PCI DSS stands for Payment Card Industry Data Security Standard. It is the security standard that sets out the controls a business that stores, processes, or transmits payment card data is obliged to implement to protect that data.
This involves many layers of security, from encrypting remote connections (for example with a VPN such as NordVPN) to installing and maintaining a firewall. You also need to document everything properly; if you don’t, you could face large fines should a data breach occur.
Below, I will take you through some of the main requirements. This will help you understand the comprehensive security plan you need to establish and implement. It is by no means an exhaustive list; it covers only some of the main areas, so please refer to the full PCI DSS standard.
PCI DSS Requirement – Install & Maintain A Firewall Configuration
The PCI DSS outlines numerous requirements that all merchants must follow in order to ensure compliance. The first step is to protect cardholder data by installing and maintaining a firewall configuration. We are going to talk you through what this entails and how our service helps.
This requirement is one of the most technically demanding in the PCI DSS. Installing and maintaining a firewall configuration may sound simple on the surface, but there is a lot entailed in it, as you will discover below.
What does PCI expect when it comes to installing and maintaining a firewall configuration?
The first thing you need to do is establish and install router and firewall configuration standards, which must consist of all of the following:
- A formal procedure for the testing and approval of all network connections and alterations to router and firewall configurations.
- A diagram that identifies all networks, network devices, and systems components. This diagram must include connections between the Cardholder Data Environment (CDE) and all other networks, with wireless networks included.
- You also need a diagram that shows cardholder data flows across all of your networks and systems.
- For each Internet connection, there must be a firewall. This also applies between any demilitarised zone (DMZ) and the internal network zone.
- To manage network components, you need a description of all groups, roles, and responsibilities.
- Business justification and documentation are required for every permitted service, port, and protocol, together with the security measures applied to any insecure protocol that is allowed.
- You must review all router and firewall rule sets at least every six months.
Understanding this requirement:
What you must recognize is that both routers and firewalls play a crucial role at network entry and exit points. They grant authorized network access and block unwanted access, which is why it is imperative to have them implemented and correctly configured. The seven points above are essentially PCI’s guidelines for making sure this first line of defense is as strong as it needs to be.
So, let’s take a look at how to implement each of them:
- Formal testing/approval process – This is vital because it prevents security problems caused by misconfiguration of the network, firewall, or router. Ensure that only authorized, authenticated users can make changes, and that every change is recorded and retained.
- Diagram identifying networks, network devices & systems components – These diagrams describe the network configuration and can be used to locate every network device. Without one, devices may be unknowingly left out of security controls, which poses a severe risk. Keep the diagram current; generating it from network discovery data rather than by hand makes that easier.
- Cardholder data flow diagram – This identifies the location of all cardholder data within the network. This allows you to manage data more effectively.
- Firewalls for all Internet connections – This reduces the chances of a malicious individual getting into your network via an unprotected network because access is monitored and controlled more effectively. Ensure a PCI compliant firewall is installed for each Internet connection, as well as between any DMZ and the internal network zone.
- Description of all groups, roles, and responsibilities – This ensures that all personnel are aware of who is responsible for what. These roles can be managed via a centralized management system.
- Documentation and business justification for all permitted services, ports, and protocols – This allows you to remove or disable all other protocols, ports, or services.
- Review router and firewall ruleset every six months – Rules accumulate and business needs change; a six-monthly review confirms that every rule is still needed and justified, and removes those that are not.
You must also build router and firewall configurations that restrict connections between untrusted networks and any system component in the CDE. This involves:
- Inbound and outbound traffic must be restricted to that which is necessary for the Cardholder Data Environment. All other traffic must be explicitly denied.
- Router configuration files must be secured and synchronized.
- Control traffic by installing perimeter firewalls between the CDE and all wireless networks. Configure these firewalls to permit authorized traffic only between the CDE and wireless environment.
Understanding this requirement:
Step two involves achieving the correct firewall configuration so that it functions correctly and controls network traffic in a safe and effective manner. You need to ensure that network protection is installed between the internal, trusted network and any external, untrusted networks. If you don’t do this, you are vulnerable to an attack.
- Restrict inbound and outbound traffic – This is necessary to ensure attackers cannot gain access to your network through services, ports, or protocols used in an unauthorized manner, or from unauthorized IP addresses. Achieve this with a default-deny policy for the CDE: every permitted flow (for example, the connection to your payment processor) is an explicit, documented rule, and anything not matched is dropped.
- Secure and synchronize router configuration files – Start-up configuration files are often overlooked due to their infrequent use. However, if they are not updated with the same secure settings, then a cybercriminal may find a way in.
- Install perimeter firewalls between all wireless networks and the CDE – Malicious individuals often exploit wireless technology to access card details. This is why firewalls are needed to restrict access from wireless networks to the Cardholder Data Environment.
Direct public access between any CDE system components and the Internet must be prohibited. To do this, you must:
- Inbound traffic must be limited to system components that provide authorized, publicly accessible services, protocols, and ports. Implement a DMZ to achieve this.
- Inbound Internet traffic must be limited to IP addresses within the DMZ.
- Direct connections between the CDE and the Internet, whether inbound or outbound, must be prohibited.
- Forged source IP addresses must be detected and blocked so that they cannot enter the network. Implement anti-spoofing measures to achieve this.
- Unauthorized outbound traffic from the CDE to the Internet must not be allowed.
- Only ‘established’ connections should be allowed into the network.
- Any system components that store cardholder data must be segregated from the DMZ and other untrusted networks and placed in an internal network zone.
- Private IP addresses and routing information must not be disclosed to unauthorized parties.
Understanding this requirement:
The previous two steps have focused on the protection firewalls provide between public systems and the CDE. All of that is undermined if you allow direct access between public systems and the CDE.
- Implement a DMZ – This manages connections between the Internet and the services a business needs to make available to the public, and stops attackers using those services as a route into the internal network. Limit traffic into and out of the DMZ to what each published service actually needs.
- Limit inbound traffic to IP addresses in the DMZ – Internet-facing services live only in the DMZ, so any new inbound connection to an address outside it can be dropped at the perimeter.
- Prohibit direct connections between the Internet and the CDE – This stops unfiltered access between trusted and untrusted environments in either direction. If an attacker does obtain sensitive information, they are unable to send it from your network straight to an external server. Deny all traffic between the CDE and the Internet, and route what is genuinely needed (such as payment authorizations) through explicitly permitted, documented paths.
- Implement anti-spoofing measures – Attackers often forge a source IP address so that traffic appears to come from your own network. Filter out packets that arrive on an external interface carrying an internal source address.
- Prohibit unauthorized outbound traffic from the CDE to the Internet – You must control traffic so that only authorized communications are allowed. Default-deny outbound from the CDE, then add explicit rules only for documented destinations such as your payment processor.
- Only allow established connections into the network – You need a firewall that performs stateful packet inspection. It tracks the state of each connection through the firewall, so it knows whether an inbound packet is a legitimate reply to a connection it has already accepted or an attempt to trick the firewall into letting a new connection in.
- Segregate system components that store cardholder data from the DMZ – If cardholder information is stored within the DMZ, there are fewer layers for an attacker to penetrate, which makes it easier for them to gain access. Cardholder data needs to sit in a segregated internal network zone.
- Do not disclose private IP addresses and routing information to unauthorized parties – If an attacker learns your internal addressing scheme, it becomes much easier to target systems inside your network. Use Network Address Translation (NAT) so that internal addresses are never seen from outside, place systems holding cardholder data behind proxies or firewalls, and remove or filter route advertisements for your private networks. Any disclosure of internal addresses to an external party should be authorized by an administrator and documented.
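To make the rules in the last three lists concrete (restrict traffic to what the CDE needs, a DMZ for public services, no direct Internet-to-CDE connections, anti-spoofing, established-only inbound, controlled outbound), here is an added example that is not taken from the PCI DSS or from the original article: a small Python model that evaluates constructed packets against a default-deny policy built from those rules. The zones, address ranges (RFC 5737 documentation space standing in for public addresses), hosts and ports are all assumptions for illustration; a real deployment would express the same policy in the firewall’s own rule language.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed zones on the perimeter firewall.
WAN, DMZ, CDE = "wan", "dmz", "cde"

# Assumed address plan. RFC 5737 documentation ranges stand in for public addresses.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")               # Internet-facing DMZ
CDE_NET = ipaddress.ip_network("10.10.0.0/24")               # cardholder data environment (RFC 1918)
PAYMENT_PROCESSOR = ipaddress.ip_network("198.51.100.0/24")  # hypothetical acquirer endpoints
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WEB_SERVER = ipaddress.ip_address("192.0.2.10")   # the only DMZ host that publishes a service
PAYMENT_APP = ipaddress.ip_address("10.10.0.20")  # the CDE host the web tier is allowed to reach


@dataclass(frozen=True)
class Packet:
    iface: str         # zone the packet arrived on
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    established: bool  # True if the connection is already in the state table (reply traffic)


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def evaluate(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason). Rules are ordered, first match wins, and the final rule is deny-all."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)

    # Anti-spoofing: nothing arriving from the Internet may carry an internal or DMZ source address.
    if pkt.iface == WAN and _in_any(pkt.src, RFC1918 + [DMZ_NET]):
        return "DROP", "anti-spoofing: internal source address on external interface"

    # Stateful inspection: replies belonging to a connection the firewall already accepted are allowed.
    # (A connection only gets into the state table if its first packet passed the rules below.)
    if pkt.established:
        return "ACCEPT", "established connection"

    # New inbound Internet connections: only to a DMZ address that publishes a justified service.
    if pkt.iface == WAN:
        if dst == WEB_SERVER and pkt.proto == "tcp" and pkt.dport == 443:
            return "ACCEPT", "public HTTPS service in the DMZ"
        if dst in CDE_NET:
            return "DROP", "direct Internet-to-CDE connection prohibited"
        return "DROP", "inbound Internet traffic not to a published DMZ service"

    # DMZ web tier may reach one CDE host on one documented port; nothing else crosses into the CDE.
    if pkt.iface == DMZ:
        if src == WEB_SERVER and dst == PAYMENT_APP and pkt.proto == "tcp" and pkt.dport == 8443:
            return "ACCEPT", "web tier to payment application"
        if dst in CDE_NET:
            return "DROP", "unjustified DMZ-to-CDE traffic"

    # Outbound from the CDE: only the documented payment processor, never the open Internet.
    if pkt.iface == CDE:
        if dst in PAYMENT_PROCESSOR and pkt.proto == "tcp" and pkt.dport == 443:
            return "ACCEPT", "authorized outbound to payment processor"
        return "DROP", "unauthorized outbound from CDE"

    return "DROP", "default deny"


# Constructed sample traffic (not captured from any real network).
SAMPLES = [
    Packet(WAN, "203.0.113.5", "192.0.2.10", "tcp", 443, False),    # customer -> DMZ web server
    Packet(WAN, "203.0.113.5", "10.10.0.20", "tcp", 8443, False),   # customer -> CDE host directly
    Packet(WAN, "10.10.0.99", "192.0.2.10", "tcp", 443, False),     # spoofed internal source
    Packet(CDE, "10.10.0.20", "198.51.100.7", "tcp", 443, False),   # CDE -> payment processor
    Packet(CDE, "10.10.0.20", "203.0.113.80", "tcp", 443, False),   # CDE -> arbitrary Internet host
    Packet(WAN, "198.51.100.7", "10.10.0.20", "tcp", 51234, True),  # processor reply, in state table
    Packet(DMZ, "192.0.2.10", "10.10.0.20", "tcp", 8443, False),    # web tier -> payment application
    Packet(DMZ, "192.0.2.10", "10.10.0.20", "tcp", 22, False),      # web tier -> SSH into the CDE
]


def verdicts() -> list[str]:
    return [evaluate(p)[0] for p in SAMPLES]


if __name__ == "__main__":
    for p in SAMPLES:
        verdict, why = evaluate(p)
        print(f"{verdict:<6} {p.iface:>3} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport:<5} {why}")
```

Running it prints a verdict and the rule that decided it for each sample packet. The ordering matters: the anti-spoofing check sits before the stateful-inspection shortcut so a forged internal address can never ride in as a ‘reply’, and the final rule is an unconditional drop, which is what denying all other traffic means in practice. The six-monthly ruleset review from the first requirement then becomes a question of whether each ACCEPT line still has a documented business justification.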
Personal firewall software (or equivalent functionality) must be installed on any portable computing device, whether company-owned or employee-owned, that connects to the Internet when outside the network and is also used to access the CDE.
Understanding this requirement:
A personal firewall is needed to protect mobile and employee-owned devices from Internet-based attacks. This is imperative because such devices are more susceptible to compromise when they are outside the corporate firewall, which makes them prime targets. If your employees use their laptops for work and connect from outside the network, it is your responsibility to ensure they have personal firewall software installed and that users cannot disable it.
Operational procedures and security policies for managing firewalls must be documented and known to all parties that are affected.
Understanding this requirement:
To ensure you continue to prevent unauthorized network access you must manage the policies and procedures that are in place in regards to firewalls and routers, ensuring they are well documented and updated.
PCI DSS Requirement – Don’t use vendor-supplied defaults for system passwords & additional security parameters
To achieve PCI DSS compliance, Requirement 2 states that you must change every vendor-supplied default, without exception. This applies to all default passwords, including those used by point-of-sale (POS) terminals, application accounts, operating systems, network devices, and more.
What does PCI expect when it comes to avoiding all vendor-supplied defaults?
As already briefly touched upon, you need to ensure you change vendor-supplied defaults, and you must disable or remove any unrequired default accounts. There are no exceptions to this rule – each and every password and security parameter must be changed.
When it comes to all wireless environments that transmit cardholder information or connect to the cardholder data environment (CDE), you must alter all wireless vendor defaults at installation. This includes the likes of default SNMP community strings, passwords, and wireless encryption keys.
Understanding this requirement:
Default settings are often published and well known in hacker communities. This makes your system more vulnerable, as malicious individuals could easily gain access through using default passwords, account names, settings, and such like, and, therefore, by changing all defaults you effectively restrict access.
Changing all wireless vendor defaults is vital because if you fail to do so, an attacker can easily join your network and attack it. Many wireless networks are deployed without adequate security configuration, which gives attackers the opportunity to capture data and passwords by eavesdropping on traffic.
The next requirement involves the development of configuration standards for all of your system components. All known security vulnerabilities must be addressed, and they must be consistent with industry-accepted system hardening standards. To do this, you must follow the steps below:
- Each server must implement only one primary function. This ensures that functions requiring different security levels do not coexist on the same server.
- Only protocols and services that are necessary for the function of the system must be enabled.
- For any required protocols or services that are considered insecure, you must implement added security features.
- Prevent misuse through the configuration of system security parameters.
- Unnecessary functionality must be removed, including the likes of unnecessary web servers, file systems, subsystems, features, drivers, and scripts.
Understanding this requirement:
PCI has implemented this requirement to combat the many known weaknesses that come with enterprise applications, databases, and operating systems. While there are vulnerabilities, there are also ways of fixing them, and the five points above are provided to ensure your business deals with any weaknesses in its systems.
So, let’s take a look at the five points mentioned here:
- Implement one primary function per server – If two functions with different security requirements are hosted on the same server, the more sensitive one ends up protected only to the level appropriate for the less sensitive one: every service, account, and open port the lower-security function needs is also exposed on the host of the higher-security function.
- Enable necessary protocols and services only – Many protocols give attackers an easy route to compromise a network. PCI therefore requires that businesses enable only the protocols and services that are necessary, which reduces the attack surface.
- Implement added security features for insecure protocols and services – Where an insecure service or protocol (such as Telnet, FTP, or file sharing) is genuinely required, add compensating controls, for example tunnelling it over an encrypted channel such as SSH, TLS, or an IPsec VPN, or restricting it to specific source addresses. Apply these before a new server is deployed so that it never runs with an insecure baseline, and attackers cannot capitalize on commonly exploited points of compromise.
- Configure system security parameters – This is pivotal to avoid misuse, and you can achieve this through a variety of methods, including role-based authorization, template-based firewall rules, and secure audit logs.
- Remove unnecessary functionality – This requirement ensures that malicious individuals do not have any added opportunities to compromise your system.
You must use strong cryptography to encrypt all non-console administrative access.
Understanding this requirement:
Without encrypted communications and secure authentication, an attacker who can observe the traffic could capture administrative credentials, use them to become an administrator, and ultimately steal data. Clear-text protocols such as Telnet and HTTP must not be used for administration; use SSH, TLS, or a VPN instead.
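The following is an added example, not part of the original article or any vendor’s tooling: a Python check that scans a device configuration for the vendor defaults, unnecessary services, clear-text administrative access and weak crypto covered by the requirements above (default SNMP community strings and passwords, Telnet on the management lines, an unneeded plain-HTTP server, SSH version 1). The configuration text and its command syntax are constructed for the example in the style of a common router CLI, and the hardened counterpart uses placeholder values where an operator would supply real secrets.

```python
from __future__ import annotations

import re

# Constructed sample device configuration, loosely in the style of a common router CLI.
# It is deliberately full of the defaults and insecure services the requirement tells you to remove.
WEAK_CONFIG = """\
hostname cde-edge-rtr
snmp-server community public RO
snmp-server community private RW
enable password cisco
username admin password admin
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 password cisco
ip ssh version 1
"""

# The same device after hardening: defaults replaced, clear-text administration removed,
# the unnecessary service disabled. Credential values are placeholders for operator-chosen secrets.
HARDENED_CONFIG = """\
hostname cde-edge-rtr
snmp-server community Rq7v-operator-chosen-string RO
enable secret REPLACE-WITH-OPERATOR-HASH
username netops secret REPLACE-WITH-OPERATOR-HASH
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
 login local
ip ssh version 2
"""

# Values that ship as defaults or appear in every default-credential list.
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_PASSWORDS = {"admin", "cisco", "password", "default", "changeme"}

# (finding name, pattern applied to each stripped line, predicate on the match)
CHECKS = [
    ("default-snmp-community",
     re.compile(r"snmp-server community (\S+)"),
     lambda m: m.group(1).lower() in DEFAULT_COMMUNITIES),
    ("default-password",
     re.compile(r"(?:enable password|username \S+ password|password) (\S+)$"),
     lambda m: m.group(1).lower() in DEFAULT_PASSWORDS),
    ("clear-text-admin-access",
     re.compile(r"transport input .*\btelnet\b"),
     lambda m: True),
    ("unnecessary-insecure-service",
     re.compile(r"^ip http server$"),
     lambda m: True),
    ("weak-crypto-for-admin-access",
     re.compile(r"^ip ssh version 1$"),
     lambda m: True),
]


def audit(config_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding, offending line) for every check that fires."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        for name, pattern, is_bad in CHECKS:
            m = pattern.match(line)
            if m and is_bad(m):
                findings.append((lineno, name, line))
    return findings


if __name__ == "__main__":
    for lineno, name, line in audit(WEAK_CONFIG):
        print(f"line {lineno:>2}: {name:<30} {line}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the weak configuration it reports eight findings across all five categories; against the hardened one it reports none. A check like this belongs in the change-approval step of the first requirement, so that a configuration which reintroduces a default or a clear-text management protocol is caught before it is pushed to a device.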
This step requires you to maintain an inventory of system components. This must include all components that are in the PCI DSS scope.
Understanding this requirement:
If you do not adhere to this requirement, you may forget system components, and, therefore, they may be excluded from your configuration standards.
Document all operational procedures and security policies for managing vendor defaults, as well as other security parameters.
Understanding this requirement:
This requirement has been designed to prevent insecure configurations by ensuring that all personnel follow the daily operating procedures and security policies that are in place.
Shared hosting providers must protect each entity’s cardholder data and hosted environment.
Understanding this requirement:
If multiple clients are hosted on the same server via a hosting provider, then one client may compromise another’s data by adding insecure scripts and functions. This requirement is designed to combat this.
PCI DSS Requirement – The transmission of cardholder data must be encrypted across all open, public networks
This section of the PCI DSS requirements is designed to ensure you have strong encryption controls in place whenever cardholder data is transmitted. This is designed to stop cybercriminals from intercepting or diverting data when it is in transit.
To safeguard cardholder data while in transit over open, public networks, you must use security protocols and strong cryptography. Some common examples of open, public networks include satellite communications, wireless technologies, and the Internet.
Moreover, to ensure the implementation of strong encryption for transmission and authentication, you need to use the best industry practices when wireless networks are either connected to the cardholder data environment (CDE) or transmitting cardholder data.
Understanding this requirement:
This requirement is imperative because data in transit over open, public networks is vulnerable to interception by malicious individuals.
The wireless clause is essential because attackers often eavesdrop on wireless communications using tools that are free and widely available. Following industry best practices for wireless encryption and authentication stops this from occurring.
You should never use end-user messaging technologies to send unprotected PANs. Prime examples of end-user messaging technologies include instant messaging and e-mail.
Understanding this requirement:
This requirement has been put in place because end-user messaging technologies can be intercepted with ease. Make sure these tools are not used to send a PAN; if such a channel is unavoidable, the PAN must be rendered unreadable with strong cryptography before it is sent.
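As an added example, not from the original article, the following Python code shows the kind of outbound check a mail or chat gateway can apply to enforce this requirement: candidate numbers are extracted, the Luhn check discards order and ticket numbers that merely look like card numbers, and anything that survives is reported and masked. The messages are constructed for the example and use the publicly documented test card numbers rather than real accounts.

```python
from __future__ import annotations

import re

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit string of every Luhn-valid 13-19 digit number in the text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS 3.2.1 permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form; leave other numbers alone."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE.sub(repl, text)


# Constructed sample messages. The card numbers are the widely published test numbers
# 4111 1111 1111 1111 and 5500 0000 0000 0004, not real accounts.
MESSAGES = [
    "Hi, please charge card 4111 1111 1111 1111 exp 12/29 for order 1234567890123456",
    "Ticket 20240115 opened; no card details included",
    "Customer read out 5500-0000-0000-0004 over the phone",
]


def screen_outbound(messages: list[str]) -> list[tuple[int, list[str]]]:
    """Index and PANs of every message that must not leave via e-mail or chat as written."""
    return [(i, find_pans(m)) for i, m in enumerate(messages) if find_pans(m)]


if __name__ == "__main__":
    for i, pans in screen_outbound(MESSAGES):
        print(f"message {i}: blocked, contains {[mask(p) for p in pans]}")
        print("  redacted:", redact(MESSAGES[i]))
```

The 16-digit order number in the first message is a candidate by length but fails the Luhn check, so only the card number is flagged, which keeps false positives on invoices and ticket references low. Whether to block the message outright or deliver the redacted form is a policy decision; either way the unprotected PAN never leaves.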
Document all operational procedures and security policies for encrypting transmissions of cardholder data. Ensure that these procedures and policies are known to everyone that is impacted by them.
Understanding this requirement:
This requirement is imperative to ensure continual effective management of the secure transmission of cardholder data.
PCI DSS Requirement – Develop and maintain secure applications and systems
PCI DSS compliance is a continual process, and this requirement involves the development and maintenance of secure applications and systems. The purpose of this is to make sure you are kept up to date with any vulnerabilities that could have an impact on your environment and pose potential problems. From security checks to updates, there are many ways to fulfill your obligations.
The first step involved when achieving this PCI DSS requirement is establishing processes for the identification of any security vulnerabilities. To do this, a risk ranking system must be put in place for any newly discovered vulnerabilities, which will be dependent on your risk assessment strategy and environment.
Understanding this requirement:
This requirement has been established because your organization will be exposed to new vulnerabilities if you do not keep up with them as they are disclosed. Subscribe to vendor and industry vulnerability alert sources and check them regularly (weekly at a minimum) so that any new vulnerability affecting your environment is picked up promptly and ranked by risk.
Install vendor-supplied security patches to protect all software and systems from known vulnerabilities.
Understanding this requirement:
One of the biggest threats to businesses is the continual stream of attacks using exploits that are broadly published. Step two is therefore devised to ensure that malicious individuals cannot use those exploits to disable or attack your systems. Install vendor security patches promptly; PCI DSS requires critical patches to be applied within one month of release, and the remaining patches within a reasonable period after that.
All external and internal software applications must be developed securely. This requirement is broken up into a number of steps –
- Before applications are released to customers or become active, you must remove passwords, user IDs, custom application accounts, development application accounts, and test application accounts.
- Prior to release, review the custom code to identify any possible coding vulnerabilities.
Understanding this requirement:
This requirement has been put into place because security vulnerabilities can be introduced, maliciously or inadvertently, if security is not included during the requirements definition, design, analysis, and testing phases of software development. Let’s take a look at steps ‘a’ and ‘b’ in further detail below.
- Remove passwords, user IDs, custom application accounts, development application accounts, and test application accounts – These accounts and credentials are known to developers and testers and are often weak or shared; left in place, they give an attacker a ready-made way into the live application.
- Review the custom code to identify any possible coding vulnerabilities – This step is important because malicious individuals often exploit security vulnerabilities in custom code in order to gain access to a network and compromise data.
When changes to system components are made, you must follow change control procedures and processes, which are outlined in the steps below:
- Access controls must be used to separate test/development environments from production environments.
- Duties must be separated between production environments and test/development environments.
- You should not utilize live PANs/production data for development or testing.
- Before production systems become active, you must remove test accounts and data.
- For software modifications and the implementation of security patches, you must follow change control procedures that cover the following:
  - Documentation of the impact.
  - Documented approval of the change by authorized parties.
  - Functionality testing to verify that the change does not adversely affect the security of the system.
  - Back-out procedures.
Understanding this requirement:
This part of PCI compliance is imperative because all of the following could occur if change controls are not implemented and documented correctly – malicious code could be introduced, processing irregularities could appear, and security features could either be rendered inoperable, deliberately omitted, or inadvertently omitted. Let’s take a look at the steps mentioned above in more detail:
- Separate test/development environments from production environments – This is necessary because development and test environments are not usually as secure as production environments.
- Separate duties between production environments and test/development environments – This step will minimize risk because access to the CDE and production environment will be restricted.
- Don’t use live PANs/production data for development or testing – This is crucial because live PANs could give cybercriminals a way in since security controls do not tend to be as rigorous in development or test environments.
- Before production systems become active, remove test accounts and data – If you don’t remove test data and accounts, you may give away information about the application or system’s functioning.
- For software modifications and the implementation of security patches, follow change control procedures – Security issues arise when security patches and software modifications are not managed properly; documented impact, approval, testing, and back-out steps keep each change controlled and reversible.