Building the ideal firewall for PCI compliance
November 19, 2014

The Payments Card Industry Data Security Standard has become more important set of rules for card issuers and retailers as security issues become a main focus. After data breaches affected major retailers everywhere, which in turn has caused customers to be greatly concerned about the safety of their consumer data and their credit card details. In order to address this problem, stores should be taking great care to establish their PCI-DSS credentials. That way, the risk of being compromised is greatly mitigated and patrons will find the merchant trustworthy enough to do business. One of way of doing this is to follow one of the first requirements of the standard and develop a strong firewall.

More than just an installation
The very first set of rules in the PCI-DSS concerns building and maintaining a secure network to protect all data. Requirement 1 is that all retailers who wish to be PCI compliant must have a firewall configuration installed on any hardware that connects to the Internet to create a shield for cardholder information. The reason to use a firewall is that it is the primary standard of preventing unwanted access.

There are several sub-requirements that are associated with Requirement 1. The first is that the firewall - which can be either hardware or software – and the router should be configured so that testing can be run whenever there are changes made. This rule also requires that the store identify any connections that lead to cardholder data and use different settings with each implementation to minimize the risk of brute-force attacks. The second stipulation is that the firewall should deny all traffic from "untrusted" sources except when necessary for the cardholder data. The third sub-rule is that store should prohibit any direct access on the Internet to any hardware components that are connected to the card data. Finally, any staff members that need to access the store's network, especially for reviewing sales data, should have firewall software installed as well.

While many of these stipulations require some IT assistance, a key point that the PCI Compliance Guide makes is that simply installing a firewall isn't enough to provide protection. Configuring the hardware and software is a necessity. A basic rule is to establish outbound data rules, since being lax on that front is a primary source of attack from hackers. Two-step authentication when accessing the data can greatly improve security as well. However, the most important thing to consider is Requirement 2, which is to not use system default or easy-to-use passwords in order to access the hardware or the data.

Nexus: G-WEBCD6