VERIFONE ENHANCED ZONE ROUTER

WHITE PAPER

Security, remote management, and network connectivity offering more solutions for your c-store.


SUMMARY

The Verifone Enhanced Zone Router is designed for customers to implement a fully PCI DSS compliant solution and replaces the network security appliance previously supplied with Sapphire and Commander Petro products. Like the previous Verifone solution, the Enhanced Zone Router fully supports a single POS installation and is easily expandable to support additional devices. Time synchronization is maintained via NTP through the remote management connection, giving consistent event log timestamps. The Enhanced Zone Router is a managed service appliance that provides the following features:

• Port forwarding
• Intrusion detection
• AES encryption
• X.509 certificates (DER and PEM formats)
• Dynamic IP address endpoints
• Multiple subnet capability
• PCI DSS compliant remote Helpdesk support using two-factor authentication

The Enhanced Zone Router is a key security component for the overall POS architecture.

BENEFITS

The Enhanced Zone Router meets PCI 3.x requirements for remote multi-factor authentication (MFA) and provides segmentation of the POS LAN from the customer LAN to help reduce the scope of PCI DSS assessments. In situations where the site has no broadband access, the Enhanced Zone Router offers only a basic configuration User Interface.

While maintaining the segmentation functions, the User Interface can also be used to configure IP addressing for installations that do not use DHCP. This UI does not support console-level administrative functions such as data inspection, port replication, etc.

Remote management of the Enhanced Zone Router allows scalable solutions that meet specific customer requirements. The previous solution required changes to be made through a software configuration utility. Because the Enhanced Zone Router is remotely managed, only the minimum allowable connectivity into and out of the POS LAN is enabled. As a remotely managed device, the Enhanced Zone Router is kept updated with required security patches. The Verifone Enhanced Zone Router solution provides RFC 5424 compliant logs, which can be directed to a customer-provided endpoint [SIEM].

Enhanced Zone Router configuration changes are logged and monitored. Using the site’s broadband service, the Enhanced Zone Router establishes a secure connection for device management to Verifone’s selected device management provider. It is pre-configured and supports DHCP, eliminating the need to set up port forwarding and static IP addresses.

With the Enhanced Zone Router in place, Verifone helpdesk traffic is controlled entirely by access to the Enhanced Zone Router datacenter endpoint. RSA multi-factor authentication is configured per help desk agent to the managed network, ensuring only authorized helpdesk personnel can access a site. No Verifone personnel have privileged access to the Enhanced Zone Router. Supplemental controls such as complex workstation passwords and session timeouts enhance the security solution.

THE SOLUTION

Verifone has chosen industry leading network providers to deliver the new Enhanced Zone Router. The solution includes remote security and device patch management. With multi-megabit throughput, the platform provides an extensible architecture designed to accommodate needs of today and for the future.


TODAY’S DELIVERABLE

In today’s complex security environment, the Enhanced Zone Router provides an end-to-end, scalable, managed and secure PCI compliant solution.

PCI DSS v3.1 is challenging all merchants with higher security standards. Verifone’s Support Services fall within a merchant’s PCI DSS requirements for third-party service providers who interact with the cardholder data environment. As such, Verifone seeks to enable the merchant’s ability to meet these standards through the implementation of our Secure Remote Help Desk Services. Through a hardened methodology of securing connectivity with two-factor authentication, access control of authorized agents, diligence in monitoring and alerting, and working closely with a PCI Qualified Security Assessor (QSA) to provide documented evidence against applicable security requirements, Verifone provides its customers with a level of confidence not found in the industry.

VERIFONE PETRO SECURE REMOTE ACCESS SUPPORT

FACILITATING PCI COMPLIANT HELP DESK CONNECTION

[Diagram: Petro Help Desk Agents with soft token → RSA Auth Request to RSA Admin Server with tokens → Windows Terminal Server (2-factor login) → Bastion Host → IPsec/VPN tunnel → Secure Network Cloud (secure connection management appliances, store LAN). VFI Corp Domain and VFI PCI Domain are separated; session logs go over an IPsec/VPN tunnel to the Verifone LogRhythm SIEM.]

Managed through a custodial chain-of-command methodology, access to the secure network is either granted or revoked via an RSA MFA system. Each authorized Verifone Help Desk agent is assigned a unique username and two-factor soft token to authenticate with a Verifone Windows Terminal Server. Upon successful authentication, an IPsec VPN tunnel is established into the secure cloud. Terminal Server sessions help to insulate the customer network from Verifone’s network. As an additional measure of security, each Help Desk Agent must be granted local store network access to the Verifone Commander via a software toggle located on the POS inside the store.


Once access is granted a Help Desk Agent will only be allowed to access Verifone POS devices for support and troubleshooting. No Verifone access is granted to the EZR or any other networking appliance on the store LAN; thus eliminating the ability to alter network configuration.


In addition to access control security, Verifone has implemented access control logging, monitoring and alerting. Sessions are monitored from the start of the initial Terminal Server connection through disconnection from the secure network. PCI DSS compliant log data is processed and stored in Verifone’s LogRhythm SIEM server.

This data is analyzed in real-time and provides the security team the ability to alert and quickly act on any suspicious activity. All of the access and management servers are housed in a PCI compliant data center to further harden the security of the system.


FAQ

1. How do we perform our annual vulnerability and penetration tests as required by PCI?

The Verifone Enhanced Zone Router is a network access device. With change management processes defined and implemented, vulnerability and/or penetration tests can be executed.

2. How do I, as the merchant, monitor, log and audit the Verifone Zone Router for PCI DSS compliance?

Utilizing industry-compliant RFC 5424 logging, the required information can be directed to a customer-provided endpoint [SIEM].
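The RFC 5424 log feed named in FAQ 2 (and in the remote management section) is what the merchant's own SIEM would consume. As an added example, not Verifone code and not the appliance's actual message layout, the Python below parses RFC 5424 lines, decodes facility and severity from the PRI field, and flags configuration changes and failed remote logins over constructed sample lines; the host name, MSGIDs, SD-IDs and parameter names are placeholders.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$"
)
_SD_PARAM = re.compile(r'([\w.@-]+)="((?:[^"\\]|\\.)*)"')  # PARAM-NAME="PARAM-VALUE"

def parse(line: str) -> dict:
    """Parse one RFC 5424 line into a dict; raises ValueError on anything else."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError(f"not RFC 5424: {line!r}")
    pri = int(m["pri"])
    params = {}
    if m["sd"] != "-":
        for name, value in _SD_PARAM.findall(m["sd"]):
            params[name] = re.sub(r'\\(["\\\]])', r"\1", value)  # undo RFC 5424 escaping
    return {
        "facility": pri // 8, "severity": pri % 8,  # PRI encodes both; 0=emerg .. 7=debug
        "timestamp": m["ts"], "host": m["host"], "msgid": m["msgid"],
        "params": params, "msg": m["msg"] or "",
    }

# Constructed sample lines: host, MSGIDs and SD-IDs are placeholders, not the appliance's
# real format. 32473 is the enterprise number RFC 5424 reserves for documentation.
SAMPLE_LOG = """\
<86>1 2021-03-04T10:15:02.123Z ezr-store0042 ezr 1234 LOGIN [auth@32473 user="agent17" result="ok" method="rsa-mfa"] remote helpdesk session opened
<84>1 2021-03-04T10:16:45.001Z ezr-store0042 ezr 1234 CFGCHG [cfg@32473 key="fw.rule.7" old="deny" new="allow" by="vasc02"] firewall rule changed
<86>1 2021-03-04T10:17:10.500Z ezr-store0042 ezr 1234 LOGIN [auth@32473 user="agent99" result="fail" method="rsa-mfa"] MFA token rejected
<85>1 2021-03-04T11:00:00.000Z ezr-store0042 ezr 1234 CFGDRIFT - running config differs from registered baseline
"""

CONFIG_MSGIDS = {"CFGCHG", "CFGDRIFT"}  # constructed MSGIDs for configuration-change events

def alerts(log_text: str) -> list:
    """Return (msgid, reason) for each event a merchant SIEM rule should raise on."""
    out = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["msgid"] in CONFIG_MSGIDS:
            out.append((ev["msgid"], "config change on " + ev["host"]))
        elif ev["msgid"] == "LOGIN" and ev["params"].get("result") != "ok":
            out.append((ev["msgid"], "failed login for " + ev["params"].get("user", "?")))
        elif ev["severity"] <= 4:  # warning or worse, regardless of MSGID
            out.append((ev["msgid"], "severity %d" % ev["severity"]))
    return out
```

Pointing the router's syslog output at a collector that runs `alerts()` over each batch gives the merchant an audit trail of configuration changes independent of the managed-service provider.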

3. Does the Enhanced Zone Router use a generic account for access and support?

All access to generic accounts has been disabled. Only Verifone’s authorized Petro client support organization has access to the secured network via the Verifone Zone Router. This scope is limited to only users assigned to support the client merchant environment and requires RSA 2-factor authentication to access the merchant network.

4. How are user accounts managed?

User access governance is managed by an RSA identity management system. This system is housed within Verifone’s data center and managed in accordance with PCI DSS requirements.

5. Does anyone with POS software programming capabilities have access to the Verifone Zone Router?

No. For Tier 3 support purposes any developer needing access will be overseen by an authorized Petro client support organization representative to resolve customer issues.


6. Does a VASC/Technician have the ability to change, open/close ports on the Verifone Zone Router?

Limited configuration functionality may be made available for a VASC. At install, the initial registration and configuration are stored in the secure cloud. Any deltas post-install are tracked hourly and trigger alerts to security support for appropriate incident response procedures.

© 2015 Verifone, Inc. All rights reserved. Verifone and the Verifone logo are either trademarks or registered trademarks of Verifone in the United States and/or other countries. All other trademarks or brand names are the properties of their respective holders. All features and specifications are subject to change without notice. Reproduction or posting of this document without prior Verifone approval is prohibited.
