PCI DSS Requirements Pt. 1 | Build and Maintain a Secure Network

This is Part 1 of our Demystifying PCI DSS Compliance series.

The PCI DSS outlines 12 Requirements that any business which stores, processes or transmits cardholder data must adhere to. The first two PCI DSS Requirements fall under the grouping Build and Maintain a Secure Network:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

  • Hardware router/firewall in place, with a default-deny policy: only traffic you have a documented need for is allowed in or out of the cardholder data environment
  • Document the router/firewall configuration standards, and review the rule sets at least every six months
  • Network diagram, plus a diagram showing where cardholder data flows through those systems
  • Document and justify every open port and service
  • Strict firewall – e.g. stateful packet inspection (SPI), which only admits inbound packets that belong to a connection the inside already opened
  • No public access to the cardholder data environment – e.g. any in-store or guest WiFi must sit on its own network, with a firewall between it and the card-processing systems
  • Do not disclose internal IP addresses, routing information, network setup, security measures, etc. to anyone who is not authorised to know them

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

  • All vendor-default passwords and accounts must be changed/disabled before a device goes on the network – e.g. routers, firewalls, wireless access points, POS software, SNMP community strings, etc.
  • Implement only one primary function per server – e.g. a database server should not also be a web server – so that functions needing different security levels do not share a host.
  • Prune the system of all unnecessary software, services, protocols and drivers.
  • Configure security parameters to prevent changes/misuse – e.g. restricted (non-administrator) User accounts for day-to-day work, password-protected applications, etc.
  • Document which programs and services are enabled and in use, and the business reason for each
  • Any non-console admin access (i.e. remote access) must use strong cryptography – e.g. SSH, a VPN, or RDP with TLS and Network Level Authentication enforced. Plain VNC and Telnet carry credentials and keystrokes in the clear and do not qualify; tools such as TeamViewer or LogMeIn encrypt their sessions but still need their vendor defaults changed and should only be reachable with multi-factor authentication
  • Keep cardholder data out of shared hosting wherever possible; if any portion of a shared hosting environment does handle cardholder data, the hosting provider must meet the shared-hosting requirements in PCI DSS Appendix A1, so obtain its Attestation of Compliance
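Two of the bullets above – “document and justify every open port” under Requirement 1 and “prune unnecessary services and document what is enabled” under Requirement 2 – are easiest to keep honest with a repeatable check rather than a one-off spreadsheet. The script below is an added example for this post, not code from the original page or from Peeps' Software: it parses Linux `ss -lntup` output, compares every listening socket against a written justification register, and flags anything that is unjustified, loopback-only, or a cleartext admin protocol. The allowlist entries, the process names and the sample `ss` output are all constructed for illustration.

```python
"""Listening-port audit against a documented justification register.

Added example for this post, not code from the original page or from
Peeps' Software. The allowlist, process names and the `ss -lntup` sample
output below are all constructed for illustration.
"""
import re
from dataclasses import dataclass

# Hypothetical justification register for one back-office server: every
# (protocol, port) the business has written down a reason for.
ALLOWLIST = {
    ("tcp", 1433): "MS SQL Server: POS database, reachable only from the POS VLAN",
    ("tcp", 3389): "RDP with TLS and NLA enforced: vendor support, only over the VPN",
}

# Remote-administration protocols that carry credentials in the clear.
# These fail the 'non-console admin access must be encrypted' bullet even
# if someone has written a justification for them.
CLEARTEXT_ADMIN = {
    ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
    ("tcp", 5900): "VNC without a tunnel",
}

# Constructed sample of `ss -lntup` output from a Linux host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:1433        0.0.0.0:*   users:(("sqlservr",pid=812,fd=21))
tcp   LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*   users:(("xrdp",pid=901,fd=11))
tcp   LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*   users:(("x11vnc",pid=1200,fd=3))
tcp   LISTEN 0      5      [::]:23             [::]:*      users:(("telnetd",pid=77,fd=4))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*   users:(("snmpd",pid=450,fd=6))
tcp   LISTEN 0      128    127.0.0.1:25        0.0.0.0:*   users:(("master",pid=300,fd=9))
"""

# One `ss` row: proto, state, recv-q, send-q, local addr:port, peer, process.
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass
class Finding:
    proto: str
    port: int
    addr: str
    process: str
    status: str  # JUSTIFIED | CLEARTEXT_ADMIN | LOCAL_ONLY | UNJUSTIFIED
    note: str


def audit(ss_text, allowlist=ALLOWLIST):
    """Classify every listening socket found in `ss -lntup` output."""
    findings = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header line, or a socket with no process info
        proto, addr, port, proc = m["proto"], m["addr"], int(m["port"]), m["proc"]
        key = (proto, port)
        if key in CLEARTEXT_ADMIN:
            status, note = "CLEARTEXT_ADMIN", f"{CLEARTEXT_ADMIN[key]}: disable it, or tunnel it over SSH/VPN"
        elif key in allowlist:
            status, note = "JUSTIFIED", allowlist[key]
        elif addr.strip("[]") in ("127.0.0.1", "::1"):
            status, note = "LOCAL_ONLY", "loopback only: low risk, but still document or disable it"
        else:
            status, note = "UNJUSTIFIED", "no justification on file: disable it or add it to the register"
        findings.append(Finding(proto, port, addr, proc, status, note))
    return findings


def report(findings):
    """Plain-text report for the compliance folder: problems first, justified ports last."""
    ordered = sorted(findings, key=lambda f: (f.status == "JUSTIFIED", f.proto, f.port))
    return "\n".join(
        f"{f.status:<15} {f.proto}/{f.port:<5} {f.addr:<12} {f.process:<9} {f.note}"
        for f in ordered
    )


if __name__ == "__main__":
    print(report(audit(SAMPLE_SS_OUTPUT)))
```

Run it on a real host by piping `ss -lntup` into `audit()` instead of the sample text. Anything that lands in UNJUSTIFIED either gets a written justification added to the register or gets switched off; anything in CLEARTEXT_ADMIN is a Requirement 2 finding no matter who signed it off. On a Windows POS or SQL server the same raw data comes from `netstat -abno` (run as Administrator), but its column layout differs, so the `SS_LINE` pattern would need adjusting for that format.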

This first set of requirements establishes a baseline of security measures, from a firewall to changing or disabling vendor-default passwords. Make sure you have a physical, hardware firewall in place with a default-deny policy, so that only the traffic you have documented a need for gets through. Create a diagram of your network so you can clearly see every device and the routes between them, and mark on it where cardholder data travels.

Be sure to configure your systems so that ordinary users cannot modify security settings. Also, do not discuss your network setup, logins or security measures with anyone who does not need to know them.

The PCI DSS also requires only one primary ‘role’ per server – e.g. a dedicated MS SQL Server host – as well as a system free of unnecessary software. Start from a clean installation of the operating system, then harden it to a documented configuration standard (disable the services, protocols and accounts you do not use), since even a clean install ships with things a card-processing system has no need for. Be sure to document each program that is installed and be able to justify its use.

Another important item is to ensure that any remote administrative connection to the server is encrypted with strong cryptography, and that no cleartext fallback (Telnet, untunnelled VNC) is left listening.

And finally, if you (or your vendor) use shared hosting, keep cardholder data off that server; where that is unavoidable, the hosting provider itself must be assessed against PCI DSS Appendix A1, so ask for its Attestation of Compliance.

I am a consignment software specialist, System Administrator for hundreds of consignment workstations across North America, and developer of Peeps' Software! I've been helping consignment & resale store-owners since 2003. I started The Computer Peeps in February of 2010. After 17+ years of working with consignment stores, I understand the unique challenges consignment & resale store-owners face. From electrical issues in old buildings or strip malls, to advocating for them when their consignment software keeps crashing. I now manage over 600 computer systems, servers & websites for store-owners all across North America and I am the developer/programmer of Peeps' Software -- the only software written FOR consignment & resale stores specifically.
