What is PCI Requirement 1.2.3?

Requirement 1.2.3 requires that organizations, “Install perimeter firewalls between all wireless networks and the Cardholder Data Environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.” So, what exactly does that mean? Requirement 1.2.3 is saying that your organization must install a firewall between any wireless network or device and your CDE. The purpose of Requirement 1.2.3 is to ensure that if an attacker should compromise your wireless network or device, only inbound and outbound protocols, ports, and services that have been previously authorized are allowed. Remember Requirement 1.1.6? That list you’ve made of management-approved protocols, ports, and services? That list that is one of the most important documents? That list that is the basis of many other requirements? You guessed it: you’ll need it again for Requirement 1.2.3. Assessors look to see that your organization is providing as much security as possible to your CDE, especially wherever wireless networks and devices exist.

As an organization, you may not have wireless networks or devices that you’re using to transmit cardholder data. But if you do have wireless networks or devices that have a business justification for access, those areas are most likely in-scope of your PCI DSS assessment.

PCI DSS Requirement 1.2.3

Requirement 1.2.3 requires that we install a firewall between any wireless network or device and your cardholder data environment. The purpose for this is that if somebody should somehow compromise your wireless device, we want to make sure that only inbound and outbound ports and services that are authorized are allowed. We want to make sure that we provide as much possible security from all aspects into and out of your cardholder data environment, wherever wireless is being used.

Looking at this requirement, Requirement 1.2.3, it establishes the need to have a firewall there. When we look at that list of authorized protocols, ports, and services that we’ve talked about in Requirement 1.1.6, we’re going to look for the wireless protocols, ports, and services that you’re allowing in and out of the wireless.

As an organization, you may not have wireless that you’re using to transmit cardholder data, and that’s perfectly fine. But if you do have wireless, chances are wireless is in-scope of the assessment. As assessors, we often find that where wireless exists within the environment, your network or administration staff are using their laptops to connect into that environment per management.

What is PCI Requirement 1.2.2?

PCI DSS Requirement 1.2.2 states, “Secure and synchronize router configuration files.” This requirement focuses on enforcing the security and controls surrounding your organization’s firewall and router configurations. Before your PCI DSS assessment, your organization needs to determine, “Are our firewall and router configuration files secured from unauthorized access?”

There is a significant amount of information located within those configuration files: authentication information, certificates, keys, etc. If this sensitive information fell into the wrong hands, it could lead to a serious compromise. This is why Requirement 1.2.2 is so important: your assessor needs to ensure that wherever your firewall and router configurations are located – offsite or in backups – these files are maintained securely. Your assessor must also ensure that the configurations within the devices themselves are maintained securely. Ask your organization the following questions:

  • Do you back up your firewall and router configurations?
  • Where are they kept?
  • How are they kept?
  • Who has access to them?
  • What are the controls around them?

In order to follow Requirement 1.2.2, assessors will also expect you to have reviewed your organization’s configuration standards and examined the files and configurations prior to your PCI DSS assessment.

PCI DSS Requirement 1.2.2

When we look at the actual firewall and router configs, there’s an incredible amount of information in those that lend to being hacked if they fell into the wrong hands. There’s authentication information, there’s certificates, there’s keys, there’s all sorts of good, sensitive information in there that could lend itself into a compromise if it fell into the wrong hands.

We need to make sure that where you have your firewall and router configurations – if you’re storing them offsite, if you’re backing them up – that these particular files are going to be maintained securely. We also want to make sure that the configs within the devices themselves are maintained securely.

So as assessors, we’re going to ask you: Do you back up your firewall and router configs? If you do, where are they kept? How are they kept? Who has access to them? What are the controls around them? We’re also going to have those same types of conversations about the physical devices and the ability to console into those and gain access to that configuration information.

What is PCI Requirement 1.2.1?

PCI DSS Requirement 1.2.1 focuses around organizations developing policies and procedures that restrict traffic to that which is absolutely necessary, both inbound and outbound, for business purposes. PCI Requirement 1.2.1 states, “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.” The goal of PCI Requirement 1.2.1 is to limit traffic to only essential, required protocols, ports, or services and have business justification for those required elements.

As we learned from Requirement 1.1.6, your organization is required to maintain a list of authorized protocols, ports, or services. During your PCI DSS audit, that list is compared against your router and firewall configurations to verify that the documented security features are implemented. PCI Requirement 1.2.1, though, requires that your organization is only allowed to use protocols, ports, and services that are required for the operation of your business. If you need a protocol, port, or service, then it is absolutely appropriate to use it.

As an assessor, we’re not looking to define your business justification; we’re looking to see that you’ve done your due diligence to decide that a protocol, port, or service is absolutely required for your business operability and know why it’s required. Your organization should be asking: what’s the business justification for that protocol, port, or service? Why are we using that? If it is not required for business, it’s required that you deny that traffic.

PCI DSS Requirement 1.2.1

As an organization, you’re required to maintain the security of the traffic, inbound and outbound. As we said in Requirement 1.1.6, you have to maintain a list of authorized services, protocols, and ports. We need to now look to make sure you’ve actually implemented those. So we take that list of the protocols, ports, and services in your environment that you’ve approved, and we compare that against your actual routers and firewalls and make sure that those lists appropriately match up.

We’ve already talked about Requirement 1.1.6 that says that your organization must maintain a list of authorized protocols, ports, and services. Specific to PCI DSS 1.2.1, it says that your organization is only allowed to use the protocols, ports, and services that are required for the operation of your business. So if you need a protocol, port, or service, that’s absolutely appropriate. Understand, however, that as an assessor, it’s not our role to define your business justification or why you might need a protocol, port, or service. What we’re looking for as an assessor, is that you’ve done your due diligence to say, “Yes, this protocol, port, or service is absolutely required and this is why it’s required.”

So as part of that documentation in 1.1.6, we look to see that the protocols, ports, and services that are authorized are listed. But what’s the business justification for that? Why are you using that? If it’s required, great, fine, we don’t have a problem with that. But we’re looking to see that as an organization, you’ve done your due diligence in making sure that the protocols, ports, and services, the inbound traffic that you’re allowing within your environment, is required of your business. If it is not required for business, it’s required that you as an organization shut that traffic down.

PCI Requirement 1.2 states, “Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.” The PCI DSS considers any network that is out of your organization’s ability to control, or external to your organization’s network, as untrustworthy. Assessors will take the data found in PCI Requirement 1.1.6, which is your organization’s authorized ports, protocols, and services, and compare that data to your router and firewall configurations. Assessors are looking to ensure that your organization is only using the authorized ports, protocols, and services defined in Requirement 1.1.6.

It is essential that your organization develops the proper policies and procedures to carry out PCI Requirement 1.2. These policies and procedures must outline how your organization restricts network traffic to that which is required for inbound and outbound traffic. Failure to develop these policies and procedures can lead to a failure to implement PCI Requirement 1.2, potentially leaving your organization susceptible to unauthorized access.

PCI Requirement 1.2

We’re going to talk about Requirement 1.2 now. The primary focus of Requirement 1.2 is that you as an organization develop policies and procedures that restrict your traffic to the absolute necessary that’s required for inbound and outbound traffic. From an assessment perspective, what we do is we take the data that we found in Requirement 1.1.6, which is your authorized ports, services, and protocols, and we pull your router and firewall configs and we compare the two, basically making sure that only the authorized ports and services that management has authorized are actually what’s being used.
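The comparison described for Requirements 1.2 and 1.2.1, as an added example that is not part of the original article: the management-approved 1.1.6 list is checked against a firewall rule export, reporting permitted traffic with no approved entry, approved entries with no implementing rule, and a rule set that does not end in the explicit deny-all that 1.2.1 calls for. The list layout and the rule format are constructed for the example; a real firewall export needs its own parser.

```python
# Added example (not from the original article): compares the management-approved
# list of protocols, ports and services (Requirement 1.1.6) against a firewall
# rule export, the way an assessor does for Requirements 1.2 and 1.2.1.

# Constructed 1.1.6 list: (protocol, port, direction) -> business justification
AUTHORIZED = {
    ("tcp", 443, "in"): "HTTPS to payment web tier",
    ("tcp", 5432, "out"): "PostgreSQL to tokenization database",
    ("udp", 53, "out"): "DNS resolution",
}

# Constructed rule export: seq action proto src dst port direction, first match wins.
RULES = """\
10 permit tcp any cde 443 in
20 permit tcp cde db 5432 out
30 permit udp cde any 53 out
40 permit tcp any cde 23 in
50 deny any any any any any
"""

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, action, proto, src, dst, port, direction = line.split()
        rules.append({"seq": int(seq), "action": action, "proto": proto,
                      "src": src, "dst": dst, "direction": direction,
                      "port": None if port == "any" else int(port)})
    return rules

def review_ruleset(text, authorized):
    """Return the findings an assessor would raise against this rule set."""
    rules = parse_rules(text)
    findings, implemented = [], set()
    for r in rules:
        if r["action"] != "permit":
            continue
        key = (r["proto"], r["port"], r["direction"])
        if key in authorized:
            implemented.add(key)
        else:  # 1.2.1: permitted traffic with no documented business justification
            findings.append(f"rule {r['seq']}: permits {key} with no 1.1.6 entry")
    for key in sorted(authorized.keys() - implemented):  # documentation drift
        findings.append(f"authorized {key} has no implementing rule")
    last = rules[-1]  # 1.2.1: "specifically deny all other traffic"
    if not (last["action"] == "deny" and last["proto"] == "any" and last["port"] is None):
        findings.append("rule set does not end with an explicit deny-all")
    return findings
```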

What is PCI Requirement 1.1.7?

There are several sub-requirements under the umbrella of Requirement 1. PCI Requirement 1.1.7 states that organizations should “review firewall and router rule sets at least every six months.” To verify this, assessors examine the firewall and router configuration standards, the documentation relating to rule set reviews, and personnel interviews to confirm that the reviews take place every six months.

Unpacking PCI Requirement 1.1.7

How Does PCI Requirement 1.1.7 Impact PCI Compliance?

It’s not enough for your organization to establish rules for your network regarding inbound and outbound traffic. Why? As time goes on, rules become deprecated and protocols become insecure. Many security frameworks, including PCI DSS, require that your organization has a process to review firewall and router configurations to ensure that they are still secure. The process can be manual or use automated tools, but there must be a process.

Many frameworks do not define what organizations need to do to create a compliant review process, but there are two things that assessors examine. First, assessors look to see that your organization is reviewing your environment regularly. If you’re being assessed against the PCI DSS standards, assessors look to see that you’re doing this at least every six months. This means you must also maintain some type of evidence that the review process has occurred. Second, assessors are looking to see that your organization has spent time ensuring that the inbound traffic rules are still appropriate and secure. If for some reason the protocol has become insecure, you must document what you’re doing to make it secure. You’re required to implement specific controls that will render that protocol as secure.


Requirement 1.1.7

As an organization, you establish these rules for your network to allow traffic inbound and outbound. But, you need to understand that as time goes on, rules become deprecated and protocols become insecure. Many of the security frameworks, including that of the PCI DSS, require that you as an organization have a process where you’re manually or using automated tools to review these firewall and router configs to ensure that they’re still secure.

While the PCI DSS or these other frameworks don’t necessarily define for you what you need to do as part of that rule, we like to spend some time, as an assessor, discussing what we’re looking for. We look to see, first of all, that you’re doing this periodically. If you’re being assessed against the PCI DSS standards, we look to see that you’re doing this at least every 6 months. So, you need to maintain some artifact that this has actually occurred. What we’re looking for, in terms of the assessment of these firewalls and routers, is looking to make sure that you’ve spent the time ensuring that these protocols, ports, and services, inbound and outbound, are still appropriate and they’re still secure.

If for some reason the protocol has become insecure, you need to document the means and methods for what you’re doing to make sure that it is secure. You’re required to implement specific controls that will render that particular protocol as secure.
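The two things the assessor looks for under Requirement 1.1.7, as an added example that is not part of the original article: a recorded review of each device's rule set no older than six months, and a documented compensating control for any permitted protocol the review marked as insecure. The record layout and the sample records are constructed for the example.

```python
# Added example (not from the original article): checks the review evidence an
# assessor asks for under Requirement 1.1.7: every device's rule set needs a
# recorded review within the last six months, and any permitted protocol the
# reviewers marked insecure needs a documented compensating control.
# The record layout and sample data below are constructed.
import calendar
from datetime import date

def six_months_before(d):
    """Calendar date six months before d, clamping the day to the month length."""
    month, year = d.month - 6, d.year
    if month <= 0:
        month, year = month + 12, year - 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def check_reviews(records, today):
    """Return findings for stale reviews and undocumented insecure protocols."""
    findings = []
    cutoff = six_months_before(today)
    for rec in records:
        if rec["last_review"] < cutoff:
            findings.append(f"{rec['device']}: last review {rec['last_review']} "
                            f"is older than six months (cutoff {cutoff})")
        for svc in rec["permitted"]:
            if svc["insecure"] and not svc.get("compensating_control"):
                findings.append(f"{rec['device']}: insecure {svc['name']} permitted "
                                "without a documented compensating control")
    return findings

# Constructed review records as they might be kept as 1.1.7 evidence.
REVIEW_RECORDS = [
    {"device": "edge-fw", "last_review": date(2024, 1, 15),
     "permitted": [{"name": "ftp/21", "insecure": True}]},
    {"device": "core-rtr", "last_review": date(2024, 5, 2),
     "permitted": [{"name": "sftp/22", "insecure": False},
                   {"name": "telnet/23", "insecure": True,
                    "compensating_control": "CHANGE-TICKET-PLACEHOLDER"}]},
]

def demo():
    return check_reviews(REVIEW_RECORDS, today=date(2024, 8, 1))
```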