Take PCI Requirement #1: Install and maintain a firewall configuration to protect cardholder data. If you read all the requirements and the tests that accompany each requirement, it seems to sound quite straight forward. Well it is and it isn’t. The “isn’t” part lies in the ability to interpret some testing that really has not been spelled out for you. For example, throughout requirement #1 it tells you to “examine” and “verify” a whole host of configuration settings for network devices, particularly firewalls and routers. So how should you interpret “examine” and “verify”. As a Qualified Security Assessor (QSA) for PCI, I can tell you that just simply asking for the rulesets and configuration documents is simply not enough. You have to actually examine, interpret, read, and dissect the rules and configurations settings, match them against the test criteria, along with using the network topology documents (that should be developed) as further evidence. In short, simply printing out rulesets, throwing them in a folder as audit evidence and moving on to the next phase of the PCI is not going to cut it. If you want to brush on truly understanding rulesets and the configuration of network devices (routers, firewalls, load balancers, etc.), CISCO and JUNIPER and other network device providers have a host of free information on the internet.

To learn more about PCI DSS compliance and Requirement 1 and other areas of the PCI DSS v.1.2 standard, then visit PCIassessment.org.

Before you jump off a bridge because of the costs and time involved with PCI compliance, take a deep breath and look at it in a practical manner. The PCI security standards, official known as the Payment Card Industry Data Security Standards (PCI DSS v1.2) illustrates exactly what needs to be accomplished and validated for PCI compliance, if you have to have an onsite PCI assessment. If you don’t and you can essentially “self assess”, then you can simply obtain the “self assessment” questionnaires.

So how do you know if you need an onsite PCI assessment done by a QSA or a “self assessment questionnaire”? Well, find your transaction volume for processing credit cards, and that will give you the answer.

Once you’ve don that, you will be on your way to clearly understanding what needs to be done for purposes of PCI compliance.

To learn more about PCI compliance, the onsite PCI assessments and the different PCI “self assessment questionnaires” contact me directly and i will assist you in any way i can.