In our previous blog post, Surviving the Year of the Hack, we noted that many technology pundits had dubbed 2014 “the year of the hack,” citing Target and Neiman-Marcus as high-profile victims of data breaches. Since then, JPMorgan Chase, eBay, P.F. Chang’s and Goodwill Industries International have joined the list of organizations that have been breached. In most cases, these companies were not in full compliance with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the breach.
A lack of manpower and resources is often the biggest obstacle for organizations striving to achieve PCI compliance. A dedicated compliant hosting solutions provider can help organizations create and deploy effective, defensible PCI compliance programs. In the meantime, here are six key components you can address under Requirement 1, “Install and maintain a firewall configuration to protect cardholder data,” to help you establish a high standard for security and PCI compliance.
1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.
Auditors require organizations to demonstrate that they have a clearly defined, enforceable change process for firewall policies. During an audit, they may ask to see a change report and the accompanying audit trail: who requested each rule change, who approved it, when it was tested and when it went live. If your change process is hastily scribbled on a whiteboard, take the time to create a formal, automated change process.
1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols or ports include, but are not limited to, FTP, Telnet, POP3, IMAP and SNMP.
Here, the auditor is focusing on three questions:
- Which connections are required for business?
- Is your firewall allowing only the connections that are required for business?
- If any of those connections use an insecure service, what compensating controls are in place?
Most organizations don’t have an up-to-date list of the services that are required for business. If you fall into that category, take the time to list each service, protocol and port, the business reason it is open, and, for the insecure ones, the security feature that compensates for it (for example, SNMPv3 with authentication and encryption in place of SNMPv1/v2c, or SFTP in place of FTP). Be sure you can justify each entry from a security perspective.
1.1.6: Requirement to review firewall and router rule sets at least every six months.
Have a report that shows the rule sets were reviewed, that any questionable rules identified during the last review have been addressed, and that every rule change since the last review went through the change process. Approximately one-third of companies fail to provide the required documentation because of poor processes, which is yet another reason to establish them.
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
Here the auditor is looking for a set of rules that permit specific PCI services (the approved, known protocols and ports used by the PCI servers) followed by an explicit drop rule for all other traffic; relying on an implicit default deny is harder to demonstrate. It is important to make sure you’re on the same page as the auditor regarding what counts as a PCI service and which zones make up the PCI environment. Be ready to prove that your organization has an active alerting mechanism that detects non-compliant rule changes so they can be reverted.
1.3.2 Limit inbound internet traffic to IP addresses within the DMZ (demilitarized zone)
Once again, be sure your definitions of Internet traffic and of the accessible IP addresses within the DMZ align with the auditor’s. Did we mention that an active alerting mechanism that flags unauthorized traffic is essential here as well?
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
Make sure you can properly define the “Internet” and “cardholder data environment” zones, and that the auditor agrees with your definitions. The next step is to prove that no rule permits a direct path, inbound or outbound, between the two.
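As an added example (constructed for this post, not HOSTING’s tooling or anything from the standard itself), here is a small Python script that runs the checks behind 1.1.5, 1.1.6, 1.2.1, 1.3.2 and 1.3.3 over a firewall rule set. The rule format, the zone labels (“internet”, “dmz”, “cde”, “corp”, “any”), the 182-day reading of “every six months” and the sample rule set are all assumptions chosen for illustration; a real review would export the rules from the firewall and map its address objects onto these zones first.

```python
"""Rule-set review helper for PCI DSS Requirement 1 (constructed example).

Assumptions: rules are expressed between named zones, "any" as a zone
includes the Internet, and "insecure" means the services 1.1.5 lists.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Services 1.1.5 names as insecure; allowing one needs a documented justification.
INSECURE_SERVICES = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP", 161: "SNMP"}

# Our reading of "at least every six months" (1.1.6); the number is an assumption.
REVIEW_INTERVAL_DAYS = 182


@dataclass
class Rule:
    name: str
    src: str                 # zone: "internet", "dmz", "cde", "corp" or "any"
    dst: str
    proto: str               # "tcp", "udp" or "any"
    port: Optional[int]      # None means any port
    action: str              # "allow" or "deny"
    justification: str = ""  # business justification / compensating control


def _is_catch_all_deny(r: Rule) -> bool:
    return (r.action == "deny" and r.src == "any" and r.dst == "any"
            and r.proto == "any" and r.port is None)


def review_rules(rules: List[Rule]) -> List[str]:
    """Return one finding string per problem, tagged with the requirement it maps to."""
    findings = []
    seen_catch_all = False
    for r in rules:
        if r.action == "deny":
            seen_catch_all = seen_catch_all or _is_catch_all_deny(r)
            continue
        if seen_catch_all:  # an allow rule below the final drop can never match
            findings.append(f"{r.name}: sits below the catch-all deny and can never match")
            continue
        src_is_internet = r.src in ("internet", "any")
        dst_is_internet = r.dst in ("internet", "any")

        # 1.1.5: insecure service allowed without a documented justification
        if r.port in INSECURE_SERVICES and not r.justification.strip():
            findings.append(f"{r.name}: allows {INSECURE_SERVICES[r.port]} "
                            f"({r.port}/{r.proto}) with no documented justification (1.1.5)")
        # 1.2.1: an allow rule must name a service; any-protocol/any-port is not "necessary"
        if r.port is None and r.proto == "any":
            findings.append(f"{r.name}: allows any protocol/port from {r.src} to {r.dst} (1.2.1)")
        # 1.3.3: no direct path, in either direction, between the Internet and the CDE
        if (src_is_internet and r.dst == "cde") or (r.src == "cde" and dst_is_internet):
            findings.append(f"{r.name}: direct {r.src} -> {r.dst} path between Internet and CDE (1.3.3)")
        # 1.3.2: anything else arriving from the Internet must terminate in the DMZ
        elif r.src == "internet" and r.dst != "dmz":
            findings.append(f"{r.name}: inbound Internet traffic to {r.dst}, not the DMZ (1.3.2)")

    # 1.2.1: the set must end with an explicit any/any drop, not an implicit default
    if not rules or not _is_catch_all_deny(rules[-1]):
        findings.append("rule set does not end with an explicit any/any deny (1.2.1)")
    return findings


def review_overdue(last_reviewed: str, today: str) -> bool:
    """1.1.6: True when the last documented rule-set review (ISO date) is older than the interval."""
    return (date.fromisoformat(today) - date.fromisoformat(last_reviewed)).days > REVIEW_INTERVAL_DAYS


# Constructed sample rule set; the names and ports are made up for this example.
SAMPLE_RULES = [
    Rule("web-in", "internet", "dmz", "tcp", 443, "allow", "Public storefront"),
    Rule("ftp-in", "internet", "dmz", "tcp", 21, "allow"),               # insecure, unjustified
    Rule("app-to-db", "dmz", "cde", "tcp", 5432, "allow", "App tier to card DB"),
    Rule("db-updates", "cde", "internet", "tcp", 80, "allow", "OS patches"),  # CDE straight out
    Rule("admin-telnet", "corp", "cde", "tcp", 23, "allow",
         "Legacy console; carried inside an IPsec tunnel (change ticket on file)"),
    Rule("mgmt-any", "any", "cde", "any", None, "allow"),                 # too broad, reaches CDE
    Rule("default-deny", "any", "any", "any", None, "deny"),
]


if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding)
    print("review overdue:", review_overdue("2014-01-15", "2014-09-01"))
```

Run against the sample set, the script flags the unjustified FTP rule, the CDE-to-Internet patch rule, and the any/any management rule twice (once for breadth, once for reaching the CDE), while the justified Telnet rule passes and the trailing explicit deny satisfies the 1.2.1 check. The zone mapping is the whole game: the definitions of “Internet”, “DMZ” and “cardholder data environment” you agree with the auditor are exactly the labels this script trusts.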
Yes, there are several more components to Requirement 1. And a compliant hosting solutions provider such as HOSTING can help you check off all of them. If you need help navigating the PCI compliance requirements, contact us today. Our dedicated, in-house team of compliance experts stands ready to help.