With the rise of credit cards and online banking, financial theft has gradually shifted away from physical bank robberies to electronic payment fraud. Although payment cards facilitate convenient financial transactions for society, they also offer an ideal opportunity for attackers to remotely steal a person’s identity or breach a company's information database. While all cybersecurity solutions are important, we want to first dive into how to increase credit card security.

Understanding this high risk, the Payment Card Industry Security Standards Council (PCI SSC) formulated the PCI Data Security Standards (PCI DSS), composed of 12 requirements designed to mitigate customer/company information vulnerability. The first requirement focuses on ensuring a strong firewall configuration. Unfortunately, firewall security is sometimes neglected when companies favor speed over security. However, deploying a strong firewall configuration to protect the Cardholder Data Environment (CDE) is crucial.

PCI DSS Requirements Summary

The PCI DSS guidelines apply to all entities that store, process, or transmit cardholder data and/or sensitive authentication data. If your company handles any credit card data, it likely applies to you. The guidelines span from point-of-sale devices to paper storage systems to remote connections. Below is a quick explanation of each PCI DSS requirement.

1. Firewalls: PCI DSS requires compliant entities to implement firewalls at any internet connection and between any demilitarized zones (DMZs). The PCI SSC defines firewalls as devices that control computer traffic allowed into and out of an organization’s network and into sensitive areas within its internal network. Basically, it is a gatekeeper for inbound and outbound traffic. Requirement one encompasses not only network flow, but also any devices involved in Internet connection, such as routers.

2. Secure PINs and Passwords: Although most devices come with pre-set passwords, it is vital to change them before any device connects to public networks. Pre-set passwords are easily obtained (e.g., device manual) and generally designed for convenient configuration, not security. NIST recommends 16-64 character passwords when possible, using a variety of symbols, numbers, and letters.

3. Protect Cardholder Data: This requirement focuses on how data is stored. According to PCI SSC, the best option for merchants involves avoiding any data storage. If, however, a company has a legitimate need to store card data, the PCI standard permits only the storage of a primary account number (PAN), expiration date, service code, or cardholder name. Additionally, PCI compliance requires that entry devices and applications be certified.

4. Encryption: Cardholder data must be encrypted while in transit, especially over public networks. PCI standards recommend SSL/TLS, SSH or IPSec security protocols.

5. Updates: To mitigate the infiltration of malicious software, PCI standards require companies to actively update all network device software in a timely manner.

6. Assessment Processes: Companies must develop a unique plan for implementing security measures, both physical and technical. Documentation is also a key component, allowing for outside assessment and internal review.

7. Access: Restrict access to the system and any premise storing cardholder data. Only personnel or outside entities classified as need-to-know should have access. Additionally, it is important to periodically review who is categorized as need-to-know. New employees or projects will dictate who still needs access and who does not.

8. Authentication: PCI standards require each individual or entity accessing cardholder data to utilize a unique ID and Personal Identification Number (PIN). This is considered two-factor authentication. If a breach occurs, and detailed logs were kept, the attack point of origin may be easier to identify with such IDs in place. To aid in the process, the PCI SSC outlined PIN Transaction Security (PTS) and Point of Interaction (POI) standards.

9. Restriction: Restricting physical access to facilities, devices, and networks storing cardholder data is vital. Additionally, if a device provides access but does not actually store any cardholder data, it is still beneficial to limit access. The primary goal of this requirement focuses on preventing threat actors from physically obtaining Sensitive Authentication Data (SAD).

10. Monitor: Regularly monitor and fix vulnerabilities. PCI compliance requires closely reviewing logs, system components, and policy adherence.

11. Test: Test old and new software using vulnerability scans, both internally and externally. After passing the first PCI compliance test, entities must then complete external testing scans on a quarterly basis; these external scans can only be conducted by Approved Scanning Vendors (ASV).

12. Policy: Implement a policy for information security controls and procedures and create an incident response plan. Make sure to distribute the security policy and educate employees on how to utilize any related platforms/alert systems.

PCI Compliance Firewall Requirements

Firewall compliance encompasses both technical specifications (requirement 1) and, to some extent, physical access (requirement 9).

From a technical standpoint: PCI SSC recommends formulating standards for firewall and router implementation. This includes a plan for any future updates or reconfiguration. The plan must detail points of connection, technical specifications, and the justification behind the specified security methods. Firewalls must limit inbound network traffic to only necessary traffic (i.e., what the CDE requires for functionality). They must extend across all sectors of an entity, including data repositories and both public-facing and private devices.
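The three technical points above (only necessary inbound traffic, a documented justification for every permitted flow, and a ruleset that covers the whole entity with a default deny) can be checked mechanically against a firewall ruleset. The script below is an added example written for this article, not a tool from PCI SSC or MCSI; the rule format, the CDE address range and the sample rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str         # "allow" or "deny"
    src: str            # source CIDR, or "any" (untrusted)
    dst: str            # destination CIDR, or "any"
    port: str           # destination port, or "any"
    justification: str  # documented business need for the permitted flow


def _in_cde(dst, cde):
    """True if the rule's destination lies inside (or covers) the CDE network."""
    if dst == "any":
        return True  # an "any" destination reaches the CDE too
    return ipaddress.ip_network(dst).subnet_of(cde)


def audit_inbound_rules(rules, cde_cidr):
    """Return (rule index, finding) pairs for rules that violate requirement 1."""
    cde = ipaddress.ip_network(cde_cidr)
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if not r.justification.strip():
            findings.append((i, "permitted flow has no documented justification"))
        if r.src == "any" and _in_cde(r.dst, cde):
            findings.append((i, "untrusted source allowed directly into the CDE"))
        if r.port == "any" and _in_cde(r.dst, cde):
            findings.append((i, "all ports open into the CDE; restrict to what the CDE needs"))
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append((len(rules), "ruleset does not end with a default deny-all"))
    return findings


# Constructed sample inbound ruleset (hypothetical addresses, not a real deployment).
SAMPLE_RULES = [
    Rule("allow", "any", "10.10.1.0/24", "443", "Internet to DMZ web tier (payment page)"),
    Rule("allow", "10.10.1.0/24", "10.10.2.0/24", "5432", "DMZ web tier to CDE database"),
    Rule("allow", "any", "10.10.2.0/24", "any", ""),  # the kind of rule the audit should catch
    Rule("allow", "203.0.113.5", "10.10.2.0/24", "22", "Vendor remote support"),
    Rule("deny", "any", "any", "any", "Default deny"),
]

if __name__ == "__main__":
    for idx, msg in audit_inbound_rules(SAMPLE_RULES, "10.10.2.0/24"):
        print(f"rule {idx}: {msg}")
```

A rule that passes these checks (specific source, specific port, written justification) still needs human review of whether the justification is current, which is the periodic review the article calls for.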

From a physical standpoint: Even with a strong firewall, companies must limit physical access to the CDE. The PCI DSS details sub-requirements for securing any cardholder data environment and/or device. Inspect card reading devices for tampering, as card skimmers or other devices may have been installed to steal cardholder data. It is also advised to install monitoring devices (e.g., security cameras) and frequently review the logs. Additionally, secure entry points of CDEs by confirming that any individual entering the premises containing cardholder data receives a unique ID, which makes movement easier to trace. Verify visitors have been granted authorized access (e.g., visitor badge) and keep a visitor log. Lastly, completely dispose of information when it is no longer needed.

If you need help understanding or meeting these requirements, call MCSI for a consultation on your current system. We can help you identify vulnerabilities and address them.