PCI DSS Requirements Pt. 1 | Build and Maintain a Secure Network


This is Part 1 of our Demystifying PCI DSS Compliance series.

The PCI DSS Guide outlines 12 Requirements that any business that processes credit cards must adhere to. The first two PCI DSS Requirements fall under the grouping Build and Maintain a Secure Network:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

  • Hardware router/firewall in place
  • Outline router configuration information
  • Network diagram (also showing the flow of card data)
  • Document and justify any open ports
  • Strict firewall – e.g. stateful packet inspection (SPI)
  • No public access – e.g. no in-store WiFi
  • Do not disclose internal IP addresses, network setup, security measures, etc. to anyone

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

  • All vendor-default passwords must be changed/disabled – e.g. routers, software, etc.
  • Implement only one function for a server – e.g. database server.
  • Prune system of all unnecessary software and services.
  • Configure security parameters to prevent changes/misuse – e.g. restricted User accounts, password protect applications, etc.
  • Document which programs and services are enabled and in-use
  • Any non-console admin access (i.e. remote access) should be encrypted (e.g. TeamViewer or LogMeIn, not RDP or VNC)
  • No cardholder data should enter a shared hosting environment, and any portion of shared hosting involved with cardholder data should be reviewed for PCI DSS compliance
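Two of the bullets above ("Document and justify any open ports" and "Document which programs and services are enabled and in-use") are easiest to keep honest with a periodic reconciliation between the written inventory and what a server is actually listening on. The following Python script is an added example, not from the original post or from any PCI DSS publication: the port inventory is a hypothetical one for a back-office server, and the socket listing is a constructed sample in the format of `ss -tulnp` on Linux. It reports listeners with no written justification, confirms the justified ones, and points out inventory entries that no longer match a running service.

```python
"""Reconcile a host's listening sockets against the documented, justified
port inventory that PCI DSS Requirement 1 ("document and justify any open
ports") and Requirement 2 ("document which programs and services are
enabled and in-use") ask for.

Added example, not part of the original post. Every input below is
constructed: DOCUMENTED_PORTS is a hypothetical inventory and
SAMPLE_SS_OUTPUT is a hand-written sample in `ss -tulnp` format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical inventory: (protocol, port) -> the written justification.
DOCUMENTED_PORTS = {
    ("tcp", 1433): "sqlservr: POS database, reachable only from the register VLAN",
    ("tcp", 22): "sshd: encrypted non-console admin access from the office subnet",
    ("tcp", 8443): "posapi: payment terminal callback over TLS",
}

# Constructed sample of `ss -tulnp` output for one back-office server.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*     users:(("snmpd",pid=700,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=600,fd=7))
tcp   LISTEN 0      50           0.0.0.0:1433      0.0.0.0:*     users:(("sqlservr",pid=1200,fd=40))
tcp   LISTEN 0      5            0.0.0.0:5900      0.0.0.0:*     users:(("x11vnc",pid=1340,fd=5))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
"""


@dataclass(frozen=True)
class ListeningSocket:
    proto: str
    port: int
    bind_addr: str
    process: str

    @property
    def loopback_only(self) -> bool:
        # A loopback-only listener is still undocumented software, but it is
        # not reachable from the network, so it is reported at lower severity.
        return self.bind_addr in ("127.0.0.1", "[::1]")


_PROC_RE = re.compile(r'\("([^"]+)"')  # process name inside users:(("name",pid=...))


def parse_ss_output(text: str) -> list[ListeningSocket]:
    """Parse `ss -tulnp` output into ListeningSocket records (header skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 forms such as [::]:22 and wildcard *:22 intact.
        addr, _, port = local.rpartition(":")
        match = _PROC_RE.search(line)
        sockets.append(ListeningSocket(proto, int(port), addr, match.group(1) if match else "?"))
    return sockets


def reconcile(sockets: list[ListeningSocket], documented: dict) -> dict:
    """Split observed listeners into undocumented, justified and stale entries."""
    observed = {(s.proto, s.port) for s in sockets}
    return {
        # Listening, but nobody wrote down why: a Requirement 1/2 finding.
        "undocumented": [s for s in sockets if (s.proto, s.port) not in documented],
        # Listening and justified in the inventory.
        "justified": sorted(k for k in observed if k in documented),
        # In the inventory but not listening: the documentation is out of date.
        "stale": sorted(k for k in documented if k not in observed),
    }


def report(result: dict, documented: dict) -> list[str]:
    """Render the reconciliation as one line per item for the review log."""
    lines = []
    for s in result["undocumented"]:
        severity = "INFO" if s.loopback_only else "FINDING"
        lines.append(f"{severity}: {s.proto}/{s.port} ({s.process}) bound to {s.bind_addr} "
                     "has no documented justification")
    for proto, port in result["justified"]:
        lines.append(f"OK: {proto}/{port} justified as: {documented[(proto, port)]}")
    for proto, port in result["stale"]:
        lines.append(f"STALE: {proto}/{port} is documented but nothing is listening; update the inventory")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(parse_ss_output(SAMPLE_SS_OUTPUT), DOCUMENTED_PORTS), DOCUMENTED_PORTS):
        print(line)
```

On the constructed sample the script flags SNMP and a VNC listener as undocumented findings (the latter also runs against the bullet above about unencrypted remote access), reports the loopback-only print spooler as informational, confirms SSH and SQL Server, and marks the 8443 inventory entry as stale. Running the same script on real hosts means feeding it `ss -tulnp` output and a maintained inventory file; the output is what an assessor will ask you to justify line by line.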

This first set of requirements establishes a basic set of security measures, from a firewall to changing or disabling vendor-default passwords. Make sure you have a physical, hardware firewall in place. Create a diagram of your network so you can clearly see every device and the routes between each device.

Be sure to configure your systems in such a way that users cannot modify settings. Also, do not discuss your network setup, logins, or security measures with anyone.

The PCI DSS also recommends implementing only one ‘role’ per server – e.g. MS SQL Server – and running a clean system free of unnecessary software, i.e. a clean installation of the operating system. Be sure to document each program that is installed and be able to justify its use.

Another important item is to ensure that any remote connections to the server are encrypted.

And finally, if you (or your vendor) utilize shared hosting, no cardholder data can be stored on that server.

I am a Software Developer, System Administrator, and consignment software specialist. I currently manage hundreds of consignment workstations, point of sale systems, and database servers all across North America and I am the developer of Peeps' Software, Peeps2Go, and Peeps' Consignor Login for iOS and Android. I've been helping consignment & resale store-owners since 2003. I started The Computer Peeps in February of 2010. Peeps' Software launched in 2016 and is now on hundreds of systems all across North America. I have successfully converted dozens of stores from all of the major consignment software systems. After 20 years of working with consignment stores, I understand the unique challenges consignment & resale store-owners face, from electrical issues in old buildings or strip malls, to advocating for them when their old consignment software keeps crashing.
