Industry Trends

Q&A: How Fortinet is Helping Retailers Meet PCI DSS Requirements

By John Welton | October 10, 2016

With so many high-profile security breaches of large retailers in the news recently, PCI DSS, the Payment Card Industry Data Security Standard, has become a hot topic. We recently spoke with Nirav Shah, Fortinet’s Director of Product Marketing – Enterprise Security, for his take on PCI DSS requirements and how the FortiGate family of security products can help retailers secure their stores and meet those requirements.

A Q&A with Nirav Shah

What is PCI DSS, and what do organizations need to do to comply with these requirements?

PCI DSS is a set of security standards created by the payment card industry to ensure that any company that processes and transmits credit card information can keep that information secure. The PCI standard is mandated by the major credit card brands, and is administered by the Payment Card Industry Security Standards Council. In addition to a comprehensive annual assessment to ensure that organizations are meeting these security standards, the PCI DSS also mandates that organizations perform quarterly vulnerability scans and report their results to auditors.

What are some of the basic requirements of PCI DSS?

The PCI Data Security Standard has twelve requirements designed to protect cardholder data. For retailers with hundreds or thousands of stores, the amount of cardholder and security data they are processing, analyzing, and transmitting is enormous. So ideally, all the security systems and devices that they have distributed to retail outlets and offices to meet PCI DSS requirements work together seamlessly. That is why so many large retailers are turning to Fortinet’s Security Fabric, which is able to integrate all of their security solutions into a single, collaborative security architecture. Here are four examples of how an integrated approach improves PCI DSS compliance:

1. One of the most basic requirements of PCI DSS is to install and maintain a firewall at every branch or retail outlet. But for large retailers, who are increasingly the targets of cyberattacks, it’s not enough to simply have a firewall. They first need to evaluate if that firewall is powerful enough to provide the protection they need. And with more and more retail stores and offices using WiFi, their next consideration is the security of that WiFi access point. If they don’t have secure, collaborative communication between their WiFi and firewall, they have a problem. To address this common security weakness, the FortiGate Enterprise Firewalls, including the newly launched FortiGate/FortiWifi 60E series, have been engineered to integrate your firewall and WiFi tools seamlessly together to provide unmatched speed, performance, and protection.

2. Another PCI DSS requirement is to encrypt the transmission of cardholder data across open, public networks. When transferring sensitive data to and from remote stores and branches, you have to make sure that you’re using the highest encryption standards to keep that data secure. The FortiGate 60E series introduces Fortinet’s third-generation FortiASIC SoC3 System-on-a-Chip architecture. Not only does this new architecture speed up what is already the world’s most powerful enterprise firewalls, but it also includes top-of-the-line encryption capabilities, so organizations don’t need yet another security appliance in order to optimally protect their data.

3. PCI standards also require that you use and regularly update anti-virus software on all systems commonly affected by malware. With so many users bringing their own devices and smartphones onto your network, organizations need to install something like FortiClient onto these devices to extend their network’s protection out to any connected endpoints. You can deploy FortiClient on any of these devices to provide the latest real-time anti-virus protection, as well as deliver remote security monitoring, logging, and reporting.

4. Of all the PCI DSS standards, it is that monitoring, logging and reporting requirement that can be the most difficult. If you have hundreds or thousands of branches, you need to make sure that all the security logs generated at those branches daily are being sent to the right place, and that they can be used to generate the right reports - reports that are easy to read and provide useful, relevant information. This is where FortiAnalyzer, part of the Fortinet Security Fabric’s management layer, comes into the picture. FortiAnalyzer integrates and correlates logging, analytics, and reporting into one system, allowing you to quickly identify and react to network security threats. FortiAnalyzer pulls all your various security logs together, analyzes them, and gives you a report that can instantly tell you the top applications being used on your network, your top users of bandwidth, and your top threats, so you can evaluate and respond to that immediately.

If you don’t have something like FortiAnalyzer, then you are trying to manually correlate all these logs and navigate through them in order to find useful information. This is a very difficult, time-consuming, and labor-intensive effort, and prone to missing many of the more sophisticated attacks being used today. This can also make reporting on PCI DSS compliance quarterly and annually a daunting task. FortiAnalyzer solves this problem.

We also added something new to FortiAnalyzer, called “Indicators of Compromise.” The FortiAnalyzer can scan your network and detect suspicious devices at any of the branches and alert you automatically. This is the kind of capability that retailers need to have these days to stay ahead of the increasingly sophisticated attacks being launched by cybercriminals.
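What the correlation step described in that answer looks like in practice, as an added example that is not part of the interview and not Fortinet code: the script below parses constructed key=value log lines from three branch devices (the format is modeled loosely on FortiGate syslog, but every device name, address, field name and value is an assumption made for this example), builds the top-applications, top-bandwidth and top-threats views, checks each branch's traffic against a constructed blocklist that stands in for a threat-intelligence feed, and lists destinations reached from several branches at once, which is the kind of pattern a single store's firewall cannot see on its own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines from three branch firewalls, in the key=value style
# that FortiGate syslog uses. Every device name, address, field and value here
# is made up for this example; it is not real log output.
SAMPLE_LOGS = """\
devname="branch-017" type="traffic" subtype="forward" srcip=10.17.0.21 dstip=203.0.113.10 app="HTTPS" sentbyte=1200 rcvdbyte=8400
devname="branch-017" type="traffic" subtype="forward" srcip=10.17.0.21 dstip=198.51.100.5 app="SMB" sentbyte=900000 rcvdbyte=500
devname="branch-042" type="traffic" subtype="forward" srcip=10.42.0.8 dstip=203.0.113.10 app="HTTPS" sentbyte=3000 rcvdbyte=150000
devname="branch-042" type="utm" subtype="ips" srcip=192.0.2.77 dstip=10.42.0.8 attack="Multiple.Login.Failures" severity="high"
devname="branch-042" type="traffic" subtype="forward" srcip=10.42.0.8 dstip=198.51.100.5 app="SMB" sentbyte=1500000 rcvdbyte=200
devname="branch-099" type="traffic" subtype="forward" srcip=10.99.0.3 dstip=203.0.113.10 app="DNS" sentbyte=120 rcvdbyte=300
devname="branch-099" type="utm" subtype="virus" srcip=10.99.0.3 dstip=203.0.113.50 virus="EICAR_TEST_FILE" severity="critical"
"""

# Assumed threat-intelligence blocklist (constructed); a real deployment would
# load this from a feed rather than hard-code it.
BLOCKLIST = {"198.51.100.5"}

# key=value pairs, where the value is either "quoted text" or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value line into a dict, handling quoted and bare values."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def top_applications(records, n=3):
    """Most frequently seen applications across all branches (traffic logs only)."""
    counts = Counter(r["app"] for r in records if r.get("type") == "traffic")
    return counts.most_common(n)


def top_bandwidth_users(records, n=3):
    """Source hosts ranked by bytes sent plus bytes received."""
    usage = Counter()
    for r in records:
        if r.get("type") == "traffic":
            usage[r["srcip"]] += int(r.get("sentbyte", 0)) + int(r.get("rcvdbyte", 0))
    return usage.most_common(n)


def top_threats(records, n=3):
    """Security (UTM) events ranked by count, keyed on detection name and severity."""
    counts = Counter()
    for r in records:
        if r.get("type") == "utm":
            name = r.get("attack") or r.get("virus") or r.get("subtype")
            counts[(name, r.get("severity"))] += 1
    return counts.most_common(n)


def indicators_of_compromise(records):
    """Per branch device, the internal hosts that contacted a blocklisted destination."""
    hits = defaultdict(set)
    for r in records:
        if r.get("type") == "traffic" and r.get("dstip") in BLOCKLIST:
            hits[r["devname"]].add(r["srcip"])
    return {dev: sorted(hosts) for dev, hosts in sorted(hits.items())}


def shared_destinations(records, min_branches=2):
    """Destinations reached from several branches: a pattern no single device can see."""
    seen = defaultdict(set)
    for r in records:
        if r.get("type") == "traffic":
            seen[r["dstip"]].add(r["devname"])
    return {dst: sorted(devs) for dst, devs in seen.items() if len(devs) >= min_branches}


RECORDS = parse_logs(SAMPLE_LOGS)

if __name__ == "__main__":
    print("Top applications:", top_applications(RECORDS))
    print("Top bandwidth users:", top_bandwidth_users(RECORDS))
    print("Top threats:", top_threats(RECORDS))
    print("IoC hits by branch:", indicators_of_compromise(RECORDS))
    print("Destinations shared across branches:", shared_destinations(RECORDS))
```

The point of the last two functions is the one the answer makes: a blocklist hit or an unusual shared destination is only visible once logs from every branch land in one place. In a real deployment the parser would read from the central log store and the blocklist from a feed; the ranking and correlation logic would stay the same.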

Recent amendments to PCI DSS requirements have taken network security beyond simple firewalls, recommending that organizations build firewall and router configurations to restrict connections between “untrusted networks” and any system components in the cardholder data environment. Why is this so important?

Our networks are becoming increasingly complex, with wireless connectivity, BYOD, the IoT and the move to the cloud changing the dynamics of transactions, communications, and data processing. This complexity presents ever-growing opportunities for compromise. In addition, hackers are getting better and better at bypassing an organization’s perimeter security to reach their unprotected internal networks. Because of this, even the best edge firewalls don’t stop everything, and they often can’t help after a breach occurs. And worse, once an attack reaches your internal network, there has traditionally been nothing in place to detect and stop it. That is why some of these data breaches aren’t discovered until long after they occur. It’s also why it is so important to segment your internal network. The Fortinet Internal Segmentation Firewall (ISFW) is designed to sit between two or more points on the internal network to expand visibility, control, and the mitigation of malicious traffic between disparate network segments, protecting and isolating different areas of your network from malicious code as it tunnels its way through the internal network. While you should certainly always put up the strongest walls you can against cyberattacks, you also need to assume that eventually, those walls will be breached. An Internal Segmentation Firewall allows you to contain any malicious code that has made it past your external defenses, thereby containing a breach and limiting its damage.
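The containment argument in that answer, as an added example that is not part of the interview and not Fortinet's ISFW configuration: a small first-match policy evaluator in Python over a constructed store segment plan. The segment names, address ranges, rules and sample flows are all assumptions made for this example. The flat policy stands for a network with nothing but an edge firewall; the segmented policy is the corrected design, with the cardholder data environment as its own segment and an implicit default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segment plan for one store. Addresses are RFC 1918 / RFC 5737
# placeholders chosen for this example, not a real deployment.
SEGMENTS = {
    "cde_pos": ipaddress.ip_network("10.10.0.0/24"),       # POS terminals: the cardholder data environment
    "corporate": ipaddress.ip_network("10.20.0.0/24"),     # back-office workstations
    "guest_wifi": ipaddress.ip_network("10.30.0.0/24"),    # customer Wi-Fi: untrusted by design
    "payment_gw": ipaddress.ip_network("203.0.113.0/28"),  # the acquirer's gateway, reached over TLS
}


def segment_of(ip):
    """Map an address to its segment; anything unknown (the internet included) is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src: str             # segment name or "any"
    dst: str             # segment name or "any"
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"

    def matches(self, src_seg, dst_seg, port):
        return (self.src in ("any", src_seg)
                and self.dst in ("any", dst_seg)
                and (self.port is None or self.port == port))


# Weak: one edge firewall and a flat network behind it. Everything internal reaches everything.
FLAT_POLICY = [Rule("any", "any", None, "allow")]

# Corrected: the CDE is its own segment. Only the named flows cross its boundary,
# in either direction, and anything that matches no rule is denied.
SEGMENTED_POLICY = [
    Rule("cde_pos", "payment_gw", 443, "allow"),  # POS terminals settle transactions over TLS
    Rule("corporate", "cde_pos", 443, "allow"),   # back office reaches the POS management console
    Rule("any", "cde_pos", None, "deny"),         # nothing else enters the CDE
    Rule("cde_pos", "any", None, "deny"),         # and the CDE initiates nothing else
    Rule("corporate", "any", 443, "allow"),       # ordinary web access for the back office
]


def evaluate(policy, src_ip, dst_ip, port):
    """First-match evaluation; no matching rule means deny."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for rule in policy:
        if rule.matches(src_seg, dst_seg, port):
            return rule.action
    return "deny"


# Constructed sample flows, including three that look like lateral movement.
FLOWS = [
    ("10.10.0.5", "203.0.113.4", 443),   # POS terminal settling a transaction
    ("10.30.0.77", "10.10.0.5", 445),    # guest Wi-Fi client probing a POS terminal over SMB
    ("10.20.0.12", "10.10.0.5", 22),     # back-office workstation trying SSH into the CDE
    ("10.10.0.5", "10.20.0.12", 3389),   # a compromised POS terminal pivoting toward the back office
    ("10.20.0.12", "10.10.0.5", 443),    # permitted management access
]


def contained_flows(policy, flows=FLOWS):
    """Flows the policy stops, i.e. what the segmentation boundary would contain."""
    return [f for f in flows if evaluate(policy, *f) == "deny"]


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: contained {len(contained_flows(policy))} of {len(FLOWS)} flows")
        for src, dst, port in FLOWS:
            print(f"  {src} -> {dst}:{port}  {evaluate(policy, src, dst, port)}")
```

Under the flat policy every flow is allowed, including the guest client reaching a POS terminal over SMB and the compromised terminal pivoting outward; under the segmented policy those three are denied while the two legitimate flows still pass. The deny rules are written in both directions on purpose: containing a breach means stopping what leaves the CDE as well as what enters it.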