PCI firewall basics – all you need to know
Date published: 17 Jun 2020
For organizations looking to keep cardholder data safe, Payment Card Industry Data Security Standard (PCI DSS) compliance should be of the utmost priority. The PCI Data Security Standards evolve in line with changing consumer behaviors and businesses must adapt accordingly. The first requirement of PCI DSS is to ‘install and maintain a firewall configuration to protect cardholder data’. For those trying to get to grips with this, there are multiple considerations to take into account. Therefore, we wanted to share our tips and all you need to know in order to get started on your compliance journey.
What is a firewall?
In basic terms, a firewall sits between your payment card system and the internet with the ultimate goal of filtering out potentially harmful traffic which could compromise your customers’ confidential data. Essentially, firewalls control all the traffic in and out of an organization’s network and will need to be regularly maintained to adhere to compliance standards. As maintaining secure firewalls is critical, to protect your data and your network, regular audits should be undertaken to check the security posture of each firewall.
What are the common security issues?
• Improper firewall configuration - Many organizations think that once a firewall is implemented, the hard work has been done. However, it’s imperative to remember that simply having a firewall does not automatically increase protection or make you PCI DSS compliant on implementation. Firewalls need to be configured to your business needs if they are to perform to their full capabilities. If a firewall is not configured correctly and securely, your network has a vulnerability that will allow hackers to access and steal your customers’ sensitive data.
• Zero or not enough testing of firewall rules - PCI DSS requires organizations to review their firewall and router rules at least twice a year (every six months). That’s because things change over time and this can compromise the effectiveness of your firewall security rules. The best way to test effectiveness is through vulnerability audits or penetration tests, which provide better insight into your network.
• Lack of log management – It seems counterintuitive to log any firewall-specific issues that come out of an audit without having a process for keeping track of them and notifying the correct teams when there is a potential problem in your network. By ignoring notifications, vulnerabilities can be missed, leaving your organization open to a cyber-attack.
• Lack of network segmentation – Leading organizations use their firewalls (if they are PCI compliant) to separate card environments from their wider network. Although this isn’t a specific PCI requirement, it can help your teams keep your networks better secured, whilst more efficiently supporting your compliance goals.
Where should you start?
As mentioned above, firewall configuration requirements, including PCI Security Standards Council’s minimum suggested configurations, can act as an initial ‘checklist’ and a strong starting point on your journey towards compliance.
These include actions to:
• Change the original password provided by the vendor
• Restrict both inbound and outbound traffic to your payment systems
• Avoid the use of ‘any’ in firewall allow rules
• ‘Deny all’ traffic that you don’t specifically authorize
• Turn on intrusion detection and blocking
• Turn on notifications
• Turn off Network Address Translation to hide your internal addresses from the internet
• Check for and install updates as soon as they become available
• Permit only ‘established’ connections into your network
What’s the answer?
Although the checklist above is a beneficial starting point, to delve deeper, you should review your organization’s specific requirements, overall cyber hygiene and the ‘rules’ needed to enhance your network security. As such, the key to compliance is continuous testing and ongoing monitoring of rules with vulnerability audits and penetration tests, remediating issues as they are found to ensure cardholder data is protected at all times. It’s best practice to keep up-to-date documentation for all firewall policies and procedures, including business justification for each port or protocol allowed through. Additionally, access to network resources and cardholder data needs to be logged and reported, with frequent tests of security and processes.
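The checklist items on ‘any’, ‘deny all’ and ‘established’ connections, together with the business justification required for each allowed port or protocol, can be checked mechanically. The sketch below is an added example, not part of the original article and not Titania Nipper’s code; the rule model, the finding texts and the sample rule set are constructed and vendor-neutral.

```python
from dataclasses import dataclass

@dataclass
class Rule:                      # constructed, vendor-neutral rule model (assumption)
    action: str                  # "allow" or "deny"
    direction: str               # "in" or "out", relative to the payment systems
    src: str
    dst: str
    port: str
    state: str = "new"           # "new" or "established"
    justification: str = ""      # documented business reason for the rule

def audit(rules):
    """Return (rule_index, finding) pairs; index -1 is a rule-set-level finding."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        wild = [f for f in ("src", "dst", "port") if getattr(r, f) == "any"]
        if wild:
            findings.append((i, "allow rule uses 'any' in " + ", ".join(wild)))
        # Flagged for review: the checklist permits only established inbound traffic.
        if r.direction == "in" and r.state != "established":
            findings.append((i, "inbound allow admits new connections"))
        if not r.justification.strip():
            findings.append((i, "no business justification recorded"))
    # Both inbound and outbound traffic must fall through to an explicit deny all.
    for d in ("in", "out"):
        scoped = [r for r in rules if r.direction == d]
        last = scoped[-1] if scoped else None
        if not (last and last.action == "deny"
                and (last.src, last.dst, last.port) == ("any", "any", "any")):
            findings.append((-1, f"no final 'deny all' for direction '{d}'"))
    return findings

# Constructed sample rule set (documentation address ranges, not from the article).
SAMPLE = [
    Rule("allow", "out", "10.0.5.20", "198.51.100.7", "443",
         justification="Card authorisation to acquirer"),
    Rule("allow", "in", "198.51.100.7", "10.0.5.20", "1024-65535",
         state="established", justification="Return traffic for rule 0"),
    Rule("allow", "in", "any", "10.0.5.20", "22"),
    Rule("deny", "in", "any", "any", "any"),
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE):
        print("rule-set" if idx < 0 else f"rule {idx}", "-", msg)
```

On the sample, rule 2 is reported three times (wildcard source, new inbound connections, no justification) and the rule set is reported once for lacking an outbound ‘deny all’.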
The number of data breaches is on the rise and has increased by 54% in the first six months of 2019 compared to the same period in the previous year, with addresses, credit card and social security numbers stolen in 11% of attacks. Finding ways to free up your team’s time to remediate issues and mitigate your risk - rather than just identifying and diagnosing network vulnerabilities - is key to staying secure. Not all security checks have to be completed manually; automation tools can support you in your security mission, shifting your organizational strategy from compliance-based to a proactive security-first approach that assures compliance with risk management frameworks like PCI DSS.
How can Titania Nipper help?
Trusted by ISAs and QSAs around the world, Titania Nipper automates six of the 12 PCI DSS compliance check processes, enabling teams to focus on more strategic issues whilst efficiently achieving PCI DSS compliance. Using Nipper to complete a PCI DSS audit of automatable checks saves an average of three hours per device and helps reduce the mean time to remediate issues, because Nipper reports also provide the exact technical fixes required to resolve any issues identified.
Nipper helps merchants achieve six core principles by demonstrating they:
• Build and maintain a secure network and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
To install and maintain a firewall which meets PCI requirements, it’s critical to establish and address basic cyber hygiene principles, including the PCI Security Standards Council’s recommendations, before moving onto wider issues. This will include the creation of configurations tailored to your organization’s specific needs. However, once set up, many of the checks needed to maintain a secure firewall can be automated with the right tools like Titania Nipper, saving you time and resources, reducing your team’s alert fatigue as well as mitigating your risk of non-compliance and security breaches.