The Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide information security standard created by the PCI Security Standards Council to help organizations that process card payments prevent credit card fraud.
The standard applies to all organizations that hold, process, or pass cardholder information on any card issued by Mastercard, Visa, American Express, Discover, JCB or UnionPay.
Compliance with PCI DSS is a shared responsibility between Meter and the Customer. While Meter Network provides robust security features that support PCI DSS requirements, implementation of these features alone does not guarantee compliance. PCI DSS compliance requires a comprehensive program that extends beyond network infrastructure to include policies, procedures, and controls across your entire organization. This document describes how Meter Network's features can support your PCI compliance efforts as part of a broader compliance strategy.
Out of band management
Meter’s out of band control plane separates network management data from user data. Network management data (including configuration, statistics, and monitoring) flows from Meter devices to the Meter cloud over a securely encrypted connection. User data does not go to our cloud environment, instead traveling directly to its destination on the local network or the Internet.
Information in the Meter cloud
As part of the Meter cloud management platform, some information needs to be located in the cloud. This information is securely stored in a redundant fashion, and in data centers that are highly available. All communication to and from the Meter cloud is encrypted with SSL. Information stored within the Meter cloud includes:
- Meter device configurations
- Traffic statistics
- Organization and Network administrator credentials
All other information, including voice/data traffic, flows normally within the customer network. It does not traverse or get stored in the Meter cloud.
Foundational for all PCI DSS control requirements
Meter provides a unified networking stack, delivered as a service. As such, there is a ‘shared responsibility model’ in which the customer has responsibility for the configuration and monitoring of components of its environment that are not explicitly controlled by Meter.
Meter does not meet the definition of a “service provider” under PCI DSS.
All Meter security policies and operational procedures are documented, kept up to date, in use, and known to all affected parties. Meter collaborates with customer IT management to ensure coordination with the customers' policies and controls. In addition, the delineation of roles and responsibilities between Meter and its customers is clearly documented.
Requirement 1: Install and maintain Network Security Controls (NSCs)
- Meter defines, implements and maintains all relevant NSCs on the customers’ network.
- Meter has a clearly defined change control process that integrates with the customers' change control process.
- The Meter Dashboard provides both the customer and Meter with accurate and up-to-date network connectivity diagrams, including VLANs and device isolation.
- Meter only enables services, protocols and ports that are expressly required by the customer. In all other instances, Meter implements a "default deny" policy.
- In the shared security model, it is incumbent upon the customer to implement regular configuration reviews to ensure controls are appropriate and effective for their business purposes. Meter can support this review process and assist in any updates required.
- Meter configuration files are protected from unauthorized access. In addition, all changes to configurations are securely logged for disaster recovery and security auditing purposes.
- Meter enables its customers to segment their networks as business needs dictate. This includes restricting traffic to and from specific networks at a very granular level.
- Internal IP addresses are protected from unauthorized access.
Requirement 2: Apply secure configurations to all system components
- Meter's configuration standards apply to the Meter devices on the network. Meter's patch and vulnerability management program ensures Meter components are maintained at the most current patch levels. Application of patches is scheduled in coordination with our customers.
- Meter's systems do not employ default accounts or default passwords. All Meter device passwords are created per device and per customer.
- Meter only enables services, protocols and ports that are expressly required by the customer. In all other instances, Meter implements a "default deny" policy.
- System security is configured to prevent misuse. Meter products are regularly tested by external third parties to validate the appropriateness of security configurations.
- All administrative access is encrypted using industry leading encryption technology.
- Meter networks can be configured with WPA2-PSK, WPA2-Enterprise, WPA3-Personal, and WPA3-Enterprise, each with its own form of strong encryption.
- Meter devices do not break TLS encryption; all encrypted data on your Meter Network will remain encrypted from source to destination.
Requirement 3: Protect Stored Account Data (SAD)
- Meter customer data - including card holder data and SAD - does not traverse and is not stored in the Meter cloud at any time.
- Meter networks can be configured with WPA2-PSK, WPA2-Enterprise, WPA3-Personal, and WPA3-Enterprise, each with its own form of strong encryption.
- Meter devices do not break TLS encryption.
- All encrypted data on your Meter Network will remain encrypted from source to destination.
Requirement 4: Protect cardholder data with strong cryptography during transmission
- Meter customer data - including card holder data and SAD - does not traverse and is not stored in the Meter cloud at any time.
- Meter networks can be configured with WPA2-PSK, WPA2-Enterprise, WPA3-Personal, and WPA3-Enterprise, each with its own form of strong encryption.
- Meter devices do not break TLS encryption.
- All encrypted data on your Meter Network will remain encrypted from source to destination.
Requirement 5: Protect all systems and networks from malicious software
- Under the ‘shared responsibility model’, customers are responsible for maintaining appropriate anti-malware and anti-phishing solutions on their networks.
- Meter ensures protection of its network components.
Requirement 6: Develop and maintain secure systems and software
- Meter has a robust Secure Development Lifecycle (SDLC) that:
  - is based on industry standards and best practices
  - enforces secure authentication and logging
  - includes information security reviews in each development stage
- Meter Engineering staff are required to be trained at least annually in secure software development topics such as the OWASP Top 10.
- Automated and manual code security and vulnerability tests are performed before Meter software is released into production.
- At Meter, code reviews are performed by staff who are independent of the code author. Management must approve software updates before they are released into production.
- Meter software engineers are trained to prevent the introduction of common security flaws.
- Meter monitors multiple sources for vulnerability information. We employ robust hardware and software auditing controls to identify and address any vulnerabilities in our systems. Identified issues are risk-ranked so that critical and high-risk issues are singled out and addressed accordingly.
- All firmware updates, including those containing critical- or high-severity security patches, are installed within one month of release.
- Meter ensures customers are informed of system changes before they are implemented.
- In the shared security model, it is incumbent upon customers to validate that the PCI controls they manage are still operating as designed after changes have been deployed.
- Non-production and production environments are separated at Meter, requiring different access credentials.
- Meter removes all test data and test accounts before components are promoted to production.
- Meter regularly maintains an inventory of software utilized in its products.
Requirement 7: Restrict access to system components and cardholder data by Business Need to Know
Requirement 8: Identify users and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
- In the shared responsibility model, managing both logical and physical access control in the customer environment is the responsibility of the customer.
- Customer data never traverses the Meter network management plane.
- Meter devices do not break TLS encryption; all encrypted data on your Meter Network will remain encrypted from source to destination.
Requirement 10: Log and monitor all access to system components and cardholder data
- Customer data - including card holder data - remains encrypted and never transits the Meter control plane.
- Meter creates logs that can be used to investigate potential events on the network, including:
  - connection, disconnection
  - authentication attempts
  - bandwidth usage
  - administrator logins
  - configuration changes
- Meter systems are configured to rely upon industry standard time-synchronization technology and sources.
Requirement 11: Test security of systems and networks regularly
- In the shared responsibility model, customers are responsible for penetration testing and for scanning their environments for vulnerabilities.
- Meter performs regular third-party penetration testing of all its critical systems and components.
- The Meter Dashboard provides both the customer and Meter with accurate and up-to-date network diagrams of the entire customer network managed by Meter, including authorized and unauthorized Wi-Fi access points.
- Meter delivers major firmware/software releases quarterly and patch releases monthly or as needed for any critical issues.
- Meter regularly monitors its equipment and customer networks for vulnerabilities.
Requirement 12: Support information security with organizational policies and programs
- While this is a customer responsibility in the shared responsibility model, Meter has clearly documented security and operational policies. Meter collaborates with customer IT management to ensure coordination with the customers' policies and controls.