Meeting PCI DSS v3.2.1 Merchant Requirements With WatchGuard UTM and Total Security, Multi-Factor Authentication, and Wireless Solutions
  
17 Mar 2020
 
 
PCI DSS COMPLIANCE
 
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) protects card data at your business through a set of requirements established by the PCI Security Standards Council (PCI SSC). These include a number of widely known best practices, such as:
  • Installation of firewalls
  • Encryption of data transmissions
  • Use of antivirus software
  • Use of intrusion prevention systems
  • Detection of rogue access points
  • Deployment of multi-factor authentication
In addition, businesses must restrict access to cardholder data and monitor access to network resources.
PCI-compliant security gives customers confidence that your business can handle transactions safely, and the cost of noncompliance, in fines, liability and reputation, should be enough to convince any business owner to take data security seriously. The investment in WatchGuard Total Security Suite also protects the rest of your business from the same attackers, because the controls PCI DSS requires are the same ones that stop everyday intrusions.
 
PCI DSS MERCHANT LEVELS
 
Merchant levels are defined by the card brands (Visa, Mastercard and the others), not by the PCI SSC, and are based on the annual number of credit or debit card transactions a merchant processes. The level determines how compliance must be validated each year. The commonly used thresholds are:
  • Level 1 – Merchants processing more than six million card transactions annually. They must undergo an annual on-site assessment, documented in a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or by an internal assessor if the report is signed by an officer of the company. They must also pass a quarterly network scan by an Approved Scanning Vendor (ASV).
  • Level 2 – Merchants processing between one and six million card transactions annually. They complete an annual Self-Assessment Questionnaire (SAQ) and, depending on the SAQ type, a quarterly ASV scan.
  • Level 3 – Merchants processing between 20,000 and one million e-commerce transactions annually. They complete the relevant SAQ annually; a quarterly ASV scan may also be required.
  • Level 4 – Merchants processing fewer than 20,000 e-commerce transactions annually, or up to one million card-present transactions annually. They complete the relevant SAQ annually; a quarterly ASV scan may also be required.
A card brand can also place a merchant that has suffered a breach at Level 1 regardless of its transaction volume.
PCI DSS REQUIREMENTS
 
The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. They are grouped under six goals, and all twelve must be met for an enterprise to be compliant.
 
CATEGORY                          REQUIREMENT
SECURE NETWORK                    1. Install and maintain a firewall configuration to protect cardholder data
                                  2. Do not use vendor-supplied defaults for system passwords and other security parameters
SECURE CARDHOLDER DATA            3. Protect stored cardholder data
                                  4. Encrypt transmission of cardholder data across open, public networks
VULNERABILITY MANAGEMENT          5. Protect all systems against malware and regularly update antivirus software or programs
                                  6. Develop and maintain secure systems and applications
ACCESS CONTROL                    7. Restrict access to cardholder data by business need-to-know
                                  8. Identify and authenticate access to system components
                                  9. Restrict physical access to cardholder data
NETWORK MONITORING AND TESTING    10. Track and monitor all access to network resources and cardholder data
                                  11. Regularly test security systems and processes
INFORMATION SECURITY POLICY       12. Maintain a policy that addresses information security for all personnel
 
PCI DSS 3.2.1 UPDATE
The PCI SSC, headquartered in Massachusetts, published PCI DSS v3.2 on April 28, 2016, replacing v3.1. That update included clarifications of existing requirements, new or evolving requirements, and additional guidance. PCI DSS v3.2.1, released in May 2018, added further clarifications without introducing new requirements. The changes most relevant to this document are listed below. Note that only 8.3.1 applies to merchants; 10.8, 10.8.1, 11.3.4.1 and 12.11 are additional requirements for service providers, although a merchant that also provides services to other entities may be assessed against them.
 
REQ #     DESCRIPTION
8.3.1     Incorporate multi-factor authentication for all non-console access into the cardholder data environment (CDE) for personnel with administrative access.
10.8      Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to a failure of:
  • Firewalls
  • IDS/IPS
  • FIM
  • Antivirus
  • Physical access controls
  • Logical access controls
  • Audit logging mechanisms
  • Segmentation controls (if used)
10.8.1    Additional requirement for service providers only: Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
  • Restoring security functions
  • Identifying and documenting cause(s) of failure, including root cause, and documenting the remediation required to address the root cause
  • Identifying and addressing any security issues that arose during the failure
  • Performing a risk assessment to determine whether further actions are required as a result of the security failure
  • Implementing controls to prevent the cause of failure from recurring
  • Resuming monitoring of security controls
11.3.4.1  Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
12.11     Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
  • Daily log reviews
  • Firewall rule-set reviews
  • Applying configuration standards to new systems
  • Responding to security alerts
  • Change management processes
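The detection side of 10.8 is easy to state and easy to get wrong: a control that silently stops reporting is as much a failure as one that reports an error. The following is an added example, not WatchGuard code, of the minimal logic: every critical control is expected to emit a periodic heartbeat, and the detector flags any control whose latest record is an error, whose last heartbeat is older than its expected interval, or that has never reported at all. The log lines, control names and intervals are constructed for illustration.

```python
"""Detecting failures of critical security controls (PCI DSS 10.8).

Added example, not WatchGuard code. Each control is expected to emit a
periodic heartbeat; a control that reports an error, or whose last heartbeat
is older than its expected interval, or that never reports, is flagged.
The log lines, control names and intervals below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed heartbeat log, one line per control check-in.
SAMPLE_LOG = """\
2020-03-17T09:00:00Z control=firewall status=ok
2020-03-17T09:00:00Z control=ips status=ok
2020-03-17T09:00:05Z control=antivirus status=ok
2020-03-17T09:02:00Z control=fim status=error msg="agent stopped"
2020-03-17T09:05:00Z control=firewall status=ok
2020-03-17T09:05:00Z control=ips status=ok
"""

# Constructed expectations: how often each control must check in (minutes).
EXPECTED_INTERVAL_MIN = {
    "firewall": 5,
    "ips": 5,
    "antivirus": 5,
    "fim": 10,
    "audit_logging": 5,   # never appears in SAMPLE_LOG, so it must be flagged
}

# Point in time at which the sample is evaluated (constructed).
EXAMPLE_NOW = datetime(2020, 3, 17, 9, 8, 0, tzinfo=timezone.utc)

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"


def parse_line(line):
    """Return (timestamp, fields) for an 'ISO8601Z key=value ...' line, else None."""
    ts_str, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in _KV.finditer(rest)}
    return ts, fields


def detect_failures(log_text, now, expected=EXPECTED_INTERVAL_MIN):
    """Map control name -> reason for every control considered failed at `now`."""
    latest = {}   # control -> (timestamp, fields) of its newest line
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or "control" not in parsed[1]:
            continue
        ts, fields = parsed
        name = fields["control"]
        if name not in latest or ts > latest[name][0]:
            latest[name] = (ts, fields)

    failures = {}
    for name, minutes in expected.items():
        if name not in latest:
            failures[name] = "no heartbeat received"
            continue
        ts, fields = latest[name]
        if fields.get("status") != "ok":
            failures[name] = "reported %s: %s" % (fields.get("status"), fields.get("msg", ""))
        elif now - ts > timedelta(minutes=minutes):
            failures[name] = "stale: last heartbeat %s" % ts.isoformat()
    return failures


if __name__ == "__main__":
    for control, reason in sorted(detect_failures(SAMPLE_LOG, EXAMPLE_NOW).items()):
        print("%-14s %s" % (control, reason))
```

At 09:08 the firewall and IPS are healthy, the antivirus heartbeat is almost eight minutes old, FIM has reported an error and audit logging has never checked in, so three of the five controls are reported. In a real deployment the heartbeats come from the devices' own logs (firewall, host sensors, log collector), and the output of a detector like this feeds the 10.8.1 response process.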

 

PCI DSS AND WATCHGUARD TOTAL SECURITY SUITE

WatchGuard’s Total Security Suite bundles 13 integrated security modules, managed under a single policy framework, and adds visibility and control over data loss on the network and the endpoint as well as data discovery across enterprise storage systems. Its combined approach to network segmentation, protection and detection makes WatchGuard an award-winning choice for organizations where PCI compliance is a must.

 
IMPLEMENTATION GUIDANCE
 
Products required:
  • WatchGuard Firebox UTM
  • WatchGuard Threat Detection and Response
  • WatchGuard AuthPoint
  • Total Security Suite Subscription
  • WatchGuard Cloud 
RECOMMENDED DEPLOYMENT:
 
Product sets: (A) UTM Firewall + Basic Security Suite; (B) UTM Firewall + Total Security Suite + AuthPoint; (C) Cloud Wi-Fi. Each requirement lists the product sets that contribute to it; "none" means no product set addresses the requirement on its own.
Requirement 1 – Install and maintain a firewall configuration to protect cardholder data: A, B
Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters: A, B
Requirement 3 – Protect stored cardholder data: none
Requirement 4 – Encrypt transmission of cardholder data across open, public networks: A, B, C
Requirement 5 – Protect all systems against malware and regularly update antivirus software or programs: B
Requirement 6 – Develop and maintain secure systems and applications: A, B, C
Requirement 7 – Restrict access to cardholder data by business need-to-know: B
Requirement 8 – Identify and authenticate access to system components: B
Requirement 9 – Restrict physical access to cardholder data: none
Requirement 10 – Track and monitor all access to network resources and cardholder data: A, B, C
Requirement 11 – Regularly test security systems and processes: A, B, C
Requirement 12 – Maintain a security policy that addresses information security for all personnel: none
 
ZONED NETWORKS
 
As required by PCI DSS, WatchGuard UTM’s application proxy technology provides detailed control over the traffic that passes between network zones. Customizable and easy-to-configure firewall policy creation enables administrators to block all traffic by default and to define which traffic is allowed to pass between zones, including protocols, ports, content types (e.g., MIME types, 37+ file types, and URLs) and verbs (e.g., HTTP GET). 
WatchGuard Total Security Suite lets businesses use every component of WatchGuard’s UTM appliance – including APT Blocker, Data Loss Prevention, Gateway AntiVirus, IntelligentAV, Reputation Enabled Defense, Intrusion Prevention Service, WebBlocker, Network Discovery, Application Control, spamBlocker, Access Portal, DNSWatch, and Threat Detection & Response – providing a comprehensive network defense in pursuit of PCI DSS compliance.
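The policy model described above, block by default and allow named flows between zones, is what a segmentation assessor checks. The following is an added example, not WatchGuard code or Firebox policy syntax, that models it in plain Python: addresses are classified into zones by longest-prefix match, a first-match allow-list is evaluated with an implicit deny at the end, and a helper lists every allow rule that lets another zone initiate traffic into the CDE, since those are the rules that widen PCI DSS scope and must be justified and covered by segmentation testing. Zone names, address ranges and rules are constructed for illustration.

```python
"""Default-deny policy between network zones (PCI DSS Requirement 1).

Added example, not WatchGuard code. Zone names, address ranges and rules
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zones; a real deployment maps each to a firewall interface or VLAN.
ZONES = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),        # POS terminals, payment server
    "corp": ipaddress.ip_network("10.20.0.0/24"),       # back-office workstations, jump host
    "guest": ipaddress.ip_network("192.168.50.0/24"),   # customer Wi-Fi
    "external": ipaddress.ip_network("0.0.0.0/0"),      # everything else (Internet)
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int
    action: str     # "allow" or "deny"


# Constructed allow-list. First match wins; anything unmatched is denied.
POLICY = [
    Rule("cde", "external", "tcp", 443, "allow"),   # POS -> payment gateway over TLS (Req. 4)
    Rule("corp", "cde", "tcp", 22, "allow"),        # admin SSH from jump host; pair with MFA (Req. 8.3.1)
    Rule("cde", "corp", "udp", 514, "allow"),       # syslog from the CDE to the log collector (Req. 10)
]


def zone_of(ip: str) -> Optional[str]:
    """Classify an address by longest-prefix match, so 0.0.0.0/0 only catches
    what no more specific zone claims."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, Optional[Rule]]:
    """Return (action, matched_rule) for a new connection. No match means deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (src, dst, proto.lower(), dport):
            return rule.action, rule
    return "deny", None   # implicit default deny


def flows_into_cde(policy: List[Rule] = POLICY, cde_zone: str = "cde") -> List[Rule]:
    """Allow rules that let another zone initiate traffic into the CDE. Each one
    widens PCI DSS scope and must be justified and tested, or removed."""
    return [r for r in policy
            if r.action == "allow" and r.dst_zone == cde_zone and r.src_zone != cde_zone]


if __name__ == "__main__":
    # Constructed sample flows: (src, dst, proto, port)
    for flow in [("10.10.0.5", "203.0.113.10", "tcp", 443),    # POS to gateway: allowed
                 ("192.168.50.10", "10.10.0.5", "tcp", 443),   # guest Wi-Fi to POS: denied
                 ("10.20.0.7", "10.10.0.5", "tcp", 3389)]:     # RDP into the CDE: denied, never listed
        print(flow, "->", evaluate(*flow)[0])
    print("rules to cover in segmentation testing:", flows_into_cde())
```

The RDP attempt is denied not because a rule says so but because nothing allows it; that implicit deny is the property a segmentation test verifies by actually attempting connections from each out-of-scope zone into the CDE. The only inbound rule into the CDE here is administrative SSH from the corporate zone, which is exactly the access 8.3.1 requires to be protected with multi-factor authentication.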
 
MONITOR CARDHOLDER DATA ACCESS
Practical monitoring of all network components is best implemented with WatchGuard’s visibility tools, WatchGuard Cloud and WatchGuard Dimension. WatchGuard Cloud Visibility comes standard with the Firebox UTM platform. It provides big-data visibility and reporting tools that isolate key security issues and trends from firewall log data, which helps administrators set meaningful security policies across the network. Both WatchGuard Cloud Visibility and Dimension include a dashboard and a set of reports specifically for PCI compliance. When planning monitoring for Requirement 10, cover at least the following:
  • Integration with the chosen identity management solution and complete logging of all authentication events, successful and failed.
  • A comprehensive audit trail of all changes to the firewall configuration.
  • The actions of the IDS, IPS, DLP and antivirus components, which must also be logged.
  • Wireless networks, which need special attention because radio traffic is exposed to anyone in range; every precaution must be taken to protect them against wireless attacks.
Ask your WatchGuard partner to see a sample, generated by WatchGuard Cloud Visibility, for a more complete look at the kind of information WatchGuard can correlate for your business to achieve and maintain PCI compliance. For on-premises requirements, WatchGuard Dimension is also available. 
 
THREAT DETECTION AND RESPONSE
 
WatchGuard Threat Detection and Response is a collection of advanced malware defense tools that correlate threat indicators from Firebox appliances and Host Sensors to stop known, unknown and evasive malware threats. At its core is ThreatSync, a Cloud-based correlation engine that analyzes event data from Host Sensors and Firebox appliances to identify malicious behavior. Threats are scored based on severity for automated remediation. TDR is licensed as part of WatchGuard’s Total Security Suite and addresses key anti-malware requirements as part of PCI DSS.
 
DNS-BASED PROTECTION
 
WatchGuard’s DNSWatch is a DNS-based service that applies threat intelligence to outbound network traffic. DNSWatch is included with Total Security Suite, which bundles all the features of a UTM appliance built for today’s threat landscape. Combining analysis from 37+ threat intelligence feeds with its own detection capabilities, DNSWatch blocks phishing and malware domains at the DNS layer, before a malicious domain resolves to its destination, so a user who clicks a link never reaches the attacker’s server. It can also redirect the user to training content, supporting automated, behavior-based anti-phishing training that strengthens your organization’s first line of defense: its employees.
 
MULTI-FACTOR AUTHENTICATION
 
WatchGuard’s AuthPoint service provides the multi-factor authentication (MFA) that Requirement 8.3.1 demands for administrative access into the CDE, and supports the authentication, authorization and accounting (AAA) model. AuthPoint integrates with RADIUS clients such as firewalls and VPN gateways, with applications through Security Assertion Markup Language (SAML) 2.0, and issues one-time passcodes (OTP) that still work when the user’s device is off the network. With a mobile application for iOS and Android and centralized cloud management, AuthPoint covers both the on-premises and the remote workforce.
 
WIRELESS PROTECTION
 
WatchGuard access points (APs) help merchants prepare for PCI compliance by adding wireless monitoring on the 802.11ac platform. Requirement 11.1 calls for quarterly detection of authorized and unauthorized wireless access points, and the wireless intrusion prevention system (WIPS) in WatchGuard APs, which can monitor up to 2,000 active wireless devices per AP sensor, automates that detection. Compliance and security officers can lock trusted devices to authorized networks, keep cardholder data processing systems off untrusted wireless, and block rogue or ‘evil twin’ (honeypot) access points.
 
SUMMARY
 
No single vendor or solution can deliver complete compliance with the Payment Card Industry Data Security Standard. The WatchGuard family of UTM products gives merchants the means to build a thorough set of policies, processes and practices, including network segmentation, supported by the technical countermeasures needed to enforce them. Keep in mind that segmentation only reduces PCI DSS scope if it is verified: Requirement 11.3.4 requires penetration testing of segmentation controls at least annually and after any change to them. In this regard, the WatchGuard UTM security platform delivers:
  • strong least-privilege access and authentication controls for segmenting the cardholder data environment
  • support for a considerable cross-section of the PCI DSS requirements
  • capabilities that go beyond the PCI DSS baseline to protect cardholder data more thoroughly

If you have additional questions on WatchGuard, please, write us at watchguard@bakotech.com.
