Cisco PCI Solution For Retail 2.0 Design Guide


About the Authors

Solution Authors

Christian Janoff, Vertical Solutions Architect, CMO ISE, Cisco Systems
Christian Janoff is a Retail Architect at Cisco Systems with over 15 years of industry experience. Christian leads Cisco's participation on the Payment Card Industry Security Standards Council. He was elected to the PCI Council's Board of Advisors in May 2009. Prior to Cisco, Christian worked as a network engineering manager at Safeway, Inc. Christian holds a bachelor's degree from the University of California at Santa Cruz.

Bart McGlothin, Vertical Solutions Architect, CMO ISE, Cisco Systems
Bart is a Retail Architect at Cisco Systems. With over 15 years of industry experience, Bart leads Cisco's involvement with the National Retail Federation's Association for Retail Technology Standards Committee. Prior to Cisco, Bart worked as the Network Architect at Safeway, Inc.

Partner Authors
Rob McIndoe, Aaron Reynolds

Contributors
Mike Adler, Mark Allen, Annette Blum, Renata Budko, John Carney, Danny Dhillon, Michael Dugan, Zeeshan Farees, Carol Ferrara-Zarb, Syed Ghayer, Sujit Ghosh, Manisha Gupta, Jamey Heary, Gary Halleen, Stuart Higgins, Amanda Holdan, Tom Hua, Raymond Jett, Manny Kamer, Rekha Krishna, Paul Lysander, Fernando Macias, Bob Nusbaum, Manu Parbhakar, Vikram Prabhakar, Jim Rintoul, Brian Robertson, Angel Shimelish, Rick Simon, Maria Sisiruca, Sheri Spence, Greg Varga

CONTENTS

Chapter 1  Solution Overview  1-1
    Executive Summary  1-2
    Target Market/Audience  1-3
    Solution Benefits  1-3
    PCI Solution Results  1-4

Chapter 2  PCI and the Solution Framework  2-1
    PCI DSS 2.0—New Reporting Guidelines  2-2
    Maintaining PCI Compliance  2-2
    Cardholder Data Environment and Scope  2-3
    PCI Best Practices  2-4
    Scope Maintenance  2-4
    Cardholder Data Environment—Scope Layers  2-6
        Endpoints and Applications  2-6
            Point-of-Sale  2-6
            E-commerce and Public-facing Websites  2-6
            Voice  2-6
            Physical  2-6
            E-mail  2-6
        Scope Administration  2-7
            People  2-7
            Processes  2-7
            Storage of Sensitive Information  2-7
            Monitoring  2-7
        Infrastructure  2-7
            Architectural Sampling  2-8
        Partners  2-8
            Service Providers  2-8
            Internet  2-8
    PCI Solution Framework  2-8
        Endpoints and Applications  2-9
        Scope Administration  2-9
        Infrastructure  2-9
        Services  2-9

Chapter 3  Solution Architecture  3-1
    Enterprise Architecture and PCI Design Considerations  3-2
    Store Architecture  3-3
        Design Considerations  3-3
    Data Center  3-6
        Design Considerations  3-7
    WAN Aggregation  3-8
        Design Considerations  3-8
    Core Layer  3-9
        Design Considerations  3-10
    Aggregation Block  3-10
        Design Considerations  3-11
    Aggregation Layer  3-11
        Design Considerations  3-11
    Services Layer  3-11
        Design Considerations  3-12
    Access Layer  3-12
        Design Considerations  3-13
    Host/Server Farm Layer  3-13
        Design Considerations  3-13
    Storage Layer  3-15
        Design Considerations  3-15
    E-commerce/Internet Edge/Service Provider Edge/Partner Edge  3-16
        Design Considerations  3-16

Chapter 4  Component Assessment  4-1
    Component Section Overview  4-1
    PCI Assessment Summary  4-1
    Capability Assessment  4-2
    Design Considerations  4-4
    Endpoints and Applications  4-4
        Voice  4-4
            Cisco Unified Communications Manager and IP Phones  4-4
        Physical Security  4-6
            Cisco Video Surveillance  4-6
            Cisco Physical Access Control  4-8
        E-mail  4-11
            Cisco IronPort Email Security Solution  4-11
        Hosts  4-13
            Cisco Unified Computing System  4-13
            Cisco UCS Express on Services Ready Engine  4-16
    Scope Administration  4-18
        Authentication  4-18
            Cisco Secure Access Control Server  4-18
            RSA Authentication Manager  4-20
            Cisco TrustSec  4-22
        Management  4-26
            Cisco Security Manager  4-26
            EMC Ionix Network Configuration Manager  4-28
            RSA Archer  4-30
        Encryption  4-32
            RSA Data Protection Manager  4-32
        Storage  4-35
            EMC SAN Disk Array  4-35
        Monitoring  4-37
            RSA enVision  4-37
            HyTrust Appliance  4-40
        Additional In Scope Devices  4-41
    Infrastructure  4-42
        Routing  4-42
            Router—Store  4-42
            Routers—Data Center  4-46
        Switching  4-50
            Switches—Store  4-50
            Cisco Catalyst Switches—Data Center  4-53
            Cisco Nexus 1000V Switch—Data Center  4-56
            Cisco Nexus Switches—Data Center  4-58
        Cisco Wireless  4-60
        Storage  4-63
            Cisco MDS Storage Switches  4-63
        Security  4-65
            Cisco ASA 5500 Series—Store  4-65
            Cisco ASA 5500 Series—Data Center  4-67
            Cisco Firewall Services Module (FWSM)—Data Center  4-70
            Cisco Virtual Security Gateway  4-72
        Intrusion Detection  4-74
            Cisco Catalyst 6500 Series Intrusion Detection System Services Module 2  4-74

Chapter 5  Summary  5-1

Cisco PCI Solution for Retail 2.0 Design Guide (OL-13453-01)

Chapter 1: Solution Overview

The Payment Card Industry Data Security Standard (PCI DSS) is generally perceived to be a complicated means to secure sensitive information. As of 2010, according to the PCI Security Standards Council, 100 percent of all breached companies were not compliant at the time of the breach, regardless of whether they were compliant at the time of their audit. How did a company that took such pains to achieve compliance not take equal measures to maintain it? Is the standard really so complex that it is not capable of being sustained? Some pundits have argued that PCI is therefore an unrealistic goal and valueless.

Cisco takes a more balanced stance. PCI is not overly stringent from a security perspective. In fact, Cisco sees the PCI security standard as the minimum security any company should have when taking payments. PCI is a global attempt at setting a minimum bar. Some very large companies and some entire countries have not developed a security awareness that meets the evolved threats of cybersecurity today. From that perspective, PCI is the lowest common denominator that provides the minimum level of protection. Putting in a firewall, changing default passwords, locking the door to the wiring closet, and making sure that you know who is configuring a device rather than leaving open a general admin account: these items are not complex.

Although the standard is indeed intricate, the real complexity challenge comes from managing an enterprise network. Enterprise companies do not arise overnight. Most companies that existed in the 1980s did not consider data security to be an ingredient that must be included at all levels. After IP became the de facto network protocol, enterprise companies have been struggling to integrate data with voice systems, video, wireless, digital media, administrative duties, and business processes, as well as to holistically integrate protection of payment card information throughout. Each of these technologies was developed independently of the others. With the advent of IP, they have merged, in a sometimes inefficient and complex fashion.

Therefore, the real struggle is to develop a simple, sustainable, and operationally efficient enterprise architecture. This foundation needs to have security integrated not only within its technical infrastructure but within its processes and policies as well. This manual is written to provide resources to address these issues and to help simplify compliance.

Executive Summary

The Cisco PCI Solution for Retail 2.0 was developed to help retailers simplify and maintain PCI compliance. The solution consists of strategic guidance as well as tactical implementation. Cisco is in the unique position to apply its enterprise-wide architecture experience to the requirements of PCI. The Architectural Design section discusses what retailers should consider when designing their posture for addressing PCI. It examines enterprise architecture and discusses the related controls within them. Next, this document separates those architectures into their components. The solution is designed to conform to PCI DSS 2.0.

The solution was built and tested using a holistic enterprise perspective including the following:

• Application consideration—Point-of-sale (POS) systems and payment devices, including wireless payment devices
• Administrative concerns within scope of PCI
• Cisco, RSA, EMC, VCE, and HyTrust network infrastructure
• Assessment by a qualified security assessor (Verizon Business)

The result is a set of retail store, data center, and Internet edge architectures and designs that simplify the process of a retailer becoming PCI compliant, maintaining that posture, and providing the capability of awareness when under attack. (See Figure 1-1.)

Figure 1-1 Enterprise Architecture (diagram not reproduced; labelled elements: Customers and Teleworkers, Internet, Internet Edge, Mobile Services, Web Application Servers, Management Servers, Retail Application Servers and Storage, Data Center, Wide Area Network, Stores, Point of Sales)

Target Market/Audience

This solution is targeted toward the following audiences:

• Technical or compliance-focused individuals seeking guidance on how to holistically design and configure for PCI compliance
• Retailers that require a qualified security assessor to provide a Report of Compliance
• Retailers interested in preparing for growth that will someday require a Report of Compliance

Although all retailers that take credit cards are required to be PCI compliant, this solution is designed to help the larger companies simplify the complexity of compliance. Smaller companies can benefit from the design and guidance as well, but should consult their acquiring banks for specifics if they do not currently require an onsite audit. Specific card programs are available at the following locations to determine their specific categorization process:

• American Express (link truncated in source)
• Discover Financial (link truncated in source: …urity/disc.html)
• JCB (link truncated in source: …pci/index.html)
• MasterCard Worldwide—http://www.mastercard.com/sdp
• Visa, Inc.—http://www.visa.com/Cisp

Solution Benefits

This solution demonstrates how to design end-to-end enterprise systems that conform to PCI DSS 2.0 guidelines. Companies can simplify the process of becoming PCI compliant by building a similar network with the recommended configurations and best practices. In addition, this solution provides the following benefits:

• Insight into the Cisco Connected Retail enterprise architecture and the controls used to address PCI
• A detailed analysis and mapping of Cisco and Partner components and their relationship with PCI DSS sub-requirements
• A scalable set of architectural designs that can be used as a reference during the PCI compliance process
• Insight into compensating controls and best practices to harden retail network and data systems
• A centralized management tool kit, which provides operational efficiency compared to managing the distributed endpoints individually
• Insight into the PCI audit process by providing a lab model and associated reference architecture report from Verizon Business

PCI Solution Results

Table 1-1 provides a summary of the PCI assessment results.

Table 1-1 PCI Assessment Results Summary

Endpoints and Applications
    Component                                   Primary PCI Function
    Cisco Unified CM and IP Phones              9.1.2
    Cisco Video Surveillance                    9.1.1
    Cisco Physical Access Control               9.1
    Cisco IronPort Email Security Solutions     DLP
    Cisco UCS                                   Servers
    Cisco UCS Express on Cisco SRE              Servers

Scope Administration
    Component                                   Primary PCI Function
    Cisco ACS                                   7.1
    RSA Authentication Manager                  8.3
    HyTrust Appliance                           10.5
    Cisco Security Manager                      1.2
    EMC Ionix NCM                               1.2.2
    RSA Data Protection Manager                 3.5
    EMC CLARiiON                                Storage
    Cisco TrustSec                              7.1, 11.1b, 11.1d
    RSA enVision                                10.5

Infrastructure
    Component                                   Primary PCI Function
    Cisco store routers                         1.3, 11.4
    Cisco data center routers                   1.2, 1.3
    Cisco store switches                        9.1.2, 11.1b, 11.1d, Segmentation
    Cisco data center switches                  1.2, 1.3, 11.4
    Cisco Nexus 1000V Series Switch             Segmentation
    Cisco Nexus data center switches            Segmentation
    Cisco Wireless                              4.1, 11.1
    Cisco MDS Switch                            3.4
    Cisco ASA-store                             1.3, 11.4
    Cisco ASA-data center                       1.3, 11.4
    Cisco FWSM-data center                      1.3
    Cisco Nexus VSG                             Virtual firewall
    Cisco IDSM-data center                      11.4

Chapter 2: PCI and the Solution Framework

The PCI Data Security Standard (PCI DSS) provides guidance for securing payment card data. It includes a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. PCI DSS provides an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents. The current version is PCI DSS 2.0. Table 2-1 lists the PCI DSS goals and requirements.

Table 2-1 PCI Data Security Standard (PCI DSS)

Goal: Build and maintain a secure network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect cardholder data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a vulnerability management program
    5. Use and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications

Goal: Implement strong access control measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

Goal: Regularly monitor and test networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Goal: Maintain an information security policy
    12. Maintain a policy that addresses information security for all personnel

The PCI DSS standard uses these 12 tenets to define how companies should secure their systems, both technical and social.

PCI DSS 2.0—New Reporting Guidelines

With PCI DSS 2.0, more thorough evidence is required from the merchant. This fact will not likely be called out anywhere within the PCI DSS 2.0 “Summary of Changes” document.

Historically, the PCI Security Standards Council (SSC) has provided qualified security assessors (QSAs) with a PCI “Scoring Matrix” document, which has provided the validation and reporting requirements for each PCI DSS requirement. For example, one requirement may require the QSA to review a supporting document and process to confirm a requirement is in place, where another may require that a document (for example, a policy or procedure document) as well as configuration and/or system settings be examined.

The Scoring Matrix has been replaced by a “Reporting Instructions” document. The necessary validation steps have been expanded. There is a greater level of detail required for assessor documentation (for example, observation of documentation; observation of process, action, or state; observation of configuration file/system settings; observation by interview; and so on). These new instructions will likely lead to a more thoroughly conducted assessment.

Maintaining PCI Compliance

As stated in the overview, becoming compliant is not the real challenge associated with PCI. Although many companies view becoming compliant as a goal or an endpoint, it is better to view PCI as a continuous cycle rather than a snapshot in time (see Figure 2-1). This may seem intuitive, but many organizations relax after passing an audit. Rather than preparing for the ongoing activity of maintaining compliance, the posture that allowed the organization to pass degrades over time. Compliance is assumed to be continuous.

Figure 2-1 Continuous Compliance Cycle (diagram not reproduced; cycle stages: Assess, Remediate, Report)

A good model to adopt is one that looks at the full spectrum of time for maintaining and simplifying compliance:

• Future: Become compliant—What is the current state of the organization compared to the compliant state? What changes are needed to reach a state of compliance? Is there a new standard on the horizon, or are there pending changes to the organization that might affect the state of compliance? Are there new store openings or mergers? What preparations are needed, both from a technical and a process perspective, to account for maintaining compliance?
• Present: Know that you are still compliant—What tools are being used to recognize that the organization is in a state of compliance? Are there application dashboards that are succinctly developed to provide a current state of compliance? Is there a department or set of departments that “own” this state? Are there accurate diagrams and documentation for the full scope of the company that is within the scope of compliance?
• Past: What happened to the compliance?—Did someone in the organization turn rogue? Did someone from the outside break in? Did someone “fatfinger” a command? Who did? How can you account for what systems are in scope and gain forensic knowledge to account for who is doing what?

This solution is designed to provide the tools and design practices to help answer these questions.

Cardholder Data Environment and Scope

One of the most important concepts within PCI is the scope, or the size of the merchant’s cardholder data environment (CDE). This is important for several reasons: the CDE comprises the specific applications, systems, and associated personnel that have access to sensitive data. This is the range of infrastructure and people that must successfully pass an audit to become PCI compliant. More importantly, this is also the area that must be properly maintained to be safe from the threat of a hacker. The term sensitive data refers to the items listed in Table 2-2, provided by the PCI DSS standard.

Table 2-2 Guidelines for Cardholder Data Elements

    Data Element                        Storage Permitted   Render Stored Account Data Unreadable per Requirement 3.4
Account Data: Cardholder Data
    Primary account number (PAN)        Yes                 Yes
    Cardholder name                     Yes                 No
    Service code                        Yes                 No
    Expiration date                     Yes                 No
Account Data: Sensitive Authentication Data
    Full magnetic stripe data           No                  Cannot store per Requirement 3.2
    CAV2/CVC2/CVV2/CID                  No                  Cannot store per Requirement 3.2
    PIN/PIN block                       No                  Cannot store per Requirement 3.2

Wherever the data that corresponds to the fields in Table 2-2 is present in your organization, the appropriate measures must be taken to secure it.
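Table 2-2 is easiest to reason about when it is turned into an enforceable rule at the point where a record is about to be written to storage. The Python below is an added example written for this page; it is not code from the Cisco guide or from the PCI SSC. It encodes the table as a policy (storage permitted / must be rendered unreadable), rejects any record that carries sensitive authentication data (Requirement 3.2), and, for the PAN, keeps only a keyed one-way hash plus the last four digits (one of the methods Requirement 3.4 allows). The field names, the HMAC-SHA256 keying scheme, the Luhn-based scan of free-text fields for stray PANs, and the sample record (using the well-known test PAN 4111 1111 1111 1111) are all assumptions made for the example.

```python
"""Storage-policy check modelled on Table 2-2 (added example, not code from the guide)."""
import hashlib
import hmac
import re

# Policy distilled from Table 2-2 (assumed field names):
#   element -> (storage permitted, must be rendered unreadable per Requirement 3.4)
STORAGE_POLICY = {
    "pan":                  (True,  True),
    "cardholder_name":      (True,  False),
    "service_code":         (True,  False),
    "expiration_date":      (True,  False),
    "full_magnetic_stripe": (False, False),  # cannot store, Requirement 3.2
    "cvv2":                 (False, False),  # CAV2/CVC2/CVV2/CID, Requirement 3.2
    "pin_block":            (False, False),  # PIN / PIN block, Requirement 3.2
}

# 13-19 digit runs are PAN candidates; the Luhn check below filters out most other numbers.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


class StoragePolicyError(ValueError):
    """Raised when a record may not be written to persistent storage as-is."""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card brands: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in free text (for example a notes field)."""
    return [m for m in PAN_CANDIDATE.findall(text) if luhn_valid(m)]


def render_pan_unreadable(pan: str, key: bytes) -> str:
    """Keyed one-way hash over the entire PAN (assumption: HMAC-SHA256; the key lives in a
    key-management system outside this process, never beside the hashes)."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Validate a record against STORAGE_POLICY and return the fields that may be persisted.

    Raises StoragePolicyError if sensitive authentication data is present or if a
    PAN-shaped value appears in a field the policy does not control.
    """
    stored = {}
    for field, value in record.items():
        if value in (None, ""):
            continue
        permitted, unreadable = STORAGE_POLICY.get(field, (True, False))
        if not permitted:
            raise StoragePolicyError(f"{field}: sensitive authentication data must not be stored (Req 3.2)")
        if field not in STORAGE_POLICY and find_pans(str(value)):
            raise StoragePolicyError(f"{field}: PAN found outside a controlled field")
        if unreadable:
            # Keep only a keyed hash (for matching) and the last four digits (for display).
            stored[field + "_hmac"] = render_pan_unreadable(str(value), key)
            stored[field + "_last4"] = str(value)[-4:]
        else:
            stored[field] = value
    return stored


def is_storable(record: dict, key: bytes) -> bool:
    """True if the policy accepts the record, False if it rejects it."""
    try:
        prepare_for_storage(record, key)
        return True
    except StoragePolicyError:
        return False


# Constructed sample input: not real cardholder data, and a placeholder key.
SAMPLE_KEY = b"demo-key-replace-with-managed-secret"
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "J. Doe",
    "expiration_date": "12/25",
    "service_code": "201",
}

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_RECORD, SAMPLE_KEY))
    for extra in ({"cvv2": "123"}, {"notes": "customer read 4111111111111111 over the phone"}):
        print(extra, "storable:", is_storable(dict(SAMPLE_RECORD, **extra), SAMPLE_KEY))
```

The free-text scan is the part most often missing in real systems: the controlled fields are usually handled correctly, while a PAN typed into an order note or a support ticket silently pulls that database into scope. Truncation alone is permitted by Requirement 3.4 too; the keyed hash is used here because it still allows exact-match lookups without the PAN being recoverable from the stored value.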

PCI Best Practices

“Limit scope, protect it, maintain it.”

When it comes to simplifying PCI, this is probably the best advice: “Limit the size of the scope of your cardholder data environment, protect the area within the perimeter of that environment, and then strive to maintain it as efficiently as possible.”

This guide demonstrates on many levels how pervasively this philosophy should be applied. Limiting the scope really means challenging your company. Challenge your management. Challenge the business. Challenge your department to weigh the risk versus the benefit of its current way of doing business. This does not necessarily mean that you must change. However, by looking skeptically at the actual needs of the business, combined with the sobering reality that there are organized criminals striving to steal from your company, you can systematically identify and document the true scope of your PCI environment and refine it to its core requirements. Minimizing the overall PCI scope and reducing unnecessary systems or unjustified access to systems reduces the ongoing requirements of PCI and simplifies the overall compliance cost and maintenance.

Several factors must be considered to maximize the efficacy of this philosophy. You must accurately determine the existing scope of what you have to secure before you can look at how to refine it. The following sections of this chapter discuss considerations of what might be in scope for your organization, and consequently your deployment using the Cisco solution framework for compliance.

The second part of the advice

