This will be the first blog post in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through the process of becoming compliant with the PCI Data Security Standard.
I like to call this requirement the Defending of the Wall. It focuses on the protection of the cardholder data environment (CDE) perimeter and not letting the bad guys in to steal cardholder’s data.
Let’s start with an overview. PCI DSS Requirement 1 states that the entity must “Install and maintain a firewall configuration to protect cardholder data.” This seems straightforward: make sure you have a firewall protecting your CDE and configure it to control access in and out of that environment. In other words, build walls around your CDE castle to keep anyone from getting in. This requirement focuses on the firewalls, the routers, the personnel responsible for them, and the proper configuration and documentation of these devices.
Companies that require PCI Compliance face some challenges within this requirement. Here are 3 examples of common challenges that we see related to PCI Requirement 1:
1. Clients do not have standard configurations defined for devices within their CDE. This turns into a documentation process for the IT group responsible for these key devices. Policies need to be created and procedures to support them need to be defined. These policies then need to be added to the annual review cycle along with the numerous other policies required.
2. Firewall rules need to be reviewed every 6 months. This is one of the most overlooked items within Requirement 1 and creates different challenges for the personnel responsible. It becomes a larger challenge when the firewall protecting the CDE also protects the entity’s other networks.
3. Companies need to have a network diagram and a data flow diagram of cardholder data. Not only do these diagrams need to be created, they need to be updated as parts of the CDE change. This too adds another documentation task that tends to be frowned upon when delegated to the group responsible.
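The semi-annual rule review in the second challenge is easier to keep on top of when the rule set carries the documentation the review depends on (business justification and last-review date) and a script flags what is out of date. The following is an added example, not code from the original post or from any firewall vendor: it models a small rule set as plain Python records (the `Rule` fields, the `zone` tag used to mark rules that reach the CDE, the 183-day interval, and the sample rules and dates are all assumptions constructed for illustration) and reports CDE rules that lack a justification, are overdue for review, or allow "any" source or service into the environment. On a firewall shared with other networks, only the rules tagged as CDE are in scope, which is the situation the post describes.

```python
"""Added example: helper for the PCI DSS Requirement 1 semi-annual rule review."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: treat "every 6 months" as 183 days for the overdue check.
REVIEW_INTERVAL = timedelta(days=183)


@dataclass
class Rule:
    """One firewall rule plus the documentation the review needs (constructed schema)."""
    rule_id: str
    src: str                  # source network/host, or "any"
    dst: str                  # destination network/host, or "any"
    service: str              # e.g. "tcp/443", or "any"
    zone: str                 # "cde" marks rules that reach the cardholder data environment
    justification: str        # documented business reason for the rule
    last_reviewed: Optional[date]


def audit_cde_rules(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule_id, finding) pairs for rules that touch the CDE.

    Rules outside the CDE zone are skipped: on a firewall shared with
    corporate networks only the CDE rules are in scope for this review.
    """
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if r.zone != "cde":
            continue
        if not r.justification.strip():
            findings.append((r.rule_id, "no documented business justification"))
        if r.last_reviewed is None or today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.rule_id, "semi-annual review overdue"))
        if r.src.lower() == "any" or r.service.lower() == "any":
            findings.append((r.rule_id, "overly permissive: 'any' source or service into the CDE"))
    return findings


# Constructed sample rule set; addresses and dates are illustrative only.
TODAY = date(2024, 6, 15)
SAMPLE_RULES = [
    Rule("FW-001", "10.20.0.0/24", "10.99.1.10", "tcp/443", "cde",
         "POS segment to payment application", date(2024, 3, 1)),
    Rule("FW-002", "any", "10.99.1.0/24", "any", "cde", "", None),
    Rule("FW-003", "10.20.0.0/24", "10.50.0.5", "tcp/22", "corp",
         "Admin SSH to file server (non-CDE)", date(2023, 1, 10)),
    Rule("FW-004", "10.99.1.10", "203.0.113.5", "tcp/443", "cde",
         "Payment application to acquirer", date(2023, 11, 1)),
]


if __name__ == "__main__":
    for rule_id, finding in audit_cde_rules(SAMPLE_RULES, TODAY):
        print(f"{rule_id}: {finding}")
```

Run against the sample set, the script reports FW-002 three times (no justification, never reviewed, any/any into the CDE) and FW-004 once (last reviewed more than six months before the audit date), while the non-CDE rule FW-003 is ignored even though its review date is old. Feeding it an export of the real rule set, with the review dates kept in the rule comments or a change ticket, turns the six-month review from a memory exercise into a short report.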
These challenges add more to the plate of the personnel responsible, but they should be viewed as a benefit to the overall IT security posture of the company. Having the documentation in place not only supports the company’s PCI compliance but ensures that this critical information isn’t just stored in someone’s head. Being aware of these challenges is a solid step in constructing the walls you need to protect your CDE and comply.
These challenges are just some of the areas within the PCI DSS requirements that many of our clients face. Another area where our clients experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI compliance. This is why we created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy-to-use checklist gives you the PCI requirements, what you must do to achieve and maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!
Stay tuned for the beginning of February, when we will cover PCI Requirement 2 - The Use of Vendor-Supplied Defaults.