Higher-ed organizations constantly have to balance user experience against security and compliance requirements. UNC Charlotte has developed a secure, easy way to implement PCI virtual terminals that does not hinder the end-user experience and still meets all of the PCI requirements.
2. Introduction
Boyd “Aaron” Sigmon
• Sr. Information Security Engineer
• 11 years' experience working in IT, 6 of them working directly with PCI compliance
• Education & Certifications
• BSIT Information & Computer Technology – East Carolina University
• GIAC Certified Incident Handler (GCIH)
• QualysGuard Certified Specialist
• Palo Alto Accredited Configuration Engineer (ACE) – PAN-OS 6.0
• CompTIA Security+
3. Overview
• Define what a PCI virtual terminal is
• What the requirements are for a virtual terminal to be compliant
• UNC Charlotte’s approach
• Benefits to using this approach
• Answer questions
4. What is a PCI Virtual Terminal?
• Any computer that is used to take credit card payments on behalf of a customer
• Any computer that the organization directs its customers to use to make credit card payments
5. What are the Requirements?
• Systems must follow an industry hardening standard (CIS, NIST, etc.)
• Systems must have file integrity monitoring, audit logging, and anti-virus
• Systems must be patched and undergo continuous vulnerability assessment
• Inbound and outbound network traffic must be restricted to trusted sites only
• Network traffic must be logged and monitored
6. UNC Charlotte’s Approach
Project Scope
• 19 Office machines
• 31 Dedicated/Self-service kiosk machines
• 1 Full-time staff (myself)
• 2 Student workers
• 30 days
The Challenge
• How do we secure the office machines without hindering our end-users?
7. UNC Charlotte’s Approach
The Solution:
• Deployed a hardened virtual machine on each office machine and have those users perform credit card transactions inside the VM
• Created network isolation with a VPN connection that places the VMs on our PCI network
• Applied the same security controls directly to the dedicated/self-service machines
8. UNC Charlotte’s Approach
Virtual Machine Details:
– Windows 7 Professional image running inside VirtualBox
– 2 GB RAM
– 2 processor cores
– Uses a NAT'ed network connection, so unsolicited inbound connections to the VM from the campus network are not possible
– Security controls are built into the image for ease of deployment
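The host-side provisioning of such a VM, as an added example that is not part of the original deck or UNC Charlotte's own tooling. It uses VBoxManage to import the gold image, apply the sizing and NAT adapter from the slide, and then close the host/guest channels that NAT alone does not cover (shared clipboard, drag-and-drop, shared folders, remote display): each of those moves data between the host, which is outside the PCI environment, and the guest, which is inside it. The VBoxManage path, the VM name and the gold-image path are assumptions.

```powershell
# Added example (not from the UNC Charlotte deck): provision the PCI terminal VM
# on an office machine with VBoxManage. Paths and the VM name are assumptions.
$VBoxManage = 'C:\Program Files\Oracle\VirtualBox\VBoxManage.exe'  # assumed install path
$VmName     = 'PCI-Terminal'                                        # assumed VM name
$GoldImage  = 'C:\PCI\PCI-Terminal.ova'                             # assumed gold image export

# Import the gold image that already carries the security controls.
& $VBoxManage import $GoldImage --vsys 0 --vmname $VmName

# Sizing from the slide: 2 GB RAM, 2 cores, NAT adapter so nothing on the
# campus LAN can initiate a connection to the guest.
& $VBoxManage modifyvm $VmName --memory 2048 --cpus 2 --nic1 nat

# NAT only covers network reachability. Disable the other host<->guest paths:
# shared clipboard, drag-and-drop, the VRDE remote display and audio capture.
& $VBoxManage modifyvm $VmName --clipboard disabled --draganddrop disabled --vrde off --audio none

# Remove any shared folders that came with the image export; a shared folder
# is a direct file path from the PCI guest to the out-of-scope host.
& $VBoxManage showvminfo $VmName --machinereadable |
    Select-String '^SharedFolderNameMachineMapping' |
    ForEach-Object {
        $name = ($_.Line -split '=', 2)[1].Trim('"')
        & $VBoxManage sharedfolder remove $VmName --name $name
    }

& $VBoxManage startvm $VmName
```

Run this from the host as the deploying administrator before the scheduled appointment; the in-guest controls (GPO, agents, VPN) take over once the VM boots and joins the domain.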
9. UNC Charlotte’s Approach
Security Controls:
– System hardening
• Used the CIS hardening standard
• Automated through Group Policy with templates from CIS
• Group policies are applied when the VM is deployed and joined to the domain
• Users do not have permission to make changes
– File Integrity Monitoring & Audit Logging
• LogRhythm
– Anti-virus
• Trend OfficeScan
– Patching & Vulnerability Assessment
• SCCM
• All software in the VM is a Microsoft product, so patching is automated
– Network Isolation & Monitoring
• The virtual machine automatically connects to a VPN that makes it part of the PCI network
10. UNC Charlotte’s Approach
VPN Details:
• Palo Alto GlobalProtect
• 2 x PA-3020 firewalls in high availability
• Pre-logon authentication that connects when the machine boots and keeps the VPN connected at all times
• Two-factor authentication using a client-side certificate plus a username/password
• Disabling the VPN client requires a passcode that only the security team knows
• Each department has an assigned VPN username/password
• Only the security team knows these credentials; we enter them during deployment
• Outbound access is controlled by firewall rules that use the VPN username as the source instead of IP addresses
• Example: Source: callcenter, Destination: touchnet.com, Port: 443
12. Benefits to this Approach
Easy to Deploy
• We build a gold image with all of the security controls applied
• Copy the image to each office machine prior to the scheduled appointment
• Send a student worker with a list of instructions to finish the configuration and train the users on how to use it
• Any changes not on the image are applied through group policy
• The VPN and firewall are also easy to configure and very well documented by Palo Alto
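A post-deployment check that the student worker can run inside the guest before handing the terminal over, as an added example that is not part of the original deck or UNC Charlotte's own instructions. It verifies that the controls listed under "Security Controls" and "VPN Details" are actually in force on this VM rather than trusting the gold image: the agents are running, the default route points into the tunnel, the egress policy allows the payment site and nothing else, the VM is domain-joined so the CIS GPOs apply, and the department account is not a local administrator. The Windows service names for GlobalProtect, SCCM, OfficeScan and the LogRhythm agent, the PCI-side gateway address, the department account name and the blocked test destination are all assumptions.

```powershell
# Added example (not from the UNC Charlotte deck): verify the PCI terminal
# controls from inside the guest VM. All names and addresses are assumptions.
$RequiredServices = @{
    'PanGPS'   = 'GlobalProtect agent (VPN)'             # assumed service name
    'CcmExec'  = 'SCCM client (patching)'                # assumed service name
    'ntrtscan' = 'Trend OfficeScan real-time scan (AV)'  # assumed service name
    'scsm'     = 'LogRhythm System Monitor (FIM/audit)'  # assumed service name
}
$PciGateway = '10.200.0.1'       # assumed next hop on the PCI side of the tunnel
$DeptUser   = 'callcenter-user'  # assumed department account that will use the VM
$Allowed    = 'touchnet.com'     # payment site from the firewall rule example
$Blocked    = 'example.com'      # assumed destination the egress policy must deny

$failures = @()

# 1. Agents: every control on the slide is delivered by an agent that must be running.
foreach ($svc in $RequiredServices.Keys) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s -or $s.Status -ne 'Running') {
        $failures += "$($RequiredServices[$svc]) service '$svc' is not running"
    }
}

# 2. Network isolation: with pre-logon GlobalProtect up, the lowest-metric
#    default route must point into the tunnel, not at the host's NAT gateway.
$default = Get-WmiObject Win32_IP4RouteTable |
    Where-Object { $_.Destination -eq '0.0.0.0' } |
    Sort-Object Metric1 | Select-Object -First 1
if (-not $default -or $default.NextHop -ne $PciGateway) {
    $failures += "default route next hop is '$($default.NextHop)', expected PCI VPN gateway $PciGateway"
}

# 3. Egress policy: the allowed payment site must connect; anything else must not.
function Test-TcpConnect([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $iar = $client.BeginConnect($HostName, $Port, $null, $null)
        $ok  = $iar.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
    } catch { $ok = $false }
    $client.Close()
    return $ok
}
if (-not (Test-TcpConnect $Allowed 443)) { $failures += "${Allowed}:443 unreachable; allow rule or tunnel is broken" }
if (Test-TcpConnect $Blocked 443)        { $failures += "${Blocked}:443 reachable; egress is not restricted to trusted sites" }

# 4. Hardening prerequisites: the CIS GPOs only apply to a domain-joined VM, and
#    the department user must not be able to undo them.
if (-not (Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    $failures += 'VM is not domain joined, so the CIS group policies will not apply'
}
# 'net localgroup' lists members one per line, optionally as DOMAIN\name.
if ((net localgroup Administrators) -match "(^|\\)$([regex]::Escape($DeptUser))\s*$") {
    $failures += "$DeptUser is a local administrator"
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host 'PASS: all PCI terminal controls verified'
```

A non-zero exit gives the student worker a concrete list of what to fix before training the user; the egress test in step 3 is the one that catches a VM that booted but never joined the PCI network, since the "blocked" site will be reachable through the host's NAT.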
13. Benefits to this Approach
Using the VM causes less inconvenience to our end-users
• Users only have restricted access inside their VM
• Users can still browse the web, check email, etc. from their physical office machine
• Users can easily switch back and forth between the virtual machine and the physical machine as needed
14. Benefits to this Approach
Using the VPN connection reduces PCI scope
• Connecting to the VPN changes the VM's routing table and makes it part of a completely different network from the physical network connection of the host machine
• All of the VM's traffic is wrapped in an encrypted tunnel and no longer passes through the same network devices as the host machine's traffic
15. Benefits to this Approach
Using the VPN reduces management overhead
• All access is controlled by a single device
• All network traffic is monitored from a single device
16. Benefits to this Approach
Using the VPN gives you Flexibility
• Temporary virtual terminals on demand
• iPads, Laptops, and Tablets
• Can be used ANYWHERE on campus, including Wi-Fi
17. Benefits to this Approach
Fully meets PCI requirements and has been signed off by our QSA, CoalFire