Start Your Own ATM Business
In June 2001, Visa USA implemented the Cardholder Information Security Program (CISP). The goal of CISP was to assure Visa credit card customers that their account information was safe whenever they used their card for a purchase, regardless of whether the purchase was made by telephone, across the Internet, through the mail, or in person. In 2004, the CISP requirements were incorporated into a new industry standard called the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is now a requirement of all major credit card companies, including Visa, MasterCard, Discover, Diners Club, and American Express.
As modern threats have evolved, physical security measures, such as real-time video surveillance, have found many applications beyond traditional uses, including school systems, ATMs, and many workplaces. Video surveillance also offers the ability to perform passive monitoring, recording and reviewing events and providing critical pieces of evidence for locating and prosecuting criminals.
Many devices have traditionally been connected to separate closed networks, such as ATMs and IP video surveillance cameras on closed-circuit TV (CCTV) networks. Many of these devices are migrating to IP networks, but it is still desirable to keep them accessible only to authorized personnel.
Increasingly, companies are struggling to comply with a myriad of industry and government regulations stipulating how financial and customer data is handled and protected. Regulations including the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Payment Card Industry (PCI), and Basel II (in Europe) contain specific provisions governing the handling of information. They also specify precautions that companies must take.
We may not want any random employee to be able to access specialized applications and devices such as ATMs and security endpoints. There also could be regulations or laws requiring proper separation of networks during an acquisition, for example.
Today, chief security officers and other executives, including the CEO, are held accountable for their actions by the government and private organizations, even when the organization itself does not hold itself accountable. The Payment Card Industry Data Security Standard is a perfect example, where the combined forces of the major credit card companies have organized to require and enforce a rigid set of standards for protecting their customers'
OTP is a type of two-factor authentication. Two-factor authentication involves using something you have combined with something you know. Automated teller machines (ATMs) use two-factor authentication. A customer needs both an ATM card and a PIN to make transactions. With OTPs, you need a PIN and your token card to authenticate to a device or software application. A token card is a hardware or software device that generates new, seemingly random, passwords at specified intervals, usually 60 seconds. A user combines that password with a PIN to create a unique password that works only for one instance of authentication. If a hacker learns that password by using a packet sniffer, the information is useless because the password has already expired. This mitigation technique is effective only against a sniffer implementation that is designed to grab passwords. Sniffers deployed to learn sensitive information (such as e-mail messages) will still be effective.
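As an added example (not from the original text) of the token-plus-PIN scheme described above: a minimal RFC 6238-style time-based OTP generator with a 60-second step, the PIN-plus-code password the user would type, and a verifier that accepts each code only once, so a password captured by a sniffer is useless after it has been used or its interval has passed. The secret, PIN and timestamps are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the token card rotates its code every 60 seconds
DIGITS = 6


def token_code(secret: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238 style, HMAC-SHA1) for the interval containing `now`."""
    counter = struct.pack(">Q", now // step)          # 8-byte big-endian interval number
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def compose_password(pin: str, otp: str) -> str:
    """What the user types: PIN (something you know) followed by the token code (something you have)."""
    return pin + otp


class OtpVerifier:
    """Server side: checks PIN + code and refuses to accept the same interval's code twice."""

    def __init__(self, secret: bytes, pin: str, step: int = STEP_SECONDS, skew_steps: int = 1):
        self._secret = secret
        self._pin = pin                 # a real deployment would store a salted hash, not the PIN
        self._step = step
        self._skew = skew_steps         # tolerate slight clock drift between token and server
        self._used_intervals = set()    # intervals whose code has already been consumed

    def verify(self, password: str, now: int) -> bool:
        pin, otp = password[:len(self._pin)], password[len(self._pin):]
        if not hmac.compare_digest(pin, self._pin):
            return False
        current = now // self._step
        for interval in range(current - self._skew, current + self._skew + 1):
            expected = token_code(self._secret, interval * self._step, self._step)
            if hmac.compare_digest(otp, expected):
                if interval in self._used_intervals:
                    return False        # replay: this code already authenticated once
                self._used_intervals.add(interval)
                return True
        return False                    # wrong or expired code


if __name__ == "__main__":
    secret, pin, t = b"12345678901234567890", "4321", 1_700_000_000   # constructed values
    pw = compose_password(pin, token_code(secret, t))
    v = OtpVerifier(secret, pin)
    print(v.verify(pw, t), v.verify(pw, t + 5), v.verify(pw, t + 180))
```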
Private connectivity means that hosts inside an organization have access to internal hosts only, not Internet hosts. Examples of hosts that require only private connectivity include bank ATMs, cash registers in a retail store, or any hosts that do not require connectivity to hosts outside the company. Private hosts need to have IP addresses that are unique inside the organization. For this type of connectivity, the IANA has reserved the following three blocks of the IP address space for what are referred to as private internets
This is already starting, as evidenced by some of the newer experiences partners are now having with large financial institutions. At the time of this writing, at least one large institution is looking to pilot IP telephony technologies as an integrated component of its automated teller machines (ATMs). Part of the thought process is to create an environment where customers using ATMs and running into any kind of difficulty could, at the touch of a button, have either a voice or a voice/video session invoked with a representative at the bank's call center. The video angle is being investigated because it lends itself to the security aspects of the solution.
The Cisco network virtualization framework can be used to isolate specialized devices, such as ATMs and manufacturing robots, as well as to provide hosted network services for in-store kiosks. Access control uses MAC Authentication Bypass (MAB) and static port assignment to map specialized devices (ATMs, IP video surveillance cameras, building HVAC systems, manufacturing robots, hosted entity kiosks, and so on) to private virtual network partitions.
Maintaining a reliable and secure data network is critical to the health of our business. Almost all our business functions in some way rely on the network to complete tasks. In an effort to further secure our network from rogue users, viruses, worms, and other detrimental network activity, we have purchased the Cisco Network Admission Control (NAC) Appliance solution. Additionally, industry and government regulations, such as Payment Card Industry (PCI), the Sarbanes-Oxley (SOX) Act, and the Health Insurance Portability and Accountability Act (HIPAA), are mandating that many of the controls that Cisco NAC Appliance will provide be in place on our network. Cisco NAC Appliance will allow us to control who is allowed on the network, what access rights they will have on our network, and ensure that their PC is running the most up-to-date security software. The following phased deployment plan has been put together to ensure that the rollout of the NAC Appliance solution will not...
Make sure that the hosts on your security management network, and MARS specifically, reside in a protected facility. At the very least, they should be locked in a room that is inaccessible to the public and to staff without a specific business need. Ideally, security management resides in a datacenter that exercises strong controls: staff with access rights to the facility need to have a security badge and need to sign in, either on paper or electronically, before entering. The Payment Card Industry (PCI) data security standard, discussed in Chapter 2, has good recommendations that datacenters everywhere should attempt to adhere to, even if your facility is not affected by PCI requirements.