Regulatory Compliance, Governance and Security

Feb 21 2009   12:57PM GMT

PCI Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data | What You Need to Know



Posted by: Charles Denyer
Tags: cisco, firewalls, juniper, load balancers, payment card industry data security standards (PCI DSS), PCI DSS, pci dss v1.2, PCI Requirement #1: Install and maintain a firewall configuration to protect cardholder data, qualified security assessor (QSA), routers, rulesets

For Payment Card Industry (PCI) compliance, there are twelve (12) core, functional requirements mandated under PCI DSS v1.2. What’s important to note is that you often need to “read between the lines” to interpret and understand what the PCI DSS standards are actually stating and asking you to validate.

Take PCI Requirement #1: Install and maintain a firewall configuration to protect cardholder data. If you read all the requirements and the tests that accompany each requirement, it sounds quite straightforward. Well, it is and it isn’t. The “isn’t” part lies in interpreting testing that has not really been spelled out for you. For example, throughout Requirement #1 it tells you to “examine” and “verify” a whole host of configuration settings for network devices, particularly firewalls and routers. So how should you interpret “examine” and “verify”? As a Qualified Security Assessor (QSA) for PCI, I can tell you that just simply asking for the rulesets and configuration documents is simply not enough. You have to actually read, interpret, and dissect the rules and configuration settings and match them against the test criteria, using the network topology documents (which should be developed) as further evidence. In short, simply printing out rulesets, throwing them in a folder as audit evidence, and moving on to the next phase of the PCI assessment is not going to cut it. If you want to brush up on understanding rulesets and the configuration of network devices (routers, firewalls, load balancers, etc.), Cisco, Juniper, and other network device providers have a host of free information on the internet.

To learn more about PCI DSS compliance, Requirement 1, and other areas of the PCI DSS v1.2 standard, visit PCIassessment.org.
