This is Part 1 of our Demystifying PCI DSS Compliance series.
The PCI DSS Guide outlines 12 Requirements that any business which processes credit cards must adhere to. The first two PCI DSS Requirements fall under the grouping Build and Maintain a Secure Network:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Hardware router/firewall in place
- Outline router configuration information
- Network diagram (also show card data flow)
- Document and justify any open ports
- Strict firewall – e.g. stateful packet inspection (SPI)
- No public access – e.g. no in-store WiFi
- Do not disclose internal IP addresses, network setup, security measures, etc. to anyone
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- All vendor-default passwords must be changed/disabled – e.g. routers, software, etc.
- Implement only one function for a server – e.g. database server.
- Prune system of all unnecessary software and services.
- Configure security parameters to prevent changes/misuse – e.g. restricted User accounts, password protect applications, etc.
- Document which programs and services are enabled and in-use
- Any non-console admin access (i.e. remote access) should be encrypted (e.g. TeamViewer or LogMeIn, not RDP or VNC)
- No cardholder data should enter a shared hosting environment, and any portion of a shared hosting environment that handles cardholder data should be reviewed for PCI DSS compliance
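Several of the items above (document and justify open ports, run one function per server, prune unnecessary services, and keep a written inventory of what is enabled) come down to one recurring check: does what is actually listening on the host match what the documentation says should be listening? The script below is an added example, not part of the original article or of any PCI DSS publication. It parses the output of `ss -tulnp` (a constructed sample is embedded so it runs offline), compares it against a constructed inventory of justified services, and reports undocumented listeners, documented services that are no longer running, and the remote-access services the checklist above says to avoid. The host name, inventory contents and sample socket list are all placeholders invented for this example.

```python
"""Added example: reconcile listening services against a documented, justified
service inventory (PCI DSS Requirements 1 and 2 as summarised in the article).
Not the article's own code; every input below is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ListeningSocket:
    proto: str    # "tcp" or "udp"
    port: int
    process: str  # process name reported by ss, or "?" if unknown


# Constructed sample of `ss -tulnp` output for a hypothetical single-role
# database server "pos-db-01".  Real output has the same column layout.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:1433        0.0.0.0:*         users:(("sqlservr",pid=1200,fd=9))
tcp   LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2210,fd=5))
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=990,fd=4))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=700,fd=8))
"""

# Constructed inventory: the "document and justify any open ports" list for
# this host.  Keyed by (protocol, port); the value is the written justification.
DOCUMENTED_SERVICES = {
    ("tcp", 1433): "MS SQL Server - cardholder database (the server's single role)",
    ("tcp", 22): "SSH - encrypted non-console administrative access",
}

# Remote-access services the article's checklist excludes for admin access.
REMOTE_ADMIN_AVOID = {3389: "RDP", 5900: "VNC"}

_PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss_output(text):
    """Turn `ss -tulnp` text into ListeningSocket records, skipping the header."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Netid":
            continue
        proto = parts[0]
        _addr, port = parts[4].rsplit(":", 1)   # works for IPv4, IPv6 and "*"
        match = _PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        sockets.append(ListeningSocket(proto, int(port), process))
    return sockets


def audit(sockets, documented):
    """Return (category, message) findings for the inventory reconciliation.

    Categories:
      undocumented - a listener with no written justification (Req. 1 and 2)
      remote-admin - a remote-access service the checklist says to avoid
      stale-doc    - something documented that is no longer listening
    """
    findings = []
    seen = set()
    for sock in sockets:
        key = (sock.proto, sock.port)
        seen.add(key)
        if key not in documented:
            findings.append(("undocumented",
                             f"{sock.proto}/{sock.port} ({sock.process}) is listening "
                             f"but has no documented justification"))
        if sock.port in REMOTE_ADMIN_AVOID:
            findings.append(("remote-admin",
                             f"{sock.proto}/{sock.port} ({sock.process}) looks like "
                             f"{REMOTE_ADMIN_AVOID[sock.port]}, which the checklist "
                             f"excludes for non-console admin access"))
    for (proto, port), why in documented.items():
        if (proto, port) not in seen:
            findings.append(("stale-doc",
                             f"{proto}/{port} is documented ({why}) but nothing is "
                             f"listening; update the inventory"))
    return findings


if __name__ == "__main__":
    for category, message in audit(parse_ss_output(SAMPLE_SS_OUTPUT), DOCUMENTED_SERVICES):
        print(f"[{category}] {message}")
```

On a real host you would feed `ss -tulnp` output (or `netstat -ano` on Windows) into `parse_ss_output` and keep `DOCUMENTED_SERVICES` in version control next to the network diagram, so that every new listener either gets a written justification or gets removed; running the check on a schedule turns the one-time documentation item into an ongoing control.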
This first set of requirements establishes a baseline of security measures, from a firewall to changing or disabling vendor-default passwords. Make sure you have a physical, hardware firewall in place. Create a diagram of your network so you can clearly see every device and the routes between each device.
Be sure to configure your systems in such a way that users cannot modify settings. Also, do not discuss your network setup, logins, and security measures with anyone.
The PCI DSS also recommends implementing only one ‘role’ per server – e.g. MS SQL Server – as well as running a clean system, free of unnecessary software – i.e. a clean installation of the operating system. Be sure to document each program that is installed and be able to justify its use.
Another important item is to ensure that any remote connections to the server are encrypted.
And finally, if you (or your vendor) utilize shared hosting, no cardholder data can be stored on that server.