IntelliView and IntelliNAC PCI-DSS Best

Practices Guide
940657-001 Rev A00

VeriFone, Inc.
2099 Gateway Place
Suite 600
San Jose, CA 95110
USA
Corporate Telephone: 1-800-VeriFone (837-4366)
Main Telephone: 408-232-7800
Corporate Web Site: www.verifone.com
PCI Guidelines for IntelliNAC and IntelliView

August, 2013
Copyright 2013 by VeriFone, Inc..
Printed in the United States of America
All Rights Reserved.

This publication is proprietary to VeriFone, Inc. and is intended solely for use by VeriFone
customers. This publication may not be reproduced or distributed for any purpose without the
written permission of VeriFone.
VeriFone reserves the right to make changes to this publication at any time without notice.
No Warranty
VeriFone has attempted to ensure the accuracy of the contents of this publication. However, this
publication may contain errors or omissions. This publication is supplied as-is, without any
warranty of any kind, either expressed or implied, including the implied warranties of
merchantability and fitness for a particular purpose.
Trademarks
IntelliNAC and IntelliView are registered trademarks of VeriFone.
The VeriFone logo is a trademark of VeriFone.
Other brand names or trademarks associated with VeriFone products and services are
trademarks of VeriFone, Inc. All other brand names and trademarks appearing in this
publication are the property of their respective holders.

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 1

Contents
Introduction .......................................................................................................................................... 3
Document Format ................................................................................................................................. 3
PCI-DSS Requirements Supported ........................................................................................................ 4
Guidelines ............................................................................................................................................. 5
PCI DSS Requirement: Do not use vendor supplied defaults for system passwords and other
security parameters .............................................................................................................................. 5
PCI-DSS Requirement: Protect Cardholder Data .................................................................................. 6
PCI-DSS Requirement: Encrypt Transmission of cardholder and sensitive information across public
networks ............................................................................................................................................... 6
PCI-DSS Requirement: Assign a unique ID to each person with computer access ............................... 7
PCI-DSS Requirement: Restrict Physical Access to Cardholder Data .................................................... 9
PCI-DSS Requirement: Restrict Access to data by business need-to-know ....................................... 10
PCI-DSS Requirement: Track and monitor all access to network resources and cardholder data .... 10

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 2

Introduction
This document provides guidance regarding vendor recommended best practices for implementation of
IntelliNAC and IntelliView in a PCI compliant production environment. The document provides a brief
description of operation where functions are within scope of being assessed during an audit conducted
for the purpose of measuring customer environment compliance to standards documented in PCI-DSS
Version 2.0 guidelines. Where enablement of security features is optional functionality within the
IntelliNAC and IntelliView products, VeriFone recommends implementation and use that delivers a level
of security to meet or exceed the requirements stated in the PCI-DSS guidelines wherever possible.
Content is limited to only a set of statements regarding product functions and associated
implementation that VeriFone deems to be within scope of the PCI-DSS guidelines. Sufficient
implementation detail is added to provide a clear understanding of the recommended practice to be
followed. Detail beyond that level is included in the product user guides available to customers. General
recommendations are included regarding the need for a corporate security policy to be followed and a
secure infrastructure outside the scope of these products to be in place that can be relied upon for
securing the customer environment.

Document Format
Brief product functional descriptions are listed in order of PCI-DSS requirements that are applicable.
Descriptions address each requirement with statements of how the requirement is supported and
include a recommendation of implementation.

Limitation of Liability
These recommendations are stated with the intent to reduce scope of assessment of
functionality associated to data transport as that functionality relates to certain PCI-DSS
requirements. In no way does compliance with these recommendations guarantee passage of
an assessment for the purpose of achieving full compliance to the PCI-DSS standards. The
customer is solely responsible for PCI-DSS compliance in its environment, including adopting
security policies to fully achieve a PCI-DSS compliant environment and protect cardholder data
from unauthorized access. VeriFone shall have no liability to customer or any third party for
damages, fines, penalties or other monetary losses with respect to a customers compliance or
lack thereof with PCI-DSS requirements, whether based on the best practices recommended in
this document or otherwise. In no event shall VeriFone be liable for any indirect, special,
incidental, or consequential damages, including without limitation damages for loss of business,
profits, or the like, even if VeriFone or its representatives have been advised of the possibility of
such damages.

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 3

PCI-DSS Requirements Supported

A matrix is provided below which references PCI-DSS requirements that the VeriFone IntelliNAC and
IntelliView products are in scope to provide compliant operation. A section following the matrix
provides guidance on product functionality to insure best practices are followed when implementing the
functions to adhere to a PCI compliant operation.
PCI-DSS REQUIREMENTS
Do not use vendor supplied defaults for system passwords and other
security parameters

IN
SCOPE

Compliant

Protect Cardholder Data

Encrypt Transmission of cardholder and sensitive information across
public networks
Assign a unique ID to each person with computer access
Restrict Physical Access to Cardholder Data
Restrict Access to data by business need-to-know
Track and monitor all access to network resources and cardholder
data

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 4

Guidelines
PCI DSS Requirement: Do not use vendor supplied defaults for system passwords and
other security parameters
What is Supported:
IntelliView forces the modification of the default administrative password used for installation upon
first use and thereafter is subject to expiration based upon a default operation that expires the
password every 90 days. Formatting of the replacement password should follow the best practices
outlined in the PCI-DSS standards and restated here for reference.
What is Needed:
When defining passwords or pass phrases the recommended best practice should be followed for
compliance to PCI DSS standards. Specifically the password/pass phrases should meet the following
requirements:

Minimum password length is 8 characters

Password must contain both lower and upper case characters and numbers and special
characters
Example: $79aO93K!

The following InteliView functions require unique passwords for operation:

During Installation a password protected Keystore file is created for holding SSL certificates
(Reference IntelliView User Guide Installation section for detail)
The admin user account requires a unique password to be entered to be used for access at the
admin user level (Reference IntelliView user Guide on changing user admin password for detail)
Managing IntelliNACs in IntelliView requires a SSH login password to be entered that is derived
during the InrtelliNAC installation process An optional encryption pass phrase may be entered
and is recommended for raising the level of security (Reference IntelliView User Guide
Managing an IntelliNAC for detail)
Individual user accounts in addition to the admin user account require unique passwords for
each user account to be entered at the time of creation (Reference the IntelliView User Guide
User Accounts Section for detail)The following IntelliNAC functions require unique passwords or
pass phrase for operation:
At initial installation an SSH Login user ID and password is required for local access. Additionally
a certificate based SSH login maybe implemented to eliminate the need for password
management.

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 5

Local security policy for password control requires an implementation supporting the following
functions to meet PCI-DSS standards:

The last 4 passwords must be unique

User account is locked after 3 invalid password entries
Admin account is locked for 30 minutes after 3 invalid password entries
User is logged off after a configurable inactivity period. The recommendation based upon PCIDSS requirements is to set this value to 15 minutes (Reference the IntelliView User Guide User
Accounts Section for Detail.

PCI-DSS Requirement: Protect Cardholder Data

What is Supported:
No cardholder data is stored during operation of IntelliView or IntelliNAC or in persistent trace storage.
When encryption is enabled on all incoming and outgoing links into the IntelliNAC, there is no
mechanism to view the clear text cardholder data and it is always either obscured from display or
encrypted
What is Needed:
Insure all trace activity is limited by access rights to the trusted staff with a need for performing this
function. All resultant trace data should be held in the repository of the target hardware under trace
and purged with the frequency required for meeting the security policy imposed for meeting PCI-DSS
PCI-DSS Requirement: Encrypt Transmission of cardholder and sensitive information across
public networks
What is Supported:
Enablement of secure transmission is recommended between endpoints from the point of origination at
the POS device and across all public and private transport facilities to include the connections serving
the payment processor. Secure transmission is provided in the IntelliView and IntelliNAC products via a
combined means of enablement of encryption and authentication compliant to cryptographic standards
established in the PCI-DSS guidelines (Reference IntelliView and IntelliView System Guide for detail)
What is Needed:
Insure line encryption is used on inbound and outbound links used for transport of cardholder data
wherever that support is provided. (Reference IntelliView User Guide for detail)

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 6

List of Links that are used for cardholder data include

IP Uplinks (SSL)
IP Downlinks (SSL)
NAC to NAC WAN links (IPSec and SSH)
Dial Downlinks (EFTSec)
PCI-DSS Requirement: Assign a unique ID to each person with computer access
What is Supported:
The security policy of the customer dictates the administration of user account controls is implemented
to be consistent with that policy. InteliiView provides the means to restrict access to specific rights and
permissions to become compliant to PCI-DSS guidelines. Where there is an active directory service for
administering secure access the customer may implement connection to that service to utilize LDAP
functionality to control access.
What is Needed:
Implement the established user account security policy for insuring unique IDs are constantly in effect
and aged out based upon the PCI-DSS guidelines by selecting the appropriate aging factor for user
accounts. Insure each user ID has limited rights and access in accord with those guidelines by selection
of the functions to be associated to the each unique user ID. If there is a need to extend security to an
established enterprise level across all user accounts in association with an active directory server,
configure the user access to be administered using the LDAP configuration capability. (Reference
Intelliview User Guide Installation and Setup Section configuration for detail)

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 7

Example Screen Display for Configuration of LDAP support:

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 8

PCI-DSS Requirement: Restrict Physical Access to Cardholder Data

What is Supported:
The ability to gain unauthorized access to IntelliView and IntelliNAC products transporting cardholder
data has been prevented to insure a strict adherence to this requirement based upon the customer
engaging the full model of two factor authentication wherever that is provided.
What is Needed:
While this requirement is met in part by the limitation of methods of access to the products of
IntelliView and IntelliNAC other than via processes that provide two factor authentication it is the
responsibility of the customer to provide barriers to physical access to the products. These products are
assumed to be installed into a secure data center environment protected by both logical and physical
access boundary protections available when co-located with general purpose routers and firewalls.
Physical access should be secured based upon entry card access to the secure rooms where the products
are installed. An example of this is provided for illustration.

Figure 1 Deployment example showing firewall access protection

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 9

PCI-DSS Requirement: Restrict Access to data by business need-to-know

What is Supported:
Rights and privileges controls can be administered to the specific roles as assigned to each user account
based upon the permission sets granted at the time of implementation. Every user account is locked to
the functions determined by security policy to then have access limited by the rules of command and
control to insure no unintended information is available to the user.
What is Needed:
It is recommended that the administrator review all roles and establish the accounts in accord with the
security policy in place to be compliant to PCI-DSS guidelines. In the event a user account becomes
inactive the means to expire that account automatically based upon an inactivity period is provided and
this should also be consistent with the practices of PCI-DSS (currently 90 days) Reference IntelliView
User Guide user account management for details)
Example Screen Display of User Account Management Controls

PCI-DSS Requirement: Track and monitor all access to network resources and cardholder
data
What is Supported
All access to the IntelliNAC and IntelliView products is tracked and logged within audit trails established
for this purpose. The activity tracked includes all actions associated to login/logout and activity while in
session with the products including configuration, command and control functions. The logs are time

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 10

stamped for presentation in real time or can be exported in the event of a need to review them during
security audits.
What is Needed:
It is recommended that the logs be exported and archived for the purpose of presentation in the event a
PCI-DSS assessment is in process.
Example Screen showing Audit Log:

IntelliView and IntelliNAC PCI-DSS Best Practices Guide

940657-001 Rev. A00

Page 11