Peter Guidi's Blog

Archive for the ‘CISO’ Category

Untangling Internal Scanning: how zone routers impact PCI scanning requirements

In CISO, Internal Scanning, PCI, Petroleum retailing, Uncategorized, Zone Routers on December 20, 2016 at 1:58 pm

Retailers who are evaluating how to maintain PCI compliance are likely to hear the word “scan” from third party compliance providers, or as a part of a letter from your acquiring bank.  The evolution of the POS EPS and move to POS IP connectivity for payment and loyalty has introduced new complexity to PCI scanning requirement. Retailers with newer POS now have an EPS as a part of their system. The EPS sits between the POS and the Front-End Processors and separates the card processing from the POS system creating both the Card Data Environment and Non-Card Data Environment. One result of this configuration is the need for a “Zone Router”. The Zone Router is typically installed behind the Store Router/Firewall/Gateway and Store LAN and in front of the POS/EPS. Retailers with Zone Routers need to consider how this technology impacts their responsibility for Internal Scanning

 PCI DSS v3.0 chapter 11.2 says that you must “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network”. What “significant change” means is open to interpretation by the QSA, but could mean; new system component installations, changes in network topology, firewall rule modifications, product upgrades or almost anything touching the network.

For many Retailers, their expectation is that a single scan will satisfy PCI DSS requirements. For most merchants, however, the requirement is to conduct at least two separate scans: one from the inside (i.e., an “internal scan”) and one from the outside (i.e., an “external scan”). External vulnerability scans look for holes in the store perimeter firewall(s), where malicious outsiders can break in and attack the network. Internal vulnerability scans operate inside the store perimeter firewall to identify real and potential vulnerabilities inside the business network. Retailers with a Zone Router installed must perform three scans; external, and internal scans both within the CDE and Non-CDE.

Internal and External scans are critical components to maintaining PCI and protecting the network and hence, the business from attack by data thieves.  Like loss prevention, internal scanning is a hedge against disgruntled employees who have targeted systems from the inside, or malware, such as viruses or Trojans, that are downloaded onto a networked computer via the Internet or a USB stick. Once the malware is on the internal network, it sets out to identify other systems and services on the internal network—especially services it would not have been able to “see” from the Internet. Internal scans search the internal network for threats to assure the business valuable assets are properly secured.

The challenges of scanning within the CDE for POS systems with Zone Router is new and not all POS systems have defined how to manage this requirement. Retailers seeking managing a new set of scans, particularly for organizations managing centralized scanning engines, will find this requirement adds cost and time to compliance activities. When implementing a Zone Router, Retailers should consider how they will manage all three separate scanning requirements inside of a single actionable approach to their vulnerability scanning.