Welcome to SandStorm IT’s 6-part series about Payment Card Industry Data Security Standard (PCI DSS). In this series, we’ll cover what PCI DSS is and the various requirements:
- Part 1 – What is PCI DSS?
- Part 2- Building and Maintaining a Secure Network (You are here)
- Part 3 – Protecting Data
- Part 4 – Further Protection on Systems (Coming Soon)
- Part 5 – Access Control (Coming Soon)
- Part 6 – Wrap-up (Coming Soon)
No longer is physical entry into an organization’s business required to steal sensitive information. Virtually all theft of sensitive information occurs electronically. By using network security devices, businesses can help prevent access to their customer’s sensitive data.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Any hardware or software that connects two or more networks is in scope for assessment of Requirement 1 if used within the cardholder data environment.
The PCI DSS Quick Reference Guide summarizes requirement of section 1 as:
- Establish and implement firewall and router configuration standards that formalize testing whenever configurations change, that identify all connections between the cardholder data environment and other networks (including wireless) with documentation and diagrams, that document business justification and various technical settings for each implementation, that diagram all cardholder data flows across systems and networks, and stipulate a review of configuration rule sets at least every six months.
- Build firewall and router configurations that restrict all traffic, inbound and outbound, from “untrusted” networks (including wireless) and hosts, and specifically deny all other traffic except for protocols necessary for the cardholder data environment.
- Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- Install personal firewall software or equivalent functionality on any devices (including company and/or employee owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the cardholder data environment.
A firewall is important to any business. But notice that there is more to it than just having a firewall installed. You must have documentation and diagrams. You must put in standards for your firewall configuration. You must have business justifications for your decisions and technical configuration.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
You wouldn’t believe how many default passwords we come across. It is one of the easiest ways for a hacker to gain access to your internal network. This is like leaving your door unlocked to anyone willing to try and open it.
- Always change ALL vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
- Develop configuration standards for all system components that address all known security vulnerabilities and are consistent with industry-accepted definitions. Update system configuration standards as new vulnerability issues are identified.
- Using strong cryptography, encrypt all non-console administrative access.
- Maintain an inventory of system components that are in scope for PCI DSS.
Summary of Requirements 1 & 2.
So, how do you meet these requirements? You must develop standards and policies around your firewall and its administration. What rules are permitted and what business justification supports those rules. Documentation and diagrams are required. Policies and procedures must be implemented to ensure all default passwords are changed and any configuration you put into place addresses all known vulnerabilities.
Meeting the requirements of PCI DSS is certainly a challenge. You likely need a professional partner, like SandStorm IT, to assist and guide you. If you have any questions or are concerned about your business’s security stance, please call 901-475-0275.