The Payment Card Industry Data Security Standard (PCI DSS), consisting of nearly 400 individual controls, is a critical part of security and compliance for any merchant, service provider, or subservice provider who is involved in handling cardholder data. We find that companies considering PCI are often caught off guard by how comprehensive the PCI DSS is. So, we thought we would help!
CompliancePoint’s PCI blog series will analyze each of the 12 Requirement families. We will outline common challenges our customers face with each requirement, answer some frequently asked questions, and finally, we will provide some pro tips.
The first entry into the PCI blog series is Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Stay tuned for new entries every few weeks!
Why is compliance with PCI DSS important (beyond getting certified)?
It’s particularly important to adhere to the PCI Requirement 1 controls because they are the first line of defense against cyber-attacks and data breaches.
Payment brands may, at their discretion, fine an organization’s acquiring bank $5,000 – $100,000 a month for PCI compliance violations that come from the merchants they support. The banks will most likely pass this fine along to the merchant. Furthermore, the bank will either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
The cost of a breach of PCI data is about $220 per data record. Fees include not only additional payments to the bank or card brands in order to continue accepting card payments, but also the cost of hiring a forensics investigation team, providing credit monitoring to affected customers, and the loss of brand trust.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
What does this requirement require at a high level?
- PCI DSS Requirement 1 is essentially about maintaining a secure network, primarily focusing on the firewalls, routers, and switches that manage the traffic allowed to flow in and out of your organization’s network. It’s also about managing the changes made to networking devices in that environment, maintaining the documentation, and maintaining the processes continuously. Lastly, it’s about establishing a DMZ (demilitarized zone) and limiting traffic to only that which is necessary.
Common Challenges & Tips for Success:
- Implement a firewall that can segment the network into three main security areas:
  - Internet access: communication to or from the internet must be limited to the DMZ.
  - Internal network (secure network): all devices that store or process confidential information are connected to this segment. They must never communicate directly with the internet; they can communicate only with the DMZ or with other secure internal networks.
  - DMZ (demilitarized zone): all devices that broker communication between the internet and the internal network are located on this segment.
- Documents to be developed:
  - The network and data flow diagram: should be as detailed as possible and updated with each change.
  - The network change control process: any change to the network must go through a process that controls and authorizes the change.
  - The firewall ruleset review process: the review must verify every configuration of each in-scope device. It is also important to verify that all changes to the firewall were made through the change control procedure and are traceable via the network change control process stated in the previous point.
  - Configuration standard: document the configuration of each firewall parameter that demonstrates PCI DSS compliance.
  - The network policy: this policy guarantees compliance with all the principles on which PCI DSS is based to maintain a secure network.
- Good documentation alone is not enough for compliance.
  - You have to keep evidence of the actions taken and changes made. Keeping good evidence will make the audit easier and will show how and in what form the tasks were completed.
  - When developing procedures, do not forget to identify the evidence that must be generated in each step.
- How do we show evidence that firewalls were reviewed?
  - Firewall reviews can be documented in a change management or service ticketing system to show the dates, personnel involved, and results of the review.
  - Additionally, having a configuration pulled from the firewall, or the rules documented in a spreadsheet, after every review can show the differences and changes to firewall rules from one six-month period to the next.
- How do we prove these controls in the cloud?
  - When it comes to cloud architectures, the different devices and services, and the inherent nature of the virtual private cloud (VPC), can help validate the controls in Requirement 1.
  - The assessor will look at the cloud architecture’s network access control lists (ACLs), security groups, and the route tables for each in-scope subnet to validate that traffic in and out of the network is explicitly authorized for business needs.
- Is network segmentation required?
  - No, network segmentation is not a requirement for PCI.
  - However, without proper network segmentation, your organization’s entire network comes into scope for PCI, because it is not only the systems that store, process, or transmit card data (Tier-1) that are in scope, but also the Connect-To systems (Tier-2) that potentially have access to communicate with Tier-1 devices.
  - Tier-2 devices are in scope because if a network is breached, an attacker can pivot into systems that touch card data and therefore affect the security of that data.
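As an added example (not from the original post), the check below encodes the three-zone model above as an allow-list of zone pairs and diffs two ruleset snapshots, which is the kind of evidence the six-month review is meant to produce. The `Rule` shape, the zone names, and the two snapshots are constructed assumptions, not a vendor's export format.

```python
# Added example (not from the original post): a small ruleset review helper that
# checks a constructed firewall ruleset against the three-zone model and diffs
# two review snapshots. Zone names and the Rule format are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # zone: "internet", "dmz" or "internal"
    dst: str
    port: int     # 0 = any port
    action: str   # "allow" or "deny"


# Zone pairs that the three-zone model permits for "allow" rules: the internet
# talks only to the DMZ, and the internal network talks only to the DMZ (or to
# other internal segments), never directly to the internet.
ALLOWED_PAIRS = {
    ("internet", "dmz"), ("dmz", "internet"),
    ("dmz", "internal"), ("internal", "dmz"),
    ("internal", "internal"),
}


def segmentation_violations(rules):
    """Return allow rules whose zone pair breaks the three-zone model."""
    return [r for r in rules
            if r.action == "allow" and (r.src, r.dst) not in ALLOWED_PAIRS]


def ruleset_diff(previous, current):
    """Rules added and removed between two review snapshots (review evidence)."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev, key=str), sorted(prev - cur, key=str)


# Constructed snapshots for illustration: the January ruleset is clean; the July
# one contains an undocumented rule that lets the internet bypass the DMZ.
REVIEW_JAN = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "internal", 5432, "allow"),
    Rule("internal", "internet", 0, "deny"),
]
REVIEW_JUL = REVIEW_JAN[:2] + [
    Rule("internet", "internal", 22, "allow"),
    Rule("internal", "internet", 0, "deny"),
]

if __name__ == "__main__":
    added, removed = ruleset_diff(REVIEW_JAN, REVIEW_JUL)
    print("added since last review:", added)
    print("removed since last review:", removed)
    for r in segmentation_violations(REVIEW_JUL):
        print("segmentation violation:", r)
```

Every entry in `added` should map to an approved ticket in the change control process; anything that does not is the finding to record.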
The goal of the PCI DSS is to protect the networks and environments that store, process, or transmit cardholder data. Protecting an organization’s network(s) starts with ensuring that the traffic and data flowing in and out of the environment are explicitly allowed and required in order to run the revenue-driving services for your organization. For those considering going down the path of PCI compliance, understanding and documenting all the connections flowing through your organization should be step one.