Practices Guide
940657-001 Rev A00
VeriFone, Inc.
2099 Gateway Place
Suite 600
San Jose, CA 95110
USA
Corporate Telephone: 1-800-VeriFone (837-4366)
Main Telephone: 408-232-7800
Corporate Web Site: www.verifone.com
PCI Guidelines for IntelliNAC and IntelliView
August, 2013
Copyright 2013 by VeriFone, Inc.
Printed in the United States of America
All Rights Reserved.
This publication is proprietary to VeriFone, Inc. and is intended solely for use by VeriFone
customers. This publication may not be reproduced or distributed for any purpose without the
written permission of VeriFone.
VeriFone reserves the right to make changes to this publication at any time without notice.
No Warranty
VeriFone has attempted to ensure the accuracy of the contents of this publication. However, this
publication may contain errors or omissions. This publication is supplied as-is, without any
warranty of any kind, either expressed or implied, including the implied warranties of
merchantability and fitness for a particular purpose.
Trademarks
IntelliNAC and IntelliView are registered trademarks of VeriFone.
The VeriFone logo is a trademark of VeriFone.
Other brand names or trademarks associated with VeriFone products and services are
trademarks of VeriFone, Inc. All other brand names and trademarks appearing in this
publication are the property of their respective holders.
Contents
Introduction ... 3
Document Format ... 3
PCI-DSS Requirements Supported ... 4
Guidelines ... 5
PCI DSS Requirement: Do not use vendor supplied defaults for system passwords and other security parameters ... 5
PCI-DSS Requirement: Protect Cardholder Data ... 6
PCI-DSS Requirement: Encrypt Transmission of cardholder and sensitive information across public networks ... 6
PCI-DSS Requirement: Assign a unique ID to each person with computer access ... 7
PCI-DSS Requirement: Restrict Physical Access to Cardholder Data ... 9
PCI-DSS Requirement: Restrict Access to data by business need-to-know ... 10
PCI-DSS Requirement: Track and monitor all access to network resources and cardholder data ... 10
Introduction
This document provides guidance on vendor-recommended best practices for implementing IntelliNAC and IntelliView in a PCI-compliant production environment. It briefly describes the operation of those product functions that fall within the scope of an audit measuring the customer environment's compliance with the standards documented in the PCI-DSS Version 2.0 guidelines. Where enabling a security feature is optional functionality within the IntelliNAC and IntelliView products, VeriFone recommends implementing and using it so that the resulting level of security meets or exceeds the requirements stated in the PCI-DSS guidelines wherever possible.
Content is limited to a set of statements about the product functions, and their associated implementation, that VeriFone deems to be within the scope of the PCI-DSS guidelines. Sufficient implementation detail is given to provide a clear understanding of the recommended practice to be followed; detail beyond that level is found in the product user guides available to customers. General recommendations are included regarding the need for a corporate security policy to be followed and for a secure infrastructure, outside the scope of these products, to be in place that can be relied upon for securing the customer environment.
Document Format
Brief product functional descriptions are listed in the order of the PCI-DSS requirements that apply. Each description addresses a requirement with a statement of how the requirement is supported and includes an implementation recommendation.
Limitation of Liability
These recommendations are stated with the intent to reduce scope of assessment of
functionality associated to data transport as that functionality relates to certain PCI-DSS
requirements. In no way does compliance with these recommendations guarantee passage of
an assessment for the purpose of achieving full compliance to the PCI-DSS standards. The
customer is solely responsible for PCI-DSS compliance in its environment, including adopting
security policies to fully achieve a PCI-DSS compliant environment and protect cardholder data
from unauthorized access. VeriFone shall have no liability to customer or any third party for
damages, fines, penalties or other monetary losses with respect to a customer's compliance or
lack thereof with PCI-DSS requirements, whether based on the best practices recommended in
this document or otherwise. In no event shall VeriFone be liable for any indirect, special,
incidental, or consequential damages, including without limitation damages for loss of business,
profits, or the like, even if VeriFone or its representatives have been advised of the possibility of
such damages.
PCI-DSS Requirements Supported
[Table: PCI-DSS requirements supported, with columns "In Scope" and "Compliant"; the table body is not reproduced in this text.]
Guidelines
PCI DSS Requirement: Do not use vendor supplied defaults for system passwords and
other security parameters
What is Supported:
IntelliView forces the default administrative password used for installation to be changed on first use; thereafter the password is subject to a default expiration policy that expires it every 90 days. The format of the replacement password should follow the best practices outlined in the PCI-DSS standards and restated here for reference.
What is Needed:
When defining passwords or pass phrases, the recommended best practice should be followed for compliance with the PCI DSS standards. Specifically, the passwords or pass phrases should meet the following requirements:
During installation a password-protected keystore file is created for holding SSL certificates (reference the IntelliView User Guide, Installation section, for detail).
The admin user account requires a unique password to be entered, which is then used for access at the admin user level (reference the IntelliView User Guide on changing the admin user password for detail).
Managing IntelliNACs in IntelliView requires entry of the SSH login password derived during the IntelliNAC installation process. An optional encryption pass phrase may be entered and is recommended for raising the level of security (reference the IntelliView User Guide, Managing an IntelliNAC, for detail).
Individual user accounts in addition to the admin user account require a unique password for each user account, entered at the time of creation (reference the IntelliView User Guide, User Accounts section, for detail).
The following IntelliNAC functions require unique passwords or pass phrases for operation:
At initial installation an SSH login user ID and password are required for local access. Additionally, a certificate-based SSH login may be implemented to eliminate the need for password management.
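The following is an added example, not VeriFone code, showing how the password rules this guide refers to can be enforced at the point where a replacement admin or user password is set. The composition rules are taken from the PCI DSS v2.0 section 8.5 password requirements (minimum length 7, both alphabetic and numeric characters, rotation at least every 90 days, no reuse of the last four passwords); the 90-day expiry matches the IntelliView default stated above. The salted PBKDF2 history check and the short list of vendor-default values to reject are assumptions made for illustration.

```python
"""Added example (not VeriFone code): password-policy checks modelled on the
PCI DSS v2.0 section 8.5 rules and the 90-day IntelliView default expiry.
The PBKDF2 history check and DEFAULT_PASSWORDS list are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7                   # PCI DSS v2.0 8.5.10
MAX_AGE = timedelta(days=90)     # PCI DSS v2.0 8.5.9; IntelliView default expiry
HISTORY_DEPTH = 4                # PCI DSS v2.0 8.5.12: not one of the last four
# Constructed placeholder list of vendor-default values that must be rejected.
DEFAULT_PASSWORDS = {"admin", "password", "changeme"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only digests are retained for history checks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def composition_errors(password: str) -> list:
    """Return the composition rules the password fails (empty list means OK)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too short")
    if not any(c.isalpha() for c in password):
        errors.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    if password.lower() in DEFAULT_PASSWORDS:
        errors.append("vendor default value")
    return errors


def is_reused(password: str, history: list) -> bool:
    """history: list of (salt, digest) pairs, most recent first."""
    return any(
        hmac.compare_digest(hash_password(password, salt), digest)
        for salt, digest in history[:HISTORY_DEPTH]
    )


def _as_datetime(value) -> datetime:
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def is_expired(last_changed, now) -> bool:
    """True once the password has been in use for MAX_AGE or longer.
    Accepts datetime objects or ISO-8601 strings such as '2013-08-01'."""
    return _as_datetime(now) - _as_datetime(last_changed) >= MAX_AGE


def change_password(new_password: str, history: list) -> list:
    """Validate a replacement password against composition and reuse rules.
    On success return the updated history (new digest first); on failure
    raise ValueError listing every rule that failed, so the user sees all
    problems at once instead of fixing them one round trip at a time."""
    errors = composition_errors(new_password)
    if is_reused(new_password, history):
        errors.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    return [(salt, hash_password(new_password, salt))] + history
```

The expiry check is meant to run at login time against the date the password was last changed; the history list is whatever the application stores per account, and it only ever holds salts and digests, never the passwords themselves.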
Local security policy for password control requires an implementation supporting the following
functions to meet PCI-DSS standards:
PCI-DSS Requirement: Track and monitor all access to network resources and cardholder
data
What is Supported:
All access to the IntelliNAC and IntelliView products is tracked and logged in audit trails established for this purpose. The activity tracked includes all login and logout actions and all activity while in session with the products, including configuration, command and control functions. The logs are time stamped for presentation in real time, or they can be exported when they need to be reviewed during security audits.
What is Needed:
It is recommended that the logs be exported and archived for the purpose of presentation in the event a
PCI-DSS assessment is in process.
Example Screen showing Audit Log: [screenshot not reproduced in this text]
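As an added example, not VeriFone code, the block below shows what a reviewer can do with an exported audit log of the kind described above before archiving it for an assessment: parse it strictly, flag entries a reviewer would question, and record a digest so the archived copy can later be shown to be unchanged. The tab-separated line format (timestamp, user, action, detail), the action names and the sample lines are constructed for this example; the products' actual export format is documented in their user guides, not here.

```python
"""Added example (not VeriFone code): review and archive summary for an
exported audit log.  Line format, action names and sample lines are
constructed for illustration."""
import hashlib
from datetime import datetime

# Constructed sample export; not real IntelliView/IntelliNAC output.
SAMPLE_EXPORT = """\
2013-08-05T09:12:03Z\tadmin\tLOGIN\tsource=10.0.0.5
2013-08-05T09:14:40Z\tadmin\tCONFIG\tpassword expiry set to 90 days
2013-08-05T09:20:11Z\tadmin\tLOGOUT\t-
2013-08-05T10:01:00Z\toperator1\tLOGOUT\t-
"""

KNOWN_ACTIONS = {"LOGIN", "LOGOUT", "CONFIG", "COMMAND"}  # assumed set


def parse_export(text: str) -> list:
    """Parse one entry per line.  A malformed line raises instead of being
    skipped: a silently dropped entry defeats the purpose of an audit trail."""
    entries = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 tab-separated fields" % number)
        stamp, user, action, detail = fields
        entries.append({
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "detail": detail,
        })
    return entries


def review_findings(entries: list) -> list:
    """Flag what a reviewer would question: timestamps that go backwards,
    unknown action types, and a LOGOUT with no preceding LOGIN for that user
    (a session whose start is missing from the trail)."""
    findings = []
    open_sessions = set()
    previous = None
    for e in entries:
        when = e["time"].isoformat()
        if previous is not None and e["time"] < previous:
            findings.append("%s: timestamp earlier than previous entry" % when)
        previous = e["time"]
        if e["action"] not in KNOWN_ACTIONS:
            findings.append("%s: unknown action %r" % (when, e["action"]))
        if e["action"] == "LOGIN":
            open_sessions.add(e["user"])
        elif e["action"] == "LOGOUT":
            if e["user"] not in open_sessions:
                findings.append("%s: LOGOUT for %s with no preceding LOGIN"
                                % (when, e["user"]))
            open_sessions.discard(e["user"])
    return findings


def archive_record(text: str) -> dict:
    """Summary to store beside the archived export so an assessor can confirm
    the file covers the expected period and has not changed since export."""
    entries = parse_export(text)
    return {
        "entries": len(entries),
        "first": entries[0]["time"].isoformat() if entries else None,
        "last": entries[-1]["time"].isoformat() if entries else None,
        "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
    }
```

Run `review_findings(parse_export(SAMPLE_EXPORT))` on the constructed sample and the only finding is the operator1 logout with no matching login, which is exactly the kind of gap to resolve before the export is archived; the `archive_record` output is what gets kept with the file.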