PCI DSS Implementation Guide
3 The 12 requirements of PCI DSS

PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. These requirements are broken down into 12 areas and we will consider each one in turn.
3.1 Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Relevant Toolkit Documents:
• Network Security Policy
• Configuration Standard
• Network Diagram Example
• Cardholder Data Flow Diagram Example
• Mobile Device Policy
• Information Security Policy
Firewalls are essential devices that control the flow of traffic between networks. Traditionally, firewalls were used to protect the perimeter network, but today it is more common to have segmented internal networks with firewalls controlling the traffic between them. PCI DSS recommends that you segment your CDE network to ensure cardholder data is protected. This requirement ensures there is a best-practice approach to firewall security, with well-documented policies, procedures and configuration standards in place.

This requirement also calls for a firewall and/or router to be established and implemented within your organization with appropriate configuration standards in place. The main reason for this is to provide a documented list of the build configuration, the services installed and the firewall rules. This gives you a document that justifies why a firewall or router is built in a certain way, which can then be used as the basis of a review of any specific firewall or router to validate its integrity. Formal processes must also be in place for effective change management.

Well-thought-out firewall configurations are also part of this requirement to protect cardholder data. These include configurations that restrict connections from untrusted networks to the network where cardholder data is present, restrict all traffic that is not necessary for the cardholder data environment, implement anti-spoofing measures, and implement a DMZ (Demilitarized Zone).

Installing personal firewall software (or equivalent functionality) also falls under this requirement when portable computing devices are used inside and outside the Cardholder Data Environment. This provides additional protection to cardholder data when the portable device is outside the CDE and is not protected by a corporate firewall or router. This personal firewall must always be active and must not be alterable by users of the portable computer.
Finally, it is required that all security policies and procedures for managing firewalls and routers are documented, in use and known to all affected parties.
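The configuration principles listed above (default deny, anti-spoofing, a DMZ between untrusted networks and the CDE, only the services the CDE needs) together with the documented justification for each rule can be expressed as a repeatable review. The following is an added example written for this guide's discussion and is not code from the guide or from the PCI SSC: a small Python reviewer that checks a simplified firewall rule set against those principles. The Rule/Firewall data model, the zone names ("untrusted", "dmz", "cde") and the two sample rule sets are all constructed for the illustration; a real review would be driven from your configuration standard and an export of the actual device configuration.

```python
# Added example, not part of the PCI DSS Implementation Guide or any PCI SSC
# material. Checks a simplified firewall rule set against the Requirement 1
# principles described in the text. Data model, zone names and samples are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "any"
    port: str                  # e.g. "443", or "any"
    action: str                # "allow" or "deny"
    justification: str = ""    # documented business need for the rule


@dataclass
class Firewall:
    zones: Dict[str, List[str]]   # zone name -> CIDR blocks (constructed)
    default_policy: str           # "allow" or "deny" for unmatched traffic
    anti_spoofing: bool           # untrusted-facing interfaces drop packets with internal source IPs
    rules: List[Rule] = field(default_factory=list)


def review(fw: Firewall) -> List[str]:
    """Return a list of findings; an empty list means no Requirement 1 deviations found."""
    findings: List[str] = []

    if fw.default_policy != "deny":
        findings.append("default policy must deny all traffic not explicitly permitted")
    if not fw.anti_spoofing:
        findings.append("anti-spoofing measures are not enabled on untrusted-facing interfaces")
    if "dmz" not in fw.zones:
        findings.append("no DMZ zone defined between untrusted networks and the CDE")

    for i, r in enumerate(fw.rules, 1):
        if r.src_zone not in fw.zones or r.dst_zone not in fw.zones:
            findings.append(f"rule {i}: references a zone missing from the network diagram")
            continue
        if r.action != "allow":
            continue   # explicit denies need no business justification
        if r.src_zone == "untrusted" and r.dst_zone == "cde":
            findings.append(f"rule {i}: permits direct access from an untrusted network to the CDE")
        if r.proto == "any" or r.port == "any":
            findings.append(f"rule {i}: permits any service; restrict to the ports/protocols required")
        if not r.justification.strip():
            findings.append(f"rule {i}: no documented business justification")
    return findings


def is_compliant(fw: Firewall) -> bool:
    return not review(fw)


# Constructed sample: a rule set showing common Requirement 1 deviations.
WEAK = Firewall(
    zones={"untrusted": ["0.0.0.0/0"], "cde": ["10.10.0.0/24"]},
    default_policy="allow",
    anti_spoofing=False,
    rules=[Rule("untrusted", "cde", "any", "any", "allow")],
)

# Constructed sample: the same environment with a DMZ and a least-necessary rule set.
COMPLIANT = Firewall(
    zones={"untrusted": ["0.0.0.0/0"], "dmz": ["172.16.0.0/24"], "cde": ["10.10.0.0/24"]},
    default_policy="deny",
    anti_spoofing=True,
    rules=[
        Rule("untrusted", "dmz", "tcp", "443", "allow", "Public web storefront (HTTPS only)"),
        Rule("dmz", "cde", "tcp", "8443", "allow", "Storefront to payment API in the CDE"),
        Rule("untrusted", "cde", "any", "any", "deny", "Explicit block, logged for review"),
    ],
)

if __name__ == "__main__":
    for name, fw in (("WEAK", WEAK), ("COMPLIANT", COMPLIANT)):
        print(name, "->", "no findings" if is_compliant(fw) else "findings:")
        for finding in review(fw):
            print("  -", finding)
```

Run against the WEAK sample the reviewer reports six findings (default policy, anti-spoofing, missing DMZ, and three against the single any/any rule); the COMPLIANT sample produces none. The value of a check like this is that it is driven by the same configuration standard and network diagram the requirement asks you to document, so a reviewer can compare what a device actually does against what the documentation says it should do.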
Page 9 of 21