PCI compliance has become a major concern for most companies that deal with credit card transactions, and this significantly impacts Extreme Networks customers. This whitepaper is designed to show how products from Extreme Networks can assist customers achieve PCI compliance. First, a few facts about PCI:
- The Payment Card Security Standard (PCI) is not a law, and is not enforced by any government agency. It was created by the credit card industry, and applies to any entity who has a merchant ID.
- PCI defines a set of 12 high level security requirements that a merchant must meet in order to be PCI compliant.
- Achieving PCI compliance can only be done by hiring an approved scanning vendor from a set of 40 such vendors
- Scans must be done every 90 days in order to remain in compliance.
- Merchants that are not PCI compliant, or those that fall out of compliance, will face fines levied by the credit card companies against the that banks merchants deal with (and these fines are passed on to the merchant).
In order for a customer to remain PCI compliant, all 12 high level PCI requirements must be met and verified by an approved scanning vendor. The following is a listing of each PCI requirement along with a brief description of how Extreme Networks products can apply:
- Install and maintain a firewall configuration to protect cardholder data
This requirement primarily applies to dedicated firewall infrastructure, but because our wired and wireless systems implement a robust notion of network policy, our switches and access points can assist with this requirement. Further, defense-in-depth is an important concept in the security world, so having multiple layers of defense is important. That is, if an existing firewall fails to properly protect a network then it is advantageous to have a second line of defense. This can be provided by our Policy capabilities.
- Do not use vendor-supplied defaults for system passwords and other security parameters
In our products, users are required to supply admin passwords, so this generally meets the above requirement. However, there are many other security settings for which a customer will need to provide strong values. These include things such as SNMP community strings, non-admin account passwords, wireless network credentials, and more.
- Protect stored cardholder data
This requirement does not generally apply to Extreme Networks products. The reason is that we don’t have products that are used to store credit card data – such products would include card processing systems, websites with attached database storage, and the like.
- Encrypt transmission of cardholder data across open, public networks
Because Extreme Networks is not in the business of providing VPN or encryption implementations, this requirement does not apply to our products for the most part. A possible exception might be our wireless gear which is commonly used to host browser communications which may contain cardholder data. In this case, wireless encryption protocols become important from our perspective even though such browser communications are likely already hardened with SSL/TLS. Wireless encryption protocols supported by our products include WEP, TKIP, WPA, WPA2, WPA-PSK, WPA2-PSK, and AES. In general, weaker protocols like WEP, TKIP, and WPA should be avoided in favor of stronger options such as WPA2-PSK.
- Use regularly updated anti-virus software or programs
Although anti-virus software does not apply to Extreme Networks switching (AV) products, our NAC product can be used to enforce that client endpoint systems have updated anti-virus software installed. So, in this case we don’t build products on which AV needs to be installed, but we build a product that can assist a customer to achieve the requirement for other systems in their network. The specific NAC functionality that supports this scenario is the endpoint assessment feature that implements host quarantining if current AV software is not installed.
- Develop and maintain secure systems and applications
Of all the PCI requirements, this one is the most vague and onerous at the same time. When a customer tries to achieve PCI compliance, this requirement will likely force them to expend more effort than any of the others. To meet this requirement, an approved scanning vendor will use automated scanning software (and potentially manual scanning techniques as well) such as Nessus, Nexpose, or Qualys to audit all systems and applications that are resident in the customer’s network. This may well turn up vulnerability findings in Extreme Networks products which we may have to mitigate through configuration or by providing a patch. In addition, in many cases, negative findings in a set of scanning results may be invalid but have to be addressed anyway. More material on this appears in the “Scanning Vendor Negotiations” section later in this document.
- Restrict access to cardholder data by business need to know
Although this requirement is not something for which Extreme Networks products provide direct solutions for, once again our policy capabilities may apply. For example, a customer may not have internal firewalls that are designed to maintain policy between a network segment where cardholder data exists vs. other parts of their network. In this scenario, if they have an Extreme Networks switch (or Access Point) in a position to apply policy then they can likely meet the requirement. The key in this case is for the customer to understand and define “business need to know” and then map access restrictions to this.
- Assign a unique ID to each person with computer access
This is another requirement that is largely independent of where Extreme Networks products apply. However, our NAC product can provide user accountability by mapping users to devices used on the network, so this may help a customer achieve the requirement.
- Restrict physical access to cardholder data
This requirement largely deals with physical access control devices such as keycard readers, biometric door access, and the like. Therefore, although Extreme Network products don’t generally apply, once again our NAC product can help maintain an audit trail of user access by physical location. This information may help to satisfy the requirement in the eyes of an approved scanning vendor.
- Track and monitor all access to network resources and cardholder data
This is a broad requirement where multiple Extreme Networks products can apply. For example, NAC can provide an audit trail of network access by physical location, our network IDS/IPS can detect malicious activity and also certain kinds of legitimate activity that can be useful for tracking purposes, and even flow data produced by our switches can assist a customer to achieve this requirement.
- Regularly test security systems and processes
PCI itself places a recurring 90-day scanning requirement on customers, but this requirement is likely independent and in addition to this. That is, a customer should also deploy scanning software of their own in order to satisfy the requirement. Extreme Networks has encountered customers that do this, and we regularly respond to vulnerability findings that a customer may see in such results.
- Maintain a policy that addresses information security for all personnel
This requirement is largely something that a customer needs to satisfy independently of Extreme Networks, but we can provide the actual infrastructure for maintaining such a policy. This can be accomplished through use of our switching (wired/wireless) infrastructure together with NAC and leveraging policy
PCI requirement #6 mandates that customers maintain secure systems and applications. It is the verification of this requirement that necessitates a large effort on the part of an approved scanning vendor as they run a series of scans across a customer’s network. The scanning results can be massive, and require many hours to analyze and validate. Throughout the scanning process there is a lot of subjectivity that creeps into scanning results, and it is frequently even the case that the scanning results may be invalid for a given Extreme Networks product. In cases like this, it is important that Extreme Networks be given the opportunity to negotiate with the approved scanning vendor on why a vulnerability finding may be invalid. For example, many scanners simply map vulnerabilities in products to version strings that are advertised in server banners and the like. But, sometimes the vulnerable code is not even resident in the product from Extreme Networks – such as when we build our own Linux kernel with a stripped down kernel config file. In this case, many vulnerabilities that would have otherwise made it into the product are simply not there despite what version the kernel appears to be to a scanner.
Beyond the examination of scanning results from an approved scanning vendor another important aspect of the scanning cycle is that Extreme Networks conducts scans of our own products with industry scanners such as Nessus, Nexpose, and Qualys. We use these scanning results in order to gain insight into what an approved scanning vendor might see, and either proactively remediate issues with maintenance releases or patches to fix these problems, or anticipate false positives and understand why they are showing up. Further, many vulnerabilities are discovered by the security researcher community and reported to organizations like USCERT. Extreme Networks then receives information about these vulnerabilities before the public at large, and this can assist us to proactively fix security problems before they become a danger to our customer base. We tie USCERT notifications into our vulnerability response process which includes a rigorous set of response times for vulnerabilities based on severity. The severity of a vulnerability is defined by the CVSS score, which is an industry standard measure for how serious a given vulnerability is. The CVSS scoring system goes from 1-10, with 10 being the highest severity vulnerability. Our customer notification response times defined by the vulnerability response process are: 1 day for a CVSS score of 10, 3 days for a CVSS score from 7-9, one week for a CVSS score of 4-6, and low severity vulnerabilities are governed by SQA and the CR process
PCI is a critical industry standard for many Extreme Networks customers, and we are likely to see a continued uptick in the need for real solutions in this area. Although there is no certification that Extreme Networks can acquire in order to prove that our products are PCI compliant, we can assist customers in deploying our technology in a manner that is PCI compliant. The benchmark for this is measuring Extreme Networks products against each of the twelve major PCI requirements. Given that PCI compliance can only be achieved by a customer with an approved scanning vendor, it becomes important for Extreme Networks to be adept at responding to scanning results, and fortunately we are already scanning our products internally in order to have a proactive vision into the scanning process.