Guide to PCI DSS – Part 2: Building and Maintaining a Secure Network

February 23, 2021 By Justin Oliver

Welcome to SandStorm IT’s 6-part series about Payment Card Industry Data Security Standard (PCI DSS). In this series, we’ll cover what PCI DSS is and the various requirements:

  • Part 1 – What is PCI DSS?
  • Part 2 – Building and Maintaining a Secure Network
  • Part 3 – Protecting Data (Coming Soon)
  • Part 4 – Further Protection on Systems (Coming Soon)
  • Part 5 – Access Control (Coming Soon)
  • Part 6 – Wrap-up (Coming Soon)

Physical entry into an organization’s premises is no longer required to steal sensitive information. Virtually all theft of sensitive information now occurs electronically. By using network security devices, businesses can help prevent unauthorized access to their customers’ sensitive data.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Any hardware or software that connects two or more networks is in scope for assessment of Requirement 1 if used within the cardholder data environment.


The PCI DSS Quick Reference Guide summarizes the requirements of section 1 as:

  • Establish and implement firewall and router configuration standards that formalize testing whenever configurations change, that identify all connections between the cardholder data environment and other networks (including wireless) with documentation and diagrams, that document business justification and various technical settings for each implementation, that diagram all cardholder data flows across systems and networks, and stipulate a review of configuration rule sets at least every six months.
  • Build firewall and router configurations that restrict all traffic, inbound and outbound, from “untrusted” networks (including wireless) and hosts, and specifically deny all other traffic except for protocols necessary for the cardholder data environment.
  • Prohibit direct public access between the Internet and any system component in the cardholder data environment.
  • Install personal firewall software or equivalent functionality on any devices (including company and/or employee owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the cardholder data environment.


A firewall is important to any business. But notice that there is more to it than just having a firewall installed. You must have documentation and diagrams. You must put standards in place for your firewall configuration. You must have business justifications for your decisions and technical configuration.
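To make the documentation side of Requirement 1 concrete, here is an added example (not code from the original post) that audits a firewall rule-set record for the points above: a business justification on every permit rule, a deny-all rule closing the set, a review within six months, and, borrowing from Requirement 2, no cleartext administrative protocols. The rule-set record format (a dict with `last_reviewed` and `rules`) is a constructed, hypothetical documentation format, not any vendor's configuration syntax.

```python
"""Audit a firewall rule-set record against PCI DSS Requirement 1 documentation points.

Added example, not code from the original post. The record format below is a
constructed, hypothetical documentation format, not a vendor configuration syntax.
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=183)          # "at least every six months"
CLEARTEXT_ADMIN = {23: "telnet", 21: "ftp"}    # non-console admin without strong crypto

# Constructed sample: a small cardholder data environment (CDE) rule set.
SAMPLE_RULESET = {
    "last_reviewed": "2021-01-15",
    "rules": [
        {"action": "permit", "proto": "tcp", "port": 443, "src": "internet",
         "dst": "cde-web", "justification": "Customer checkout over HTTPS"},
        {"action": "permit", "proto": "tcp", "port": 23, "src": "corp-lan",
         "dst": "cde-db", "justification": ""},
        {"action": "permit", "proto": "tcp", "port": 3306, "src": "cde-web",
         "dst": "cde-db", "justification": "Web tier to payment database"},
        {"action": "deny", "proto": "any", "port": "any", "src": "any",
         "dst": "any", "justification": "Default deny of all other traffic"},
    ],
}

def audit_ruleset(ruleset, today_iso):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    today = date.fromisoformat(today_iso)
    reviewed = date.fromisoformat(ruleset["last_reviewed"])
    if today - reviewed > REVIEW_INTERVAL:
        findings.append(f"rule set last reviewed {reviewed}; six-month review overdue")
    rules = ruleset["rules"]
    for n, r in enumerate(rules, 1):
        if r["action"] != "permit":
            continue                         # only permit rules need a justification
        if not r.get("justification", "").strip():
            findings.append(f"rule {n}: permit with no documented business justification")
        if r["proto"] == "tcp" and r["port"] in CLEARTEXT_ADMIN:
            findings.append(f"rule {n}: {CLEARTEXT_ADMIN[r['port']]} permitted; "
                            "non-console admin access must use strong cryptography")
    last = rules[-1] if rules else None      # the set must close with deny any -> any
    if not last or last["action"] != "deny" or last["src"] != "any" or last["dst"] != "any":
        findings.append("rule set does not end with a deny-all rule")
    return findings

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULESET, "2021-02-23"):
        print("FINDING:", finding)
```

Run against the sample, the audit flags the telnet rule twice (no justification, cleartext administration) and passes the review-date and deny-all checks.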

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

You wouldn’t believe how many default passwords we come across. It is one of the easiest ways for an attacker to gain access to your internal network. This is like leaving your door unlocked for anyone willing to try and open it.

  • Always change ALL vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
  • Develop configuration standards for all system components that address all known security vulnerabilities and are consistent with industry-accepted definitions. Update system configuration standards as new vulnerability issues are identified.
  • Using strong cryptography, encrypt all non-console administrative access.
  • Maintain an inventory of system components that are in scope for PCI DSS.


Summary of Requirements 1 & 2

So, how do you meet these requirements? You must develop standards and policies around your firewall and its administration: which rules are permitted, and what business justification supports each of them. Documentation and diagrams are required. Policies and procedures must be implemented to ensure all default passwords are changed and that any configuration you put into place addresses all known vulnerabilities.

Meeting the requirements of PCI DSS is certainly a challenge. You likely need a professional partner, like SandStorm IT, to assist and guide you. If you have any questions or are concerned about your business’s security stance, please call 901-475-0275.
