Hardware Requirements for PCI Compliance

MCA CNS Team | MCA News, Sierra Wireless

Best Practices to Limit Risk and Simplify Security


At a recent industry conference, one of the guest speakers stated that his company dealt with 84 different security vendors, which was not altogether surprising. Amid the Digital Transformation, many companies are adding service upon service, which can become very difficult to monitor and manage.

While many of these security tools are useful and necessary, even more important is ensuring the network’s architecture is simple and scalable and that basic best practices are being implemented with 100 percent compliance.

Critical areas that organizations should continually evaluate are their connectivity and hardware practices.


What Is The Payment Card Industry Data Security Standard (PCI DSS)?


The PCI Security Standards Council (PCI SSC) is a worldwide collaborative platform, uniting stakeholders in the payments industry. Its primary mission is to elevate global payment account data security by formulating and promoting the adoption of robust data security standards and resources, ensuring secure transactions on a global scale.

Major payment card brands (American Express, Discover, JCB, Mastercard, and Visa) have collectively established a comprehensive framework of security requirements known as the Payment Card Industry Data Security Standard (PCI DSS) to safeguard the confidentiality of credit and debit card information. Compliance with these standards is mandatory for all entities handling cardholder information or those capable of influencing the security of such information. Adherence to PCI DSS is essential across all processes and systems that have the potential to impact the security of cardholder data.

PCI DSS compliance is a contractual obligation under the merchant's agreement with its acquiring bank rather than a statutory one, but a merchant that accepts card payments and fails to comply risks fines and, ultimately, loss of the ability to accept cards. Those fines are levied by the card brands through the acquirer, not by the PCI SSC, which writes the standard but does not enforce it. Compliance is also an ongoing commitment: validation must be repeated every year, and the standard requires continuous controls in between, such as quarterly external vulnerability scans.

Merchants are assigned to compliance levels based on annual transaction volume. The thresholds below are Visa's; the other brands define their own levels, and an acquirer may move a merchant to a higher level after a breach.

  • Level 1 Merchants: over 6 million transactions annually
  • Level 2 Merchants: 1 million to 6 million transactions annually
  • Level 3 Merchants: 20,000 to 1 million e-commerce transactions annually
  • Level 4 Merchants: fewer than 20,000 e-commerce transactions, and up to 1 million total transactions, annually

The level determines how compliance is validated, not which requirements apply: every merchant must meet all applicable PCI DSS requirements. Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC). Levels 2 to 4 typically validate with a Self-Assessment Questionnaire (SAQ), and the SAQ type (A, B, C, D and so on) is chosen by how the merchant accepts cards, not by its level. Where externally facing IP addresses are in scope, all levels also need quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).


Essential Requirements for PCI Compliance


The twelve high-level requirements, in the wording of PCI DSS v3.2.1, are listed below. PCI DSS v4.0, the only version in force since 31 March 2024, keeps the same twelve but rewords several (Requirement 1, for example, now reads "install and maintain network security controls", so that cloud and host-based filtering count alongside firewalls).

  • Install and maintain a firewall configuration to safeguard cardholder data.
  • Avoid using default settings for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt the transmission of cardholder data over open, public networks.
  • Utilize and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data based on business necessity.
  • Assign a unique ID to each individual with computer access.
  • Limit physical access to cardholder data.
  • Monitor and track all access to network resources and cardholder data.
  • Conduct regular testing of security systems and processes.
  • Maintain an information security policy that encompasses all personnel.

Essential Role of Cellular Connectivity in Payments


Many stakeholders in the payments ecosystem are choosing cellular IoT connectivity, with embedded IoT SIMs, to give attended and unattended payment and vending devices resilient, dependable coverage that does not depend on the host site's network.


PCI Compliance Communications Hardware

Cellular air-interface encryption covers only the radio link between the device and the base station; past the operator's core network the traffic is ordinary IP. PCI DSS Requirement 4 explicitly counts cellular technologies (GSM, CDMA, GPRS) among open, public networks, so cardholder data crossing a cellular link must still be protected end to end with strong cryptography, normally TLS from the payment application or an IPsec VPN from the router to the payment gateway. The link-layer encryption, and the resources mobile network operators continually put into detecting and addressing vulnerabilities in their networks, are a welcome additional layer, not a substitute for Requirement 4.


Sierra Wireless' Smart Connectivity and PCI Compliance


Sierra Wireless' Smart Connectivity ensures a seamless cellular network experience and secure access for payment solutions, actively monitoring core networks to prevent disruptions and maintain a remarkable 99.9% uptime. Additionally, the Smart Connectivity service by Sierra Wireless adheres to crucial PCI security requirements:

  • Data Encryption: All data, whether in transit or at rest, is fully encrypted.
  • Access Control: Access to infrastructure and data is meticulously restricted, logged, and subjected to regular audits.
  • Security Patching: Servers and network infrastructure are consistently updated with the latest security patches.
  • Security Audits: Regular internal, third-party, and specialized telecommunication security audits are conducted.

Sierra Wireless maintains a 24x7 Security Operations Center for continuous monitoring and immediate response to detected threats or vulnerabilities as part of its commitment to security and PCI compliance. Its data centers and public cloud environments are built to Uptime Institute Tier III and Tier IV standards for enhanced reliability.

Sierra Wireless uses the Center for Internet Security (CIS) Critical Security Controls v8 to assess itself against current security best practices. The CIS Controls are a globally recognized, prioritized set of safeguards for securing IT systems and data.


Reviewing Hardware and Equipment for PCI Compliance


To ensure that your entire network - including all hardware and equipment - complies with PCI DSS, your organization should follow the below best practices. Since PCI compliance is an annual undertaking, routinely reviewing these steps and taking appropriate action will help make renewing your commitments a more streamlined process.


1. Keep An Inventory Of System Components


PCI DSS requires an inventory of all system components that are in scope for the standard (Requirement 2.4 in v3.2.1, Requirement 12.5.1 in v4.0), and an inventory is only as good as the device visibility behind it. A few key strategies for keeping it accurate:

  • Identify devices by more than MAC and IP address, both of which are trivially changed or spoofed: record the serial number or device ID, model, firmware version and a hostname that follows a fixed naming convention, so that a device which does not match on all criteria stands out.
  • Alert on, and where possible block (for example with 802.1X or a NAC), any device that connects without an inventory record, and reconcile the inventory against DHCP leases or ARP tables on a schedule rather than only at assessment time.
  • Regularly audit and maintain up-to-date logical and physical network topologies; a current diagram showing all connections to cardholder data and all cardholder data flows is itself a PCI DSS requirement (1.1.2 and 1.1.3 in v3.2.1).

2. Ensure Routers Stay Updated With The Latest Firmware


PCI DSS does not literally demand the newest firmware, but it does require that all system components, network routers included, be protected from known vulnerabilities by installing applicable vendor security patches, with critical patches installed within one month of release (Requirement 6.2 in v3.2.1; 6.3.3 in v4.0, which also sets a time frame for lower-severity fixes). Meeting that one-month window is the hard part for distributed enterprises with dozens, hundreds, or thousands of routers spread over a large geographic area. Organizations that must send someone on-site to update router firmware expend enormous resources doing so and cannot deploy a fix quickly when a vulnerability is disclosed.

By contrast, organizations that use Cradlepoint's cloud-delivered network management platform can group routers and push a firmware release across an entire group in minutes, without the cost and delay of sending a technician on-site. Whatever the tool, stage each release on a pilot group first and keep a record of the version every router is running: that record is what an assessor will ask for, and it is the same data the system-component inventory in step 1 needs.
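Steps 1 and 2 come down to one reconciliation: what the inventory says should be on the network, what the network actually reports, and whether each device's firmware is inside the patch window. The following Python is an added example, not code from the article or from any vendor's management platform; the inventory, the observed DHCP/ARP entries, the naming convention, the model names and the firmware baseline are all constructed for the example.

```python
import csv
import io
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample data for this example; nothing here comes from the article or a vendor.
# Naming convention assumed for the example: <ROLE>-<store number>-<unit>, e.g. POS-0412-01.
NAME_RE = re.compile(r"^(POS|RTR|BO)-\d{4}-\d{2}$")
PATCH_WINDOW_DAYS = 30   # PCI DSS: critical vendor security patches within one month of release

INVENTORY_CSV = """hostname,mac,ip,model,firmware
POS-0412-01,00:11:22:33:44:01,10.10.0.11,RTR-X,7.22.60
POS-0412-02,00:11:22:33:44:02,10.10.0.12,RTR-X,7.21.10
RTR-0412-01,00:11:22:33:44:10,10.10.0.1,RTR-X,7.22.60
router2,00:11:22:33:44:11,10.10.0.2,RTR-X,7.22.60
BO-0412-01,00:11:22:33:44:20,10.20.0.15,WS-STD,3.4
"""

# What the network actually reports (DHCP leases or the switch ARP table), constructed.
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.10.0.11"},
    {"mac": "00:11:22:33:44:10", "ip": "10.10.0.1"},
    {"mac": "00:11:22:33:44:11", "ip": "10.10.0.2"},
    {"mac": "00:11:22:33:44:20", "ip": "10.20.0.15"},
    {"mac": "A4:5E:60:AA:BB:CC", "ip": "10.10.0.77"},   # never inventoried
]

# Hypothetical vendor baseline: model -> (minimum firmware, date that patch was released).
FIRMWARE_BASELINE: Dict[str, Tuple[str, str]] = {"RTR-X": ("7.22.60", "2024-01-15")}


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.22.60' -> (7, 22, 60); tuples compare numerically, unlike the raw strings."""
    return tuple(int(part) for part in text.split("."))


def audit_inventory(inventory_csv: str, observed: List[dict], baseline: dict, today) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings; `today` is a date or an ISO date string."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    inventory = {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {entry["mac"].lower(): entry["ip"] for entry in observed}
    findings: List[Tuple[str, str]] = []

    # Devices on the wire that the inventory does not know, or that moved address: alert.
    for mac, ip in seen.items():
        if mac not in inventory:
            findings.append(("UNKNOWN_DEVICE", f"{mac} at {ip}"))
        elif inventory[mac]["ip"] != ip:
            findings.append(("IP_MISMATCH", f"{inventory[mac]['hostname']} now at {ip}"))

    # Inventory records that break the naming convention, are absent from the network,
    # or run firmware older than the baseline (overdue once the one-month window has passed).
    for mac, row in inventory.items():
        if not NAME_RE.match(row["hostname"]):
            findings.append(("BAD_NAME", row["hostname"]))
        if mac not in seen:
            findings.append(("NOT_SEEN", row["hostname"]))
        if row["model"] in baseline:
            min_fw, released = baseline[row["model"]]
            if parse_version(row["firmware"]) < parse_version(min_fw):
                age = (today - date.fromisoformat(released)).days
                kind = "PATCH_OVERDUE" if age > PATCH_WINDOW_DAYS else "PATCH_PENDING"
                findings.append((kind, f"{row['hostname']} runs {row['firmware']}, "
                                       f"baseline {min_fw}, {age} days since release"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_inventory(INVENTORY_CSV, OBSERVED, FIRMWARE_BASELINE, "2024-03-01"):
        print(f"{kind:15} {detail}")
```

Run against the sample data on 2024-03-01 it reports the uninventoried device at 10.10.0.77, the hostname `router2` that breaks the convention, the POS router that is in the inventory but no longer on the network, and the same router's firmware as overdue (46 days past the patch release). Feeding it real DHCP or ARP exports and the router platform's version report turns the annual inventory check into a daily one.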

3. Physically Secure Devices And Networks


Restricted physical access is a key, sometimes overlooked, security element regardless of PCI compliance. PCI DSS Requirement 9 requires facility entry controls to limit and monitor physical access to systems in the cardholder data environment, and it specifically calls for restricting physical access to wireless access points, gateways, handheld devices, networking and communications hardware and telecommunication lines, and to publicly accessible network jacks. In practice that means routers, switches, and servers that are in scope or connected to the cardholder data environment belong in a locked, access-controlled space, and unused network ports in public areas should be disabled.

Restricting physical access to the network is a critical security practice for distributed enterprises. Consider, for example, a retail chain. At any individual store, the on-site employees are typically unfamiliar with security best practices and may never have met any of the company's IT personnel. It is easy to see how an attacker in an official-looking uniform with an authoritative manner could talk their way to the network closet. PCI DSS addresses this directly: staff must be able to distinguish on-site personnel from visitors, and visitors must be authorized before entering areas where cardholder data is handled, escorted, identified by a badge that expires, and recorded in a visitor log (Requirements 9.2 to 9.4 in v3.2.1). A store employee who knows to ask for that authorization is a stronger control than any lock.

4. Configure The Network Firewall For PCI Compliance


PCI DSS Requirement 1 states that the organization must install and maintain a firewall configuration to protect cardholder data (v4.0 says "network security controls", so that cloud and host-based filtering count as well). A few important rules for a router firewall that is to support PCI compliance:

  • Disable Universal Plug and Play (UPnP). Its Internet Gateway Device protocol lets any host on the LAN open inbound port mappings through the firewall with no authentication and no user interaction, so any compromised or unmanaged device can expose internal services to the Internet.
  • Use Stateful Packet Inspection (SPI) so that the firewall tracks connections and admits inbound packets only when they are replies to sessions the inside opened; unsolicited inbound traffic is refused.
  • Default to deny. Restrict inbound and outbound traffic to what the cardholder data environment needs and explicitly deny everything else (Requirement 1.2.1). Every open or forwarded port must have a documented business justification (Requirement 1.1.6), and a port forward that lands directly on a system in the cardholder data environment is almost never justified.
  • Enable anti-spoofing checks so that packets arriving on the WAN interface with an internal or private source address are dropped (Requirement 1.3.3); attackers forge source addresses to bypass address-based rules or to hide their origin.
  • Establish a demilitarized zone (DMZ) for anything that must be reachable from the Internet, limit inbound Internet traffic to the DMZ, and keep systems that store cardholder data in an internal zone segregated from the DMZ with no direct path to or from the Internet (Requirement 1.3).

5. Implement Parallel Networks For Third Parties And Risky Applications


The network will continue to grow in size and complexity for the foreseeable future. With the increasing adoption of IoT technologies, BYOD practices, and third-party vendors that need network access, consistently meeting PCI DSS requirements will require most organizations to look at how the network architecture either enables or, more likely, impedes efficient implementation of security practices.

Before adding yet another security service to what is likely already a long list of vendors, consider running parallel networks for third parties and risky applications. By keeping guest WiFi, third-party vendor access and similar traffic on networks that are completely separated from the cardholder data environment, a company can sharply reduce the scope of its PCI assessment and, therefore, the time and resources required to keep the remaining in-scope network secure. Two caveats apply. A true air gap means separate hardware and uplinks; if the parallel networks share a router and are divided by VLANs and firewall rules, that is segmentation, and PCI DSS then requires penetration tests at least annually, and after any change to the segmentation controls, to confirm the cardholder data environment really is isolated (Requirement 11.3.4 in v3.2.1). And separation reduces, but does not remove, dependence on third parties: any service provider that can still affect the security of cardholder data must be tracked and its compliance monitored (Requirement 12.8).

In turn, the enterprise can focus more closely on protecting the cardholder data environment, the network that, if breached, would pose some of the greatest risks to the organization's overall health and success.
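The firewall rules in step 4 and the segmentation boundary in step 5 can be checked mechanically rather than by reading a rule table. The Python below is an added example, not code from the article, MCA, Cradlepoint or Sierra Wireless: a small first-match policy evaluator, two hypothetical router policies (a typical unhardened branch configuration and a hardened one), and a set of probe packets for the conditions Requirement 1 rules out, plus one probe that confirms reply traffic still gets back in. The zone names, address ranges and the acquirer range are invented for the example; on a real router you would translate its exported rules into Rule entries and keep the probes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical zones for this example (RFC 1918 and documentation ranges; not from the article).
# "lan" is the inside of the router; "wan" is the cellular or Internet uplink.
CDE   = "10.10.0.0/24"      # POS terminals and payment gateway
DMZ   = "192.0.2.0/24"      # Internet-facing web tier
CORP  = "10.20.0.0/24"      # back office
GUEST = "10.30.0.0/24"      # guest WiFi / third-party vendor network
ACQ   = "198.51.100.0/24"   # acquirer endpoints the CDE must reach (invented range)


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    iface: str             # ingress interface the rule applies to: "wan", "lan" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any
    state: str = "new"     # "new", "established" or "any" (stateful inspection)


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int
    state: str             # "new" opens a connection, "established" is reply traffic


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("any", pkt.iface)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport)
            and rule.state in ("any", pkt.state))


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation, as most firewalls do it; nothing matched means drop."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"


# Traffic a PCI-compliant policy must refuse. Addresses are invented for the example.
DENY_PROBES = [
    ("Internet can open a connection straight into the CDE (no DMZ in front, Req. 1.3)",
     Packet("wan", "203.0.113.7", "10.10.0.5", 443, "new")),
    ("WAN accepts a packet with a spoofed internal source address (anti-spoofing, Req. 1.3.3)",
     Packet("wan", "10.10.0.9", "192.0.2.10", 443, "new")),
    ("Unsolicited Internet traffic reaches the corporate LAN (no default deny, Req. 1.2.1)",
     Packet("wan", "203.0.113.7", "10.20.0.5", 23, "new")),
    ("A DMZ host can initiate connections into the CDE (DMZ not isolated, Req. 1.3.6)",
     Packet("lan", "192.0.2.10", "10.10.0.5", 22, "new")),
    ("Guest WiFi / vendor network can reach the CDE (segmentation failure)",
     Packet("lan", "10.30.0.7", "10.10.0.5", 443, "new")),
    ("CDE can open arbitrary outbound connections to the Internet (Req. 1.3.4)",
     Packet("lan", "10.10.0.5", "203.0.113.7", 443, "new")),
]
# Reply traffic for a session the CDE opened to the acquirer must still get back in.
RETURN_PROBE = Packet("wan", "198.51.100.20", "10.10.0.5", 51234, "established")


def audit(rules: List[Rule]) -> List[str]:
    findings = [text for text, pkt in DENY_PROBES if decide(rules, pkt) == "accept"]
    if decide(rules, RETURN_PROBE) != "accept":
        findings.append("Replies to CDE-initiated sessions are dropped (stateful inspection missing)")
    return findings


# A typical unhardened branch-router policy: a port-forward "for remote support" into the
# POS server, no anti-spoofing, and a flat internal network where every zone sees every other.
WEAK_RULES = [
    Rule("accept", "any", "0.0.0.0/0", "0.0.0.0/0", None, "established"),
    Rule("accept", "wan", "0.0.0.0/0", "10.10.0.5/32", 443),   # port-forward into the CDE
    Rule("accept", "wan", "0.0.0.0/0", DMZ, 443),
    Rule("accept", "lan", DMZ, "0.0.0.0/0", None),             # DMZ hosts unrestricted
    Rule("accept", "lan", "10.0.0.0/8", "0.0.0.0/0", None),     # flat LAN, guest included
]

# Hardened policy: anti-spoof drops first, then stateful replies, then only traffic with a
# documented business need; everything else falls through to the implicit default deny.
HARDENED_RULES = [
    Rule("drop", "wan", "10.0.0.0/8", "0.0.0.0/0", None, "any"),
    Rule("drop", "wan", "172.16.0.0/12", "0.0.0.0/0", None, "any"),
    Rule("drop", "wan", "192.168.0.0/16", "0.0.0.0/0", None, "any"),
    Rule("drop", "wan", DMZ, "0.0.0.0/0", None, "any"),
    Rule("accept", "any", "0.0.0.0/0", "0.0.0.0/0", None, "established"),
    Rule("accept", "wan", "0.0.0.0/0", DMZ, 443),              # public web tier only
    Rule("accept", "lan", CDE, ACQ, 443),                      # POS -> acquirer over TLS
    Rule("drop", "lan", GUEST, "10.0.0.0/8", None, "any"),      # guest never reaches inside
    Rule("accept", "lan", GUEST, "0.0.0.0/0", None),           # guest -> Internet only
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or "no findings")
```

Rule order is what makes the hardened policy work: the anti-spoof drops sit before the stateful accept, and the guest-to-internal drop sits before the guest-to-anywhere accept, so the checks cannot be bypassed by a later, broader rule. The weak policy fails five of the six deny probes; the one it passes (no unsolicited path to the back office) passes only because nothing happened to forward a port there, which is exactly the kind of accident a default-deny rule replaces with intent.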

About MCA and Our CNS Team


MCA is one of the largest and most trusted integrators in the United States, offering world-class voice, data, and security solutions that enhance the quality, safety, and productivity of customers, operations, and lives. More than 65,000 customers trust MCA to provide carefully researched solutions for a safe, secure, and more efficient workplace.

Our Cellular Networking Solutions (CNS) team (formerly known as USAT) is made up of certified experts in designing and deploying fixed and mobile wireless data connectivity solutions for public and private enterprises nationwide - complete with implementation, training, proof of concept (POC), system auditing, and on-site RF surveying services with optional engineering maintenance contracts.

Our extensive catalog of world-class routers, gateways, and software designed for remote monitoring and management in even the harshest environments allows us to deliver a full suite of reliable technologies capped with a service-first approach.

