PCI Readiness Series: PCI Requirements 1 and 2

by KirkpatrickPrice / April 21st, 2015

Are you a merchant, service provider, or sub-service provider who stores, processes, or transmits cardholder data? If so, this is a great place to be introduced to the PCI DSS.

The PCI Security Standards Council is a third-party organization that was developed for the sole purpose of managing the security of cardholder data. Prior to the PCI Security Standards Council, each payment card brand managed its own security standards. Eventually, the payment card brands realized that it was counterproductive to have five different sets of standards that their clients had to audit against; thus, the PCI Security Standards Council and the PCI Data Security Standard were created. The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The founding payment brands of the PCI Security Standards Council are Visa, Inc., MasterCard, Discover Financial, American Express, and JCB International.

If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. The PCI Security Standards Council and payment card brands are major participants in the PCI environment and are responsible for tracking and enforcing PCI DSS compliance, penalties, fees, compliance deadlines, and the monitoring and facilitating of investigations. The other entities that are impacted by the PCI DSS compliance lifecycle are acquiring banks, issuing banks, merchants, service providers, and sub-service providers.

What is Requirement 1?

PCI Requirement 1 states, “Install and maintain a firewall configuration to protect cardholder data.” To comply with PCI Requirement 1, you’ll need to understand several aspects of firewall configuration. We will discuss the following sub-requirements of PCI Requirement 1:

Requirement 1.3 – Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Requirement 1.4 – Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network, and which are also used to access the network.

Requirement 1.5 – Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

What is Requirement 2?

PCI Requirement 2 states, “Do not use vendor-supplied defaults for system passwords and other security parameters.” Did you know that vendor-supplied default information, such as account names and passwords, poses a serious threat to your organization’s security? Yes, vendor-supplied defaults might make installation or even support easier, but they also make it pretty simple for hackers to find the information needed to attack and exploit your system. How can we prevent this? Let’s learn together from PCI Requirement 2. This webinar will discuss sub-requirements such as:

Requirement 2.1 – Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

Requirement 2.2 – Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Requirement 2.3 – Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Requirement 2.4 – Maintain an inventory of system components that are in scope for PCI DSS.

Requirement 2.5 – Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

Requirement 2.6 – Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.
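An added example, not from the original post or from KirkpatrickPrice, of how a reviewer can turn Requirements 2.1, 2.3 and 2.4 into one repeatable check over a component inventory: the inventory format, field names and sample values are assumptions made for this illustration.

```python
# Added example (not from the original post): review an inventory of in-scope
# system components (Req. 2.4) for two controls named above: non-console
# administrative access must be encrypted (Req. 2.3), and vendor-default
# accounts must be changed or disabled (Req. 2.1).
# The inventory format and field names are assumptions made for this example.

from dataclasses import dataclass

# Protocols the requirement text names as acceptable for non-console admin access.
ENCRYPTED_ADMIN_PROTOCOLS = {"ssh", "https", "vpn"}

@dataclass
class Component:
    name: str
    in_scope: bool                    # stores/processes/transmits CHD, or can affect it
    admin_protocols: list             # how administrators reach the component
    default_accounts_disabled: bool   # outcome of the Req. 2.1 configuration review

def review_component(c: Component) -> list:
    """Return a list of (requirement, finding) tuples for one component."""
    findings = []
    if not c.in_scope:
        return findings               # Req. 2.4: only in-scope components are reviewed
    for proto in c.admin_protocols:
        if proto.lower() == "console":
            continue                  # console access is outside the scope of 2.3
        if proto.lower() not in ENCRYPTED_ADMIN_PROTOCOLS:
            findings.append(("2.3", f"{c.name}: unencrypted admin access over {proto}"))
    if not c.default_accounts_disabled:
        findings.append(("2.1", f"{c.name}: vendor-default accounts still enabled"))
    return findings

def review_inventory(inventory) -> dict:
    """Group findings by requirement number across the whole inventory."""
    report = {}
    for c in inventory:
        for req, msg in review_component(c):
            report.setdefault(req, []).append(msg)
    return report

# Constructed sample inventory; names and values are made up for illustration.
SAMPLE_INVENTORY = [
    Component("edge-fw-01", True, ["ssh", "https"], True),
    Component("pos-switch-02", True, ["telnet", "console"], False),
    Component("marketing-web", False, ["http"], False),   # out of scope, not reviewed
]

if __name__ == "__main__":
    for req, msgs in sorted(review_inventory(SAMPLE_INVENTORY).items()):
        print(f"Requirement {req}:", *msgs, sep="\n  - ")
```

The out-of-scope component is skipped on purpose: Requirement 2.4 exists so that reviews like this one run against a defined, current list of in-scope components rather than whatever happens to be reachable.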

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.