ADTRAN Products and PCI Compliance

Version 1

    Preface:

    The purpose of this article is not to outline the PCI requirements themselves, but to address how ADTRAN products comply with the PCI DSS (Data Security Standard). If you reached this article while searching for information on the PCI standard, assessment sheets, or audit procedures, please review the reference links below:

     

    ADTRAN White Paper:
    https://www.adtran.com/pub/Library/White_Papers/Default/Demystifying%20the%20PCI%20DSS.pdf

    PCI-DSS:
    https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

    PCI Security Audit Procedures Version 1.1:
    https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

    IT Audit Checklist: Payment Card Industry (PCI):
    http://www.itcinstitute.com/display.aspx?id=2499

    Listing of Approved PCI Auditors:
    https://www.pcisecuritystandards.org/pdfs/asv_report.html

    Nessus® Vulnerability Scanner:
    http://www.nessus.org/

    Overview:

    The PCI (Payment Card Industry) Security Council developed the DSS (Data Security Standard) in reaction to the widespread merchant data breaches of the last several years. These breaches had little lasting effect on the merchants (businesses) themselves; the card issuers, however, incurred huge monetary losses, and unsuspecting consumers faced identity theft and damaged credit ratings.

     

    In a statement released January 18, 2007, the Security Council stated, “The security of payment data is not just a payment brand issue, but is the responsibility of all businesses (merchants) that participate in the payment process. All merchants and service providers that store, process and transmit payment card data are required by the payment brands (issuers) to comply with the PCI DSS---their customers (the consumers) expect it and their reputations depend on it.”

     

    ADTRAN Products and PCI Compliance:

    It is important to note that the PCI council does not offer any type of “certification stamp” or approval process for networking equipment. There are no formal lab tests required, and no official logos or websites listing certified products. In fact, the PCI DSS makes no stipulation about which products to use, only recommendations as to the security, configuration, and management requirements of the equipment and software involved in the transmission and/or storage of payment card data.

     

    While not a requirement for equipment manufacturers, ADTRAN is an active member of the PCI Security Vendor Alliance (www.pcialliance.org). This is simply a group of vendors that have collectively aligned to ensure compliance in their respective areas and to help merchants design a secure, comprehensive network solution. That being said, ADTRAN’s NetVanta (and other AOS-based) internetworking products meet all the technical requirements outlined by the security standard relative to network components. However, the burden of compliance does not rest solely on ADTRAN or any equipment manufacturer; it is the responsibility of the merchant/business to properly implement and configure these products to meet compliance. For each merchant, the requirements differ based on the complexity and design of their network (e.g. WAN architecture, remote management, WiFi access, VPN, etc.). Furthermore, the requirements for merchants that “store and transmit” payment card data are more stringent than those for merchants that simply “transmit” payment card transactions. Regardless of the size and complexity of a merchant’s network, any network application or component involved in the transmission, security or storage of payment card data is subject to audit (e.g. firewalls, routers, security appliances, servers, applications, etc.). This includes not only the Layer 3-7 devices and applications, but the Layer 1/2 components as well (e.g. CSU/DSUs, multiplexers, hubs, Ethernet switches, etc.). Fortunately, most vulnerabilities discovered in L1/L2 devices are related to device management, such as telnet access and passwords, which can be easily corrected between audits.

     

    One of the many complexities associated with PCI compliance is that merchants and banks are essentially “aiming at a moving target.” While the PCI Standard and audit procedures have not changed since 2006, the requirements enforced by vulnerability scanners and PCI auditors can change as new technologies and industry enhancements are introduced. For example, the PCI Standard clearly defines SSL (Secure Sockets Layer) as an acceptable technology for remotely managing devices on the network. While the standard says nothing about the various SSL versions, an auditor or scanner may flag anything other than SSL v3 as a vulnerability. This is just one of many reasons why businesses/merchants seldom, if ever, pass the PCI assessment on their first attempt.

     

    Conclusion:

    Regardless of which products or manufacturer you choose, it is important that you proactively monitor product updates, such as firmware enhancements and patches, to ensure ongoing product compliance. Before you buy, make sure you fully understand the manufacturer’s warranty and maintenance requirements for receiving these services. This service is included as part of the 5-year warranty on all ADTRAN internetworking products; firmware updates and enhancements are therefore provided “free of charge” as part of the initial equipment purchase.