Using Cisco Security MARS to Comply with PCI Data Security Standard Requirements

PCI compliance is a requirement for all customers who process, transmit, or store credit card information. Through its security event monitoring, threat mitigation, and reporting features, the Cisco® Security Monitoring, Analysis, and Response System (Cisco Security MARS) can help customers satisfy PCI compliance requirements and reporting needs. This white paper discusses how Cisco Security MARS Release 6.0 helps customers meet their PCI compliance requirements.

Overview of Cisco Security MARS Support for PCI Data Security Standard

The PCI Data Security Standard (DSS) stipulates six major requirement categories and 12 key requirement areas. The requirement areas are divided into more than 200 sub-requirements. Cisco Security MARS supports both Cisco and non-Cisco devices and provides numerous "canned" reports, and can be used to provide necessary information required to fulfill many of these PCI-compliance-specific sub-requirements. Table 1 outlines the PCI requirements that Cisco Security MARS can address.

Table 1. Cisco Security MARS PCI Compliance Support Capability Summary

| PCI Requirement Category | Requirements Description | PCI Requirements Addressed by Cisco Security MARS |
|---|---|---|
| Build and Maintain a Secure Network | PCI Requirement 1: Install and maintain a firewall configuration to protect data. | PCI DSS 1.1.1, 1.1.2, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.2.1, 1.2.2, 1.2.3, 1.4.1 |
| Build and Maintain a Secure Network | PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. | PCI DSS 2.1 |
| Protect Cardholder Data | PCI Requirement 4: Encrypt transmission of cardholder and sensitive information across public networks. | PCI DSS 4.1 |
| Maintain a Vulnerability Management Program | PCI Requirement 5: Use and regularly update antivirus software. | PCI DSS 5.1, 5.2 |
| Maintain a Vulnerability Management Program | PCI Requirement 6: Develop and maintain secure systems and applications. | PCI DSS 6.1, 6.1.1, 6.2, 6.4, 6.5, 6.5.1, 6.5.5, 6.5.9 |
| Implement Strong Access Control Measures | PCI Requirement 7: Restrict access to data by business need-to-know. | PCI DSS 7.1 |
| Implement Strong Access Control Measures | PCI Requirement 8: Assign a unique ID to each person with computer access. | PCI DSS 8.3, 8.5.1, 8.5.10, 8.5.13, 8.5.14, 8.5.15, 8.5.16 |
| Regularly Monitor and Test Networks | PCI Requirement 10: Track and monitor all access to network resources and cardholder data. | All except PCI DSS 10.2.1, 10.2.6, 10.4, 10.5.5 |
| Regularly Monitor and Test Networks | PCI Requirement 11: Regularly test security systems and processes. | PCI DSS 11.1, 11.2, 11.4, 11.5 |
| Maintain an Information Security Policy | PCI Requirement 12: Maintain a policy that addresses information security. | PCI DSS 12.5.2, 12.5.3, 12.9.5 |

Cisco Security MARS Support Clarification for PCI DSS Requirements

PCI Requirement 1: Install and maintain a firewall configuration to protect data

This compliance requirement calls for reporting of firewall changes and of all user activity on the firewall. This is accomplished by tracking, logging, and recording all users' firewall logon activities. The primary interest from an auditor's perspective is who made the change (Figure 3), what change was made to the firewall (Figures 2 and 4), and what protocol was used to make it (Figure 4). Demonstrating network connectivity transparency using a network topology map (Figure 1) is also necessary to satisfy this PCI requirement.

Figure 1. Topology Displaying Network Connection of Network Devices

Figure 1 shows a Cisco Security MARS topology diagram that depicts network devices (application server, database, firewall, IPS devices, etc.) and their connectivity, giving security staff visibility into the network.

Figure 2. Firewall or Device Changes Audit Trail

Figure 2 shows that Event ID 311056 reports "who" executed a firewall (e.g., an adaptive security appliance) command and "what" ACL command the user executed. This is the level of detail that PCI requires for tracking and reporting of user activities. Figure 3 shows the protocol (SSH) used by a user logging onto or disconnecting from a network device (ASA-6-315011); this satisfies the protocol-tracking PCI requirement.

Figure 3. Protocol Used for Firewall Changes

Figure 4 shows a report of user activities on a firewall ("LabH-Pod5-ASA"). The audit trail includes source (10.100.1.20) and destination (10.100.2.30) IP addresses and the protocol (SSH) used by the user. It also contains the command that the user executes. These types of user activities recorded in the firewall or device audit log must be reported or demonstrated to the PCI auditor.

Figure 4. User Firewall Access Activity Log
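As an added example (not from the paper and not Cisco Security MARS code), the following Python correlates constructed ASA syslog lines into the who/what/protocol audit trail described above, so that a reviewer can pull out only the commands that changed firewall policy. It uses the ASA-6-315011 disconnect message cited in the paper together with the standard ASA 605005 login and 111008 command-executed messages; the exact message formats, the device name and the addresses are assumptions taken from the paper's figures.

```python
import re

# Constructed sample syslog lines for the firewall named in the paper
# ("LabH-Pod5-ASA"). Message 315011 is cited in the paper; 605005 (login)
# and 111008 (command executed) are standard ASA message IDs, with their
# formats written here as assumptions. Addresses follow the paper's Figure 4.
SAMPLE_LOGS = [
    'Mar 10 2009 14:02:11 LabH-Pod5-ASA %ASA-6-605005: Login permitted from '
    '10.100.1.20/51234 to inside:10.100.2.30/ssh for user "admin"',
    "Mar 10 2009 14:02:40 LabH-Pod5-ASA %ASA-5-111008: User 'admin' executed the "
    "'access-list cardholder_in permit tcp any host 10.100.2.30 eq 443' command.",
    "Mar 10 2009 14:03:05 LabH-Pod5-ASA %ASA-5-111008: User 'admin' executed the "
    "'write memory' command.",
    'Mar 10 2009 14:03:30 LabH-Pod5-ASA %ASA-6-315011: SSH session from 10.100.1.20 '
    'on interface inside for user "admin" disconnected by SSH server, '
    'reason: "TCP connection closed"',
]

HEADER = re.compile(r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>%ASA-.*)$")
LOGIN = re.compile(r'605005: Login permitted from (?P<src>[\d.]+)/\d+ to \w+:(?P<dst>[\d.]+)/'
                   r'(?P<proto>\w+) for user "(?P<user>[^"]+)"')
CMD = re.compile(r"111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")
DISC = re.compile(r'315011: SSH session from (?P<src>[\d.]+) on interface \w+ '
                  r'for user "(?P<user>[^"]+)" disconnected')

# Command prefixes that alter the firewall's traffic policy: the "what" an
# auditor wants paired with the "who" and the protocol used (assumed list).
POLICY_PREFIXES = ("access-list", "access-group", "object", "nat", "static")


def build_audit_trail(lines):
    """Correlate login, command and disconnect messages into one record per command."""
    sessions = {}          # user -> src/dst/protocol of that user's open session
    trail = []
    for line in lines:
        hdr = HEADER.match(line)
        if not hdr:
            continue       # not an ASA message; ignore it
        msg = hdr["msg"]
        if m := LOGIN.search(msg):
            sessions[m["user"]] = {"src": m["src"], "dst": m["dst"], "proto": m["proto"].upper()}
        elif m := CMD.search(msg):
            sess = sessions.get(m["user"], {"src": "?", "dst": "?", "proto": "?"})
            trail.append({"time": hdr["ts"], "device": hdr["host"], "user": m["user"],
                          "command": m["cmd"],
                          "policy_change": m["cmd"].startswith(POLICY_PREFIXES), **sess})
        elif m := DISC.search(msg):
            sessions.pop(m["user"], None)   # session closed; later commands stay unattributed
    return trail


def policy_changes(lines):
    """Only the records a PCI Requirement 1 reviewer would ask to see."""
    return [r for r in build_audit_trail(lines) if r["policy_change"]]
```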

PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

To satisfy PCI Requirement 2, reports must demonstrate monitoring of default password changes. Cisco Security MARS supports PCI Requirement 2.1 through vulnerability assessment (VA) scanning reports from companies such as McAfee Foundstone or Qualys Guard. A sample Cisco Security MARS VA report is shown in Figure 5.

Figure 5. Vulnerability Assessment (VA) Reporting for Default Password Use

PCI requires changing the default password of any network device. In Figure 5, the vulnerability scan reports that the Cisco Security MARS default user password remains unchanged; this is a violation of PCI policy.

PCI Requirement 4: Encrypt transmission of cardholder and sensitive information across public networks

Cisco Security MARS supports PCI Requirement 4.1. To satisfy this requirement, customers must demonstrate that cardholder data was transmitted either in encrypted format or over an encrypted network. Cisco Security MARS supports IPSec VPN devices (for example, Cisco ASA appliances and VPN 3000 concentrators, both of which provide IPSec VPN) and can generate reports of IPSec VPN monitoring events.

PCI Requirement 5: Use and regularly update antivirus software

Under PCI Requirement 5, enterprise customers must establish a security procedure for ongoing antivirus software updates. Cisco Security MARS supports this requirement through device logs from antivirus vendors' software and reporting on antivirus events (McAfee, Symantec, etc.). Additionally, Cisco Security MARS supports the Cisco NAC Appliance; security posture reports from the NAC appliance log help satisfy Requirement 5 (Figure 6).

PCI Requirement 6: Develop and maintain secure systems and applications

PCI Requirement 6 requires that enterprise customers establish standards and procedures to ensure that security device and application patches are kept up to date. Cisco Security MARS can provide VA results reporting from McAfee Foundstone, Qualys Guard, or eEye to keep enterprise customers informed of vulnerabilities for which patches have not yet been applied (Figure 6).

Figure 6. Security Posture and Access Control Reports Listing

PCI Requirement 7: Restrict access to data by business need-to-know

This requirement emphasizes that access to cardholder data is granted on a business need-to-know basis. Cisco Security MARS provides Cisco ACS access log reporting to help customers satisfy this requirement. In Figure 6, Cisco Security MARS provides a listing of AAA reports that address this PCI requirement.

PCI Requirement 8: Assign a unique ID to each person with computer access

PCI Requirement 8 requires that an enterprise customer establish, monitor, and report on a user access policy. Cisco Security MARS provides several user access monitoring reports to satisfy the PCI requirements. Figures 7, 8, and 9 provide listings of the reports required.

Figure 7 shows an example of a user logon failure report. Figure 8 shows how to set the session timeout and the permitted number of logon attempts. Figure 9 lists reports of user activities in terms of database access success or failure, account logout, AAA access, user privilege changes, host access success or failure, and remote-access monitoring. PCI requires that all of these user activities be monitored and tracked.

Figure 7. User Access Monitoring Report

Figure 8. User Access Setting

Figure 9. Network and Database Access Monitoring Reports

PCI Requirement 10: Track and monitor all access to network resources and cardholder data

Under PCI Requirement 10, customers must report on ongoing monitoring of compliance with the network and cardholder database access policy, and on unauthorized modification of a network device's security policy or of the cardholder database. PCI also requires reporting of any wireless endpoint device added to the enterprise network. Cisco Security MARS provides several types of access monitoring reports (Figure 9), as well as active wireless access point monitoring (Figure 10) with 14 red-severity event types. For each active access point added to a Cisco Wireless LAN Controller, an event is reported through the Cisco Security MARS wireless monitoring reports. This satisfies PCI Requirement 10.

Figure 10. Wireless Access Monitoring Reporting

PCI Requirement 11: Regularly monitor and test networks

This PCI category requires enterprise customers to (1) use an intrusion detection or prevention system (IDS or IPS) to monitor all network traffic and alert personnel to suspected compromises, and keep all intrusion detection and prevention engines up to date; (2) monitor ongoing wireless endpoint access to the network; and (3) conduct VA scanning of network devices. Cisco Security MARS provides IPS signature update reporting as well as IPS threat and risk rating monitoring (Figure 13) to help customers satisfy this requirement. Additionally, Cisco Security MARS can help satisfy the wireless access monitoring requirement (Figure 10) and provides customers with off-the-shelf VA scanning reporting (Figure 5).

PCI Requirement 12: Maintain an information security policy

Under PCI Requirement 12, customers must implement incident response management controls and assign incident cases to appropriate personnel for resolution. Cisco Security MARS supports this requirement (Figure 11). Each incident is recorded with its incident ID, the type of event, and the action required to resolve it. Cisco Security MARS also supports the IPS monitoring reporting requirement (Figure 13).

Figure 11. Security Incident Management

Figure 12. Specific Incidents Monitoring

Figure 13. IPS Signature Updates and Threat Monitoring Report

Summary

Cisco Security MARS directly supports 10 of the 12 key PCI requirement areas. Currently, Cisco Security MARS does not support PCI Requirements 3 and 9. Cisco encourages customers to evaluate their monitoring and reporting needs against Requirements 3 and 9 and to work closely with Cisco security partners to evaluate appropriate reporting solutions that satisfy these two requirements.
