PCI Requirement 1
Install and Maintain a Firewall Configuration
Welcome to PCI Requirement 1. Are you a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data? If so, this is a great place to be introduced to the PCI DSS. In these videos, you will learn why the PCI DSS was developed, who participates in the PCI environment, what the 12 PCI DSS requirements are, and what the foundational elements of a PCI DSS engagement are.
PCI Requirement 1 focuses on installing and maintaining a firewall configuration in order to protect cardholder data. To comply with PCI Requirement 1, you’ll need to understand several aspects of firewall configuration. Our video resources outline change control programs, how to maintain network documentation, how to establish and maintain a secure firewall, what a DMZ is and how to segregate it from the Cardholder Data Environment (CDE), the roles and responsibilities of network management, inbound and outbound traffic rules, anti-spoofing measures, and more. Understanding these aspects of firewall configuration are vital when trying to protect your cardholder data. Click on a video below to get started with PCI Requirement 1.
Introduction to PCI DSS
This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant.
The 12 PCI DSS Requirements
This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to do to become compliant.
Establishing the Scope of Your Cardholder Data Environment
Properly scoping your environment is the most important initial step of becoming PCI compliant. The scope of the Cardholder Data Environment (CDE) determines the extent to which all PCI DSS controls must be in place. Errors in scoping can lead to serious consequences, so it’s important to define an accurate scope before beginning your PCI DSS audit.
Policies, Procedures, and Standards
We find that most organizations struggle with the documentation aspect of a PCI assessment. Established best practice states, "If it's not written down, it's not happening." Organizations need documented policies, procedures, and standards to control risks to business assets, but to also have a common understanding and language to create consistency among the culture of your organization.
Introduction to PCI DSS Requirement 1
The Payment Card Industry Data Security Standard (PCI DSS) was jointly developed by the payment card brands to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. If you are a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data, you are subject to comply with the PCI DSS.
PCI DSS Requirement 1.1.1: Implementing a Change Control Program
Your organization needs to ensure that you have the appropriate methods to control any changes into and out of your environment. Learn more about PCI DSS Requirement 1.1.1: Implementing a Change Control Program.
PCI DSS Requirement 1.1.2 and 1.1.3: Network Documentation
PCI DSS Requirements 1.1.2 and 1.1.3 are all about maintaining network documentation. Network documentation consists of two things: a network diagram and a data flow diagram. Learn more about PCI DSS Requirement 1.1.2 and 1.1.3: Network Documentation.
PCI DSS Requirement 1.1.4: Establishing a Firewall and DMZ
PCI DSS Requirement 1.1.4 requires “a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network zone.” Click here to learn more about PCI DSS Requirement 1.1.4: Establishing a Firewall and DMZ.
PCI DSS Requirement 1.1.5: Defining Roles and Responsibilities for Managing Network Components
It’s not enough that you have a network set up with established policies, procedures, and processes. You also need to ensure that you have someone within your organization that has the formal responsibility of managing the network. Watch this video to learn more about PCI DSS Requirement 1.1.5.
PCI DSS Requirement 1.1.6: Documentation of Business Justification and Approval
What is PCI Requirement 1.1.6? Your organization needs to restrict inbound and outbound traffic in and out of sensitive environments. PCI DSS Requirement 1.1.6 relates specifically to the documentation of business justification and approval for use of all services, ports, and protocols.
PCI DSS Requirement 1.1.7: Review Firewall and Router Rule Sets
What is PCI Requirement 1.1.7? There are several sub-requirements under the umbrella of Requirement 1. PCI Requirement 1.1.7 states, “review firewall and router rule sets at least every six months.” Watch this episode to learn more about PCI DSS Requirement 1.1.7.
PCI DSS Requirement 1.2: Restrict Connections to Untrusted Networks
PCI Requirement 1.2 states, “Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.” Watch this episode to learn more about PCI DSS Requirement 1.2.
PCI DSS Requirement 1.2.1: Restrict Traffic to that which is Necessary
PCI DSS Requirement 1.2.1 focuses around organizations developing policies and procedures that restrict traffic to that which is absolutely necessary, both inbound and outbound, for business purposes. PCI Requirement 1.2.1 states, “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.” The goal of PCI Requirement 1.2.1 is to limit traffic to only essential, required protocols, ports, or services and have business justification for those required elements.
PCI DSS Requirement 1.2.2: Secure and Synchronize Router Configuration Files
What is PCI Requirement 1.2.2? This requirement focuses on enforcing the security and controls surrounding your organization’s firewall and router configurations. Watch this episode to learn more about PCI DSS Requirement 1.2.2.
PCI DSS Requirement 1.2.3: Install Firewalls Between all Wireless Networks and the CDE
What is PCI Requirement 1.2.3? Requirement 1.2.3 requires that organizations install perimeter firewalls between all wireless networks and the Cardholder Data Environment. So, what exactly does that mean? Watch this episode to learn more about PCI DSS Requirement 1.2.3.
PCI DSS Requirement 1.3: Examine Firewall and Router Configurations
Requirement 1.3 focuses on ensuring that you prohibit direct public traffic from the Internet into the Cardholder Data Environment (CDE). If the protections put in place are bypassed, your system could be compromised. Watch this episode to learn more about PCI DSS Requirement 1.3.
PCI DSS Requirement 1.3.1: Establishing a DMZ
PCI DSS Requirement 1.3.1 requires that you, as an organization, develop and implement a DMZ, otherwise known as a demilitarized zone. Watch this episode to learn more about PCI DSS Requirement 1.3.1 and Establishing a DMZ.
PCI DSS Requirement 1.3.2: Limit Inbound Internet Traffic
PCI Requirement 1.3.2 limits inbound Internet traffic to IP addresses within the DMZ and examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. Watch this episode to learn more about PCI DSS Requirement 1.3.2.
PCI DSS Requirement 1.3.3: Implement Anti-Spoofing Measures
PCI DSS Requirement 1.3.3 requires that organizations implement anti-spoofing measures to detect and block forged source IP addresses from entering a network. Watch this episode to learn more about PCI DSS Requirement 1.3.3.
PCI DSS Requirement 1.3.4: Deny Unauthorized Outbound Traffic
One of the most important things you can do as an organization to harden your environment, is to limit the outbound traffic from your cardholder data environment (CDE), or from your environment that you might consider sensitive, to the Internet. Watch this episode to learn more about PCI DSS Requirement 1.3.4.
PCI DSS Req 1.3.5: Permit Only Established Connections into the Network
PCI DSS Requirement 1.3.5 says to, “Permit only ‘established’ connections into the network.” Essentially, this requirement ensures that your organization is only allowing established traffic back into your environment. Watch this episode to learn more about PCI DSS Req 1.3.5.
PCI DSS Requirement 1.3.6: Segregate the CDE from the DMZ
To meet PCI Requirement 1.3.6, your organization must not store cardholder data within the DMZ. Watch this episode to learn more about PCI DSS Requirement 1.3.6 and what it means to segregate the CDE from the DMZ.
PCI DSS Requirement 1.3.7: Do Not Disclose Private IP Addresses
What is PCI Requirement 1.3.7? The goal of your organization is to make it as difficult as possible for someone to hack into your environment. Watch this episode to learn more about PCI DSS Requirement 1.3.7 and the importance of protecting your private IP addresses.
PCI DSS Requirement 1.4: Install Personal Firewall Software
PCI Requirement 1.4 states, “Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network". Watch this episode to learn more about PCI DSS Requirement 1.4.
PCI DSS Requirement 1.5: Ensure Security Policies are Known to all Affected Parties
PCI Requirement 1.5 is not only saying that your organization needs to maintain documented security policies and operational procedures; the policies and procedures needs to be known and in use by all relevant parties. Watch this episode to learn more about PCI DSS Requirement 1.5.
