How The Unity EdgeConnect SD-WAN Edge Platform Supports PCI DSS Compliance


PCI DSS: Protecting Cardholder and Authentication Data

Highly sensitive personal identity and financial data have become enticing and highly lucrative targets for cyber criminals. According to the latest Nilson Report, worldwide payment card fraud losses reached $24.3 billion in 2018 and are expected to exceed $34 billion by 2022 [1]. Vulnerabilities to credit card fraud exist anywhere in the transaction process, including point-of-sale devices, personal computers, servers that store credit card or transaction data, Wi-Fi hotspots, websites, web shopping applications and more. Protecting cardholder information is not only a challenge for any enterprise transacting credit card payments but a mandate enforced by the payment card industry.

The Payment Card Industry (PCI) Security Standards Council was founded in 2006 to establish security standards for protecting credit cardholder data. The council publishes the PCI Data Security Standard (PCI DSS), which defines requirements for protecting customer credit card information and other financial data. PCI DSS "applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers [and] to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)." [2] Violations may result in fines of $5,000 to $100,000 a month, or even revocation of a business' ability to accept credit cards for transactions.

Clarifying the meaning of PCI compliance: PCI requirements apply to merchants and companies that accept credit card payments and to entities that store, process, or transmit cardholder data. Network and security products cannot be "PCI-compliant" themselves, but if designed with features that protect security and privacy, they can help organizations achieve and maintain PCI compliance.

Figure 1: Credit card processing data flow. Personal financial information and card data must be protected end-to-end, even while data is in flight across the WAN.

Some organizations incorrectly assume that PCI compliance applies only to cardholder data stored on servers in databases. However, this information, which includes the cardholder name, credit card number, expiration date and CVV code, must be protected end-to-end throughout the transaction, even while data is in flight across the WAN. The Silver Peak Unity EdgeConnect Software Defined WAN (SD-WAN) edge platform helps enterprises proactively address vulnerabilities to data transmitted across the WAN. Robust security and application micro-segmentation features help organizations meet PCI compliance requirements.

PCI Requirements Overview for Merchants and Enterprises

Silver Peak helps organizations achieve and maintain PCI DSS compliance by creating virtual overlays to segment applications across the WAN and by using zones for end-to-end segmentation from LAN, to WAN, to LAN.

Network Segmentation – Strongly Recommended

PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD, V3.2.1, PAGE 11:
"Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity's network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)
Without adequate network segmentation the entire network is in scope of the PCI DSS assessment."

SILVER PEAK: Segment networks and applications into zones; control access to zones containing cardholder data.

PCI DSS Requirements and How Silver Peak Supports Compliance

Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
   Silver Peak: Protection of device and control planes; secure configuration and change management
2. Do not use vendor-supplied defaults for system passwords and other security parameters
   Silver Peak: Password policies, including a default password warning

Protect Cardholder Data
3. Protect stored cardholder data
   Silver Peak: The Boost WAN optimization network memory function may store packet contents on a flash drive or disk, in which case it is encrypted using AES-128
4. Encrypt transmission of cardholder data across open, public networks
   Silver Peak: Data and management interfaces encrypted using AES-256

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
   Silver Peak: Direct selected network traffic to anti-malware and sandboxing products from Silver Peak security partners using automation, orchestration, and drag-and-drop service chaining
6. Develop and maintain secure systems and applications
   Silver Peak: Vulnerability assessments with each new release; patch updates issued as required

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
   Silver Peak: Not applicable
8. Identify and authenticate access to system components
   Silver Peak: Multiple unique logins for different user roles with appropriate privilege levels; optional authentication with RADIUS or TACACS+; enforcement of multi-factor authentication for all non-console administrative access and remote access to the cardholder data environment
9. Restrict physical access to cardholder data
   Silver Peak: Provisions for backup and disaster recovery; Silver Peak configuration and snapshots may be stored offsite

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
    Silver Peak: Full audit logs of user logins and all change management actions
11. Regularly test security systems and processes
    Silver Peak: Not applicable

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
    Silver Peak: Not applicable

Figure 2: Real-time monitoring of all appliances by location, tunnels, bandwidth, flow, jitter, latency, loss, application type, MOS, alarms.

Building a Secure SD-WAN

EdgeConnect can help organizations comply with nine of the twelve requirements specified by PCI DSS. Robust security controls and features in EdgeConnect and the Unity Orchestrator management software enable enterprise IT administrators to secure credit card transaction data across the WAN. PCI DSS version 3.2.1 is used as the reference.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

This requirement applies to routers and other network infrastructure equipment, including SD-WAN appliances. Orchestrator maintains audit logs for all logins and configuration changes. All management communications between Orchestrator and EdgeConnect appliances are encrypted using TLS. With WAN hardening, all traffic can be denied except for the protocols necessary for the cardholder data environment.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Industry best practice is to always change default login IDs and passwords. Silver Peak displays a warning to users that cannot be cleared until the default passwords are changed. All non-console administrative access to the system can be encrypted, using HTTPS for the UI and SSH for terminal sessions. For network management, SNMPv3, which provides authentication and encryption, is recommended rather than SNMPv1 or SNMPv2.

Requirement 3: Protect stored cardholder data

In its default configuration, EdgeConnect does not store any packet payload information on a flash drive or disk, so no card information is stored. With the optional Unity Boost WAN optimization performance pack, it is possible to apply WAN optimization to all or any subset of the traffic. As part of Boost, the network memory function may store packet contents on a flash drive or disk, in which case they are AES encrypted. If Boost is configured to operate on a protocol that carries cardholder data, any cardholder information contained in stored packets is AES encrypted. Because Boost can be applied selectively, excluding the flows that carry cardholder data from optimization avoids storing that data on the appliance at all. Other cardholder data storage mechanisms are outside the scope of the EdgeConnect platform.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

All data transmitted across the SD-WAN is fully encrypted using NIST-recommended cryptographic algorithms and security protocols. In each data path, EdgeConnect virtual WAN overlay tunnels employ 256-bit AES encryption for IPsec tunnels, with SHA-2 based message authentication. In the management plane, Transport Layer Security (TLS) 1.2 is used for communication between EdgeConnect and Orchestrator, between EdgeConnect and the Cloud Portal, and between the end user's web browser and Orchestrator or EdgeConnect. Weak protocols such as SSLv2, SSLv3, TLS 1.0 and TLS 1.1, weak hashes such as MD5, and weak encryption algorithms such as DES and RC4 are disabled.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

EdgeConnect appliances can ensure that network traffic containing protected data is routed through anti-malware products and other security tools. The EdgeConnect traffic steering feature with First-packet iQ classification identifies applications based on the first packet in a session. Through service chaining, applications that process or transmit cardholder data can be automatically directed to next-generation firewalls, cloud-hosted security services, anti-malware tools, and sandboxing products from security companies such as Check Point, Forcepoint, McAfee, OPAQ Networks, Palo Alto Networks, Symantec, and Zscaler. The anti-malware tools can be located in stores and remote branches, in remote data centers, or in the cloud.

Requirement 6: Develop and maintain secure systems and applications

Silver Peak performs vulnerability assessments for new releases, including maintenance releases, and issues critical patch releases when a newly discovered vulnerability may compromise security. Software development engineering follows secure coding principles to thwart cross-site scripting and the other web application vulnerabilities published by the Open Web Application Security Project (OWASP). Silver Peak publishes security advisories on a regular basis.

Requirement 8: Identify and authenticate access to system components

Silver Peak supports unique user login IDs as well as multiple user roles with different privilege levels. For example, the "Administrator" role has change privileges and the "Monitor" role does not. Audit logs provide traceability of all user logins and all user activity. Authentication to Orchestrator and EdgeConnect can optionally use RADIUS or TACACS+ authentication servers. Passwords are not stored in the clear: random salt is added to each password before it is hashed, and only the salted hash is kept. Silver Peak can enforce the use of token-based multi-factor authentication for all non-console administrative access and remote access to the cardholder data environment.

Requirement 9: Restrict physical access to cardholder data

While this requirement pertains to restricting physical access to systems in the cardholder data environment, it also covers backup and disaster recovery of systems and applications. Scheduled backup to a secure offsite location and restore from a backup server are fully supported across Orchestrator and EdgeConnect.

Requirement 10: Track and monitor all access to network resources and cardholder data

See the response for Requirement 8. However, organizations must design internal processes to address safeguards for all personnel and procedures as they apply to the SD-WAN.

Requirements 7, 11, and 12 are not applicable to the Unity EdgeConnect SD-WAN edge platform.

Network Micro-Segmentation to Limit the Scope and Cost of Assessments

The PCI DSS standard strongly recommends the use of network segmentation because it can reduce the cost and scope of PCI DSS assessments, make it easier to implement and maintain controls, and reduce risk to the organization (see the Network Segmentation text box above). Silver Peak provides a simple, reliable way to implement end-to-end micro-segmentation through zone-based firewall features and virtual WAN overlays that span LANs, WANs, and data centers.

With EdgeConnect zone-based firewall capabilities, administrators can create secure zones, assign applications to them, and create unique security policies for each zone. The policies can completely block access between zones, allow traffic in one direction only, or restrict inter-zone traffic to specific uses. Orchestrator dynamically updates policies when the underlying infrastructure changes. These capabilities help isolate cardholder data environments from the rest of the organization's network.

Zones work with another core capability of the Silver Peak SD-WAN architecture: application-specific virtual WAN overlays. These overlays abstract network traffic flows for business processes from the physical transport resources underneath. Multiple virtual WAN overlays can be created and defined, each with its own QoS, reliability, and security parameters. A virtual WAN overlay may consist of one, two or more WAN services, including MPLS, internet, and LTE, aggregated together to create a bonded tunnel. Each overlay is a secure, 256-bit encrypted tunnel providing segmentation edge-to-edge.
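The Requirement 8 text above says passwords are salted before hashing and that a default-password warning cannot be cleared until the default is changed. The following is an added example written for this page, not Silver Peak's code, of what that credential store looks like in practice: a random per-user salt, PBKDF2-HMAC-SHA256 with an iteration count from current OWASP guidance, a constant-time comparison on verification, and a default-password check that works against the stored hash without ever keeping the plaintext. The record format, the iteration count and the "admin" default are assumptions for the example.

```python
"""Salted password storage and verification.

Added example for the Requirement 8 discussion; it is not Silver Peak's
implementation. Record format, iteration count and the default-password
list are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from typing import Iterable

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # OWASP (2023) guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per password means two users with the same
    password get different records, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, derived_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(derived_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed record: never "accidentally" authenticate
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


# Constructed list of factory defaults to warn about; not a real product default.
DEFAULT_PASSWORDS = ("admin",)


def uses_default_password(stored: str, defaults: Iterable[str] = DEFAULT_PASSWORDS) -> bool:
    """Requirement 2 check: is this account still on a vendor default?

    Only the salted hash is stored, so the check is a verification against
    each known default rather than a plaintext comparison.
    """
    return any(verify_password(candidate, stored) for candidate in defaults)


if __name__ == "__main__":
    record = hash_password("admin")
    print("stored record:", record)
    print("default password still in use:", uses_default_password(record))
    record = hash_password("correct horse battery staple")
    print("default password still in use:", uses_default_password(record))
```

The record carries its own algorithm and iteration count, so the count can be raised later for new passwords while old records still verify; a login that verifies against an old count is the natural point to re-hash with the current one.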
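The zone-based firewall description above (block all access between zones, allow traffic in one direction only, or restrict inter-zone traffic to specific uses) and the PCI scoping argument in the Network Segmentation text box can be made concrete with a small policy model. The following is an added example, not Silver Peak's configuration format or code: constructed zones, a first-match rule list with an implicit default deny, and a helper that derives which zones an assessor would treat as connected to the cardholder data environment from the allow rules alone. The zone names, prefixes and rules are assumptions; return traffic for an allowed connection is assumed to be handled by connection tracking rather than by a reverse rule.

```python
"""Zone-based segmentation policy model.

Added example for the micro-segmentation discussion; not Silver Peak's
data model. Zones, addressing and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed sample zones (documentation prefixes, not a real deployment).
ZONES: Dict[str, List[str]] = {
    "CDE": ["10.10.0.0/16"],        # POS terminals and payment servers
    "PaymentGW": ["192.0.2.0/24"],  # acquirer-side gateway reached over the WAN
    "Corporate": ["10.20.0.0/16"],  # ordinary office users
    "GuestWiFi": ["10.30.0.0/16"],  # guest wireless
}
UNTRUSTED = "Untrusted"  # anything outside the defined zones (internet)
ANY = None               # wildcard for protocol or port in a rule


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    protocol: Optional[str]   # "tcp", "udp" or ANY
    dst_port: Optional[int]   # port number or ANY
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


# Constructed policy. First match wins; anything unmatched is denied.
POLICY: List[Rule] = [
    # One direction only: the CDE initiates to the gateway, never the reverse.
    Rule("CDE", "PaymentGW", "tcp", 443, "allow"),
    Rule("CDE", "CDE", ANY, ANY, "allow"),              # intra-zone traffic
    Rule("Corporate", "Corporate", ANY, ANY, "allow"),
    Rule("Corporate", UNTRUSTED, ANY, ANY, "allow"),    # office internet access
    Rule("GuestWiFi", UNTRUSTED, ANY, ANY, "allow"),    # guests go straight out
    # No rule touches GuestWiFi->CDE or Corporate->CDE, so those fall to default deny.
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are Untrusted."""
    addr = ip_address(ip)
    for zone, prefixes in ZONES.items():
        if any(addr in ip_network(prefix) for prefix in prefixes):
            return zone
    return UNTRUSTED


def _matches(rule: Rule, flow: Flow, src_zone: str, dst_zone: str) -> bool:
    return (
        rule.src_zone == src_zone
        and rule.dst_zone == dst_zone
        and rule.protocol in (ANY, flow.protocol)
        and rule.dst_port in (ANY, flow.dst_port)
    )


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Return the action for a new connection: first matching rule, else deny."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    for rule in policy:
        if _matches(rule, flow, src_zone, dst_zone):
            return rule.action
    return "deny"  # implicit default deny between zones


def zones_connected_to(target: str, policy: List[Rule] = POLICY) -> Set[str]:
    """Zones with any allowed path to or from `target`.

    These are the connected-to systems an assessor pulls into PCI scope;
    a zone absent from this set has been segmented out of the assessment.
    """
    connected: Set[str] = set()
    for rule in policy:
        if rule.action != "allow":
            continue
        if rule.src_zone == target and rule.dst_zone != target:
            connected.add(rule.dst_zone)
        if rule.dst_zone == target and rule.src_zone != target:
            connected.add(rule.src_zone)
    return connected


if __name__ == "__main__":
    pos_to_gateway = Flow("10.10.5.20", "192.0.2.10", "tcp", 443)
    gateway_to_pos = Flow("192.0.2.10", "10.10.5.20", "tcp", 443)
    guest_to_pos = Flow("10.30.1.1", "10.10.5.20", "tcp", 443)
    for flow in (pos_to_gateway, gateway_to_pos, guest_to_pos):
        print(zone_of(flow.src_ip), "->", zone_of(flow.dst_ip), flow.dst_port, evaluate(flow))
    print("zones in scope alongside the CDE:", sorted(zones_connected_to("CDE")))
```

Running the model shows the two properties the text promises: the reverse of the one-directional rule is denied even though the same ports are involved, and only PaymentGW is connected to the CDE, so Corporate and GuestWiFi stay out of scope as long as no allow rule is later added between them and the CDE.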

Virtual overlays help extend micro-segmentation over the WAN. For example, a virtual WAN overlay can be created to transport a financial application with specific QoS and security requirements, while guest Wi-Fi traffic is isolated and handled across another virtual overlay. Secure application segmentation across the SD-WAN enables enterprise IT administrators to enforce compliance requirements when conducting credit card transactions that span multiple locations.

Figure 2: Application-specific WAN overlays extend micro-segmentation across the WAN. Overlays shown: guest Wi-Fi and non-credit-card applications; credit card applications; VoIP and video; all carried over the underlying transports.

Beyond Compliance

The Silver Peak Unity EdgeConnect SD-WAN edge platform enables customers to simplify PCI DSS compliance, and much more. It also helps them create business-driven networks where resources are deployed to match the business priority of every application. Application users enjoy a high quality of experience, IT and networking professionals benefit from improved network visibility and simplified management, and businesses are able to increase agility and lower costs related to networks and IT security.

FOOTNOTES
[1] e
[2] Payment Card Industry (PCI) Data Security Standard, v3.2.1, page 5

Silver Peak Systems, Inc., 2860 De La Cruz Blvd., Santa Clara, CA 95050. Phone: 1 888 598 7325; Local: 1 408 935 1800. Email: info@silver-peak.com. Website: www.silver-peak.com

© 2019 Silver Peak Systems, Inc. All rights reserved. Silver Peak, the Silver Peak logo, and all Silver Peak product names, logos, and brands are trademarks or registered trademarks of Silver Peak Systems, Inc. in the United States and/or other countries. All other product names, logos, and brands are property of their respective owners. FORM-PCI-COMPLIANCE-062019
