are required, need full access to a network’s data to function properly. This means that to provide the best security, an independent visual data plane delivered through a third party needs to be in place, such as passive network TAPs.

Seasoned network security managers often have at least 2 TAPs: one out-of-band, on the outside of their defense perimeter, and another one in-band, inside their security perimeter, allowing them to see every bit and byte of data.

The out-of-band TAP will monitor the different types of attack vectors so that they can prepare a remedy for a weakness in their outside security perimeter. The in-band TAP can witness and record any inside breach so that remediation and reporting can take place rapidly.

Today’s networks need a safe visualization plane so that they can recognize attacks or aberrant behavior as soon as possible to stop data record losses and help organizations avoid the high fines being levied against companies that do not protect their customers’ sensitive personal data.

Data leaks can result in lawsuits and hefty fines for large firms and close down smaller businesses. Even worse, these costs multiply when the company that was attacked cannot produce a full record of lost data. The rule is generally that if a company cannot prove how many records were leaked, the ruling bodies must assume that all records in the system were compromised – this drives the fines up considerably.

I've written before that breaches are not a question of “if,” but rather a question of “when”. A good security team with a strong visibility plane will be able to save their company from deep fines while protecting their customers’ sensitive data.

The cost of a network visibility plane is significantly less than the fines and non-monetary costs a firm could experience – just think of the business lost by retailers like Target, Home Depot and more.

Network visibility is the first step into protecting your network data. A TAP is the perfect tool for building out a foundation of network access since it cannot be hacked and gives a real time view of every packet. With all of your data at your disposal, recognition of a violated security policy, malware attack or a breach should take no more than minutes.

Heartbeats Packets Inside the Bypass TAP

If the inline security tool goes off-line, the TAP will bypass the tool and automatically keep the link flowing. The Bypass TAP does this by sending heartbeat packets to the inline security tool. As long as the inline security tool is on-line, the heartbeat packets will be returned to the TAP, and the link traffic will continue to flow through the inline security tool.

If the heartbeat packets are not returned to the TAP (indicating that the inline security tool has gone off-line), the TAP will automatically 'bypass' the inline security tool and keep the link traffic flowing. The TAP also removes the heartbeat packets before sending the network traffic back onto the critical link.

While the TAP is in bypass mode, it continues to send heartbeat packets out to the inline security tool so that once the tool is back on-line, it will begin returning the heartbeat packets back to the TAP indicating that the tool is ready to go back to work. The TAP will then direct the network traffic back through the inline security tool along with the heartbeat packets placing the tool back inline.

Some of you may have noticed a flaw in the logic behind this solution! You say, “What if the TAP should fail because it is also in-line? Then the link will also fail!” The TAP would now be considered a point of failure. That is a good catch – but in our blog on Bypass vs. Failsafe, I explained that if a TAP were to fail or lose power, it must provide failsafe protection to the link it is attached to. So our network TAP will go into Failsafe mode, keeping the link flowing.
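
To make the heartbeat logic above concrete, here is an added example (my own simulation, not firmware from any TAP vendor) that models one forwarding cycle of a bypass TAP in Python: the TAP inserts a heartbeat, passes traffic through a hypothetical inline tool, bypasses the tool when the heartbeat does not come back, reinserts the tool when it does, strips the heartbeat before traffic returns to the link, and drops into failsafe if the TAP itself loses power. The heartbeat marker, the `BAD` frame prefix the tool blocks, and the frame names are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List

# Constructed marker for heartbeat frames; real bypass TAPs use vendor-defined frames.
HEARTBEAT = b"<heartbeat>"


class Mode(Enum):
    INLINE = "inline"      # link traffic flows through the security tool
    BYPASS = "bypass"      # tool unresponsive; TAP forwards link traffic directly
    FAILSAFE = "failsafe"  # TAP itself lost power; link passes straight through


def blocks_bad_frames(frame: bytes) -> bool:
    """Hypothetical blocking rule for the inline tool (constructed for the example)."""
    return frame.startswith(b"BAD")


@dataclass
class InlineTool:
    """Hypothetical inline appliance. Online, it returns every frame it does not
    block (heartbeats included); offline, it returns nothing, so the heartbeat is lost."""
    online: bool = True
    blocks: Callable[[bytes], bool] = blocks_bad_frames

    def process(self, frames: List[bytes]) -> List[bytes]:
        if not self.online:
            return []
        return [f for f in frames if f == HEARTBEAT or not self.blocks(f)]


@dataclass
class BypassTap:
    tool: InlineTool
    powered: bool = True
    mode: Mode = Mode.INLINE

    def forward(self, link_frames: List[bytes]) -> List[bytes]:
        """One forwarding cycle; returns the frames placed back onto the critical link."""
        if not self.powered:
            # Failsafe: an unpowered TAP must never take the link down.
            self.mode = Mode.FAILSAFE
            return list(link_frames)

        # A heartbeat goes out every cycle, even in bypass, so recovery is noticed.
        if self.mode == Mode.INLINE:
            returned = self.tool.process([HEARTBEAT] + list(link_frames))
        else:
            returned = self.tool.process([HEARTBEAT])

        if HEARTBEAT not in returned:
            # The tool did not answer: bypass it and keep the link flowing.
            self.mode = Mode.BYPASS
            return list(link_frames)

        if self.mode == Mode.BYPASS:
            # Heartbeat came back: put the tool back inline and send this cycle through it.
            self.mode = Mode.INLINE
            returned = self.tool.process([HEARTBEAT] + list(link_frames))

        # Strip heartbeats before traffic goes back onto the link.
        return [f for f in returned if f != HEARTBEAT]


def run_scenario():
    """Constructed walk-through: tool healthy, tool fails, tool recovers, TAP loses power.
    Returns a list of (delivered frames, mode) per cycle."""
    tool = InlineTool()
    tap = BypassTap(tool)
    log = []
    log.append((tap.forward([b"pkt1", b"BAD-probe"]), tap.mode.value))
    tool.online = False
    log.append((tap.forward([b"pkt2", b"BAD-probe"]), tap.mode.value))
    tool.online = True
    log.append((tap.forward([b"pkt3", b"BAD-probe"]), tap.mode.value))
    tap.powered = False
    log.append((tap.forward([b"pkt4"]), tap.mode.value))
    return log


if __name__ == "__main__":
    for delivered, mode in run_scenario():
        print(mode, delivered)
```

The second cycle is the one worth watching: while the tool is bypassed, the `BAD-probe` frame it would have blocked reaches the link, because bypass keeps the link up at the price of inspection. That is why mode transitions of a bypass TAP should be alarmed on, not just logged.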

Glossary

  1. Single point of failure: a risk to an IT network if one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technology that monitors the health of inline appliances.

  3. Critical link: the connection between two or more network devices or appliances such that, if the connection fails, the network is disrupted.