The PCI Security Standards are the documented requirements for any organization that interacts with cardholder data or credit card authorizations. The standards are maintained by an industry council made up of the major card brands, i.e. American Express, Visa, MasterCard, Discover, and JCB. The standards could be described as “best practices” for securing sensitive cardholder data – the level of security your firm should already be at. However, achieving compliance with the PCI security standards will likely cost your firm a good deal of money.
This tutorial is the first in a series of PCI tutorials explaining the self assessment questionnaire in great detail. We will review each section, requirement, and individual question.
The PCI self assessment questionnaire (SAQ) is completed by merchants who are not required to have a full on-site audit performed by a qualified security assessor (QSA). The SAQ follows the structure of the PCI standard and reduces each point of the standard to a Yes/No question. Completing an SAQ does not make you compliant; rather, you are attesting that you meet the standard as defined. We recommend reading the complete standard so you do not make any assumptions about the questions on the SAQ.
We are reviewing SAQ D, which is the full SAQ for any type of merchant who accepts credit cards or handles sensitive cardholder or authentication data. This document reviews the first requirement of Build and Maintain a Secure Network, and explains each question so you understand the amount of detail and knowledge required to adequately complete the questionnaire.
The PCI standard is confusing and requires individuals who understand business process, technical implementation, physical and network security, and systems analysis. A QSA often brings in a team of analysts to assess each section for compliance. If you are responsible for PCI compliance in your organization, it is difficult to understand each part of the standard. In this tutorial, we are attempting to explain each section in language you can understand!
Each section of the PCI security standard addresses a requirement. There are 12 requirements, grouped into six sections:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
We will be reviewing the first requirement of section 1, Build and Maintain a Secure Network:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Remember: the scope of your assessment is networks, computers, equipment, and people that connect to machines processing or storing credit card data. If you have a retail store and a corporate network, and your corporate network does not connect directly to or store/process credit card data, it could be considered out of scope for the assessment. You would not have to assess the corporate network. If it is not a separate network, it would be considered in scope for the assessment. This is very important for a potential audit – if you believe a network is out of scope but your QSA finds that it is in scope, your cost to come into compliance could go up quite a bit.
Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data
Requirement 1.1: Do established firewall and router configuration standards include the following?
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall and router configurations?
1.1.2 Current network diagrams with all connections to cardholder data, including any wireless networks?
1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone?
1.1.4 Description of groups, roles, and responsibilities for logical management of network components?
1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure?
1.1.6 Requirement to review firewall and router rule sets (at least every six months)?
This requirement is directed at your Information Technology team or at your outsourced provider’s technology team. A big portion of the PCI security standards revolves around configuration and documentation. In this first requirement, the security standard is looking at the configuration of your firewalls and routers.
A router connects two networks and forwards traffic between them, including to and from the Internet. A firewall inspects traffic entering a network and decides whether it is permitted to be there. For example, a firewall blocks people on the Internet from connecting into your corporate network, while still allowing you to visit websites.
In requirement 1.1.1, a formal process must be written for approving and testing all external network connections and changes to the firewall and router configurations. You must write a document which defines this process – it isn’t enough to say “Jim knows how to do it” or “Todd takes care of that” – a formal process must be written down which is then followed to make changes to firewall or router configurations.
Requirement 1.1.2 requires that a current network diagram with all connections to cardholder data be created. This includes physical, hard-wired networks and wireless networks. A network diagram is a pictorial representation of the network infrastructure. You must create a network diagram (using a tool such as Visio) and keep it up to date.
At each Internet connection, you must have a firewall installed (requirement 1.1.3). At each side of a DMZ, you must have a firewall installed. As we learned earlier, a firewall protects a network by deciding what connections and packets of information are allowed in and out. Believe it or not, I have worked with clients who did not have a properly configured firewall (in some cases, no firewall at all) at the connection point with the Internet. You must have standard security protection between your network and the Internet. A de-militarized zone (DMZ) is a network between the Internet and your corporate network where servers reside that perform functions requiring Internet access – such as a web server or mail server. It is a separate network to reduce the chance someone from the outside can connect directly to an internal server or PC on your internal network. You must have a firewall on the internal side of the DMZ.
Who manages the network at your company? Who is responsible for maintaining network devices? Who creates and updates the network diagram? Requirement 1.1.4 requires that you document who is responsible for managing the logical devices in your network. You must write down who is responsible, who their backup is, and what responsibilities they have (we told you this is going to be a lot of documentation!).
Requirement 1.1.5 is also a documentation requirement: you must document each service, protocol, and port required, the business justification for it, and any security features you implement for insecure protocols. Each allowed service or protocol is an opening in your external security boundary, and you must document what it is used for and why it must be open. For example, SMTP runs on port 25 and is required for email to function properly; SMTP is used to send email from one server to another. There are many insecure protocols, and each of these requires additional documentation stating how you compensate for the lack of security. For example, your company may have an FTP (file transfer protocol) server accessible externally for vendors to drop files into. FTP is an insecure protocol by default, but you may have implemented SFTP, a secure replacement for FTP, at your company. Document the security process and protocols used to compensate for insecure protocols such as FTP.
Finally, requirement 1.1.6 states that you must review your firewall and router rule sets at least every six months. We recommend creating a PCI security policy and documenting that your firewall and router rules must be reviewed every quarter, who performs the review, and who is accountable for ensuring the review is complete. Document the review each quarter so that if you are audited, you have a record that the firewall was reviewed.
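Requirements 1.1.5 and 1.1.6 are documentation requirements, and the easiest way to keep that documentation honest is to check it mechanically before an assessor does. The following is an added example, not code from the original tutorial or from the PCI council: it keeps a small, constructed inventory of allowed services (the service names, ports, justifications, compensating controls, review dates and the "insecure protocol" list are all sample data chosen for illustration) and reports the three things an assessor would flag: an allowed service with no business justification, an insecure protocol with no documented compensating control, and a rule-set review that is older than six months.

```python
from datetime import date, timedelta

# Constructed inventory of services allowed through the perimeter (sample data, not from the page).
# Each entry records what requirement 1.1.5 asks for: the service, its port and protocol, the
# business justification, and, for protocols considered insecure, the compensating security features.
ALLOWED_SERVICES = [
    {"service": "HTTPS", "port": 443, "proto": "tcp",
     "justification": "Public web storefront"},
    {"service": "SMTP", "port": 25, "proto": "tcp",
     "justification": "Inbound mail to the DMZ relay"},
    {"service": "FTP", "port": 21, "proto": "tcp",
     "justification": "Vendor file drop",
     "compensating_control": "Vendors migrated to SFTP; FTP limited to an allowlist of vendor IPs"},
    {"service": "Telnet", "port": 23, "proto": "tcp",
     "justification": ""},                       # open, but nobody wrote down why
    {"service": "RDP", "port": 3389, "proto": "tcp",
     "justification": ""},                       # same problem, a common audit finding
]

# Protocols this hypothetical policy treats as insecure unless compensated for.
INSECURE_PROTOCOLS = {"FTP", "Telnet", "HTTP", "SNMP"}

# Constructed log of documented rule-set reviews (requirement 1.1.6); dates are sample values.
REVIEW_LOG = [date(2008, 7, 10), date(2009, 1, 15)]

REVIEW_INTERVAL = timedelta(days=182)   # "at least every six months"


def missing_justification(services):
    """Names of allowed services with no documented business justification (1.1.5)."""
    return [s["service"] for s in services if not s.get("justification", "").strip()]


def insecure_without_controls(services):
    """Insecure services that lack a documented compensating control (1.1.5)."""
    return [s["service"] for s in services
            if s["service"] in INSECURE_PROTOCOLS
            and not s.get("compensating_control", "").strip()]


def review_overdue(review_log, today, interval=REVIEW_INTERVAL):
    """True if the most recent documented review is older than the interval, or none exists (1.1.6)."""
    if not review_log:
        return True
    return today - max(review_log) > interval


def compliance_findings(services, review_log, today):
    """Collect everything an assessor would flag for requirements 1.1.5 and 1.1.6."""
    return {
        "missing_justification": missing_justification(services),
        "insecure_without_controls": insecure_without_controls(services),
        "review_overdue": review_overdue(review_log, today),
    }


if __name__ == "__main__":
    # Constructed "today" for the sample run; in practice use date.today().
    print(compliance_findings(ALLOWED_SERVICES, REVIEW_LOG, date(2009, 9, 1)))
```

Run against the sample inventory, the report names Telnet and RDP as open without justification, Telnet as insecure with nothing compensating for it, and the review as overdue (the last one is well past six months old). The same three checks can be pointed at whatever spreadsheet or ticket system actually holds your service inventory; the point is that the justification and the review record are data you can query, not tribal knowledge.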
Requirement 1.1 focuses on documenting the external security of your corporate network. In the next requirement, we will focus on the implementation of this documented security.
Requirement 1.2: Does the firewall configuration restrict connections between untrusted networks and any system in the cardholder data environment as follows:
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment?
1.2.2 Secure and synchronize router configuration files?
1.2.3 Include installation of perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment?
In requirement 1.2, we are ensuring that the firewall configuration follows a least-allowed principle – permitting only the smallest number of ports necessary for business to occur. This does not require you to drop everything; you must justify each port required and allow only those required to do business. An untrusted network is one which your firm does not control, such as the Internet or a partner network.
Requirement 1.2.1 states that you must restrict both inbound and outbound traffic. Your firewall rules should define only the ports and services required for your business purposes and drop everything else. You need to restrict both incoming and outgoing traffic to the minimum necessary.
In requirement 1.2.2, you must secure your router configuration files. Your router likely has a web-based interface – you must ensure that password protection is in place before anyone can configure your routers or firewalls.
Finally, requirement 1.2.3 addresses security with wireless networks. Unless it is required, we do not recommend connecting a wireless network to a cardholder data environment. If you do implement a wireless network, it should be separated by a firewall so that if the wireless network is compromised, attackers cannot reach sensitive cardholder data or authentication data.
Requirement 1.3: Does the firewall configuration prohibit direct public access between the Internet and any system component in the cardholder data environment?
1.3.1 Is a DMZ implemented to limit inbound and outbound traffic to only protocols that are necessary for the cardholder environment?
1.3.2 Is inbound Internet traffic limited to IP addresses within the DMZ?
1.3.3 Are direct routes prohibited for inbound or outbound traffic between the Internet and the cardholder data environment?
1.3.4 Are internal addresses prohibited from passing from the Internet into the DMZ?
1.3.5 Is outbound traffic restricted from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ?
1.3.6 Is stateful inspection, also known as dynamic packet filtering, implemented (that is, only established connections are allowed into the network)?
1.3.7 Is the database placed in an internal network zone, segregated from the DMZ?
1.3.8 Has IP-masquerading been implemented to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space?
Use Network address translation (NAT) technologies—for example, port address translation (PAT).
One of the core premises of protecting cardholder data is that if you reduce the opportunities for something bad to happen, you reduce the likelihood that it will. If you prevent direct access between untrusted networks such as the Internet and your cardholder data environment, you reduce the ability of some unseemly fellow to steal the data.
Requirement 1.3 requires that your firm not permit a direct connection between the Internet and a cardholder data environment. You might laugh and think, what idiot would permit a direct connection from the Internet to cardholder data? Unfortunately, many companies do it every day with their ecommerce solutions, or through a misconfigured DMZ and an unprotected server.
In requirement 1.3.1, you must implement a DMZ with limited connections to the Internet and to the cardholder data environment. A DMZ, or de-militarized zone, is a network separate from your corporate network which hosts the applications and connections that must be reachable from the Internet. You should not keep any cardholder data in the DMZ; instead, keep the data on the private corporate network.
Inbound traffic from the Internet should be restricted to machines and devices within your DMZ (requirement 1.3.2). Your corporate network should be configured so that direct Internet traffic never reaches internal machines, but only the machines and devices residing in the DMZ. If an attacker has no direct path to the internal network, he cannot attack it directly.
In requirement 1.3.3, we determine whether Internet traffic can reach a device within the cardholder environment. There should be no direct path, inbound or outbound, between a device in the cardholder environment and the Internet. A lot of ecommerce configurations fail this requirement because they are directly connected to the Internet.
Some creative attackers might try to fool your configuration by spoofing an internal IP address as a way to connect to your network. Your configuration should drop these connections (requirement 1.3.4) and only allow “publicly routable” source addresses into the DMZ from the Internet. In networking, there are public and private IP addresses. The most common private address ranges start with 10. (such as 10.1.1.1) and 192.168. (such as 192.168.1.100). Your internal network likely uses a 10 or 192.168 address space, while out on the Internet there is a wide range of publicly routable IP addresses. Ensure your firewall only accepts publicly routable source addresses on its Internet-facing interface.
Requirement 1.3.5 states that machines within the cardholder data environment should only be able to connect to machines or devices in the DMZ, and not directly to machines on the Internet. You might be thinking, but my users require web or mail access! This does not mean they can’t have either of those – what it means is that the machines must connect through something in the DMZ, such as a mail server or web proxy server. The mail server or proxy server then connects to the Internet. The distinction is that the cardholder environment should not have a direct connection to machines on the Internet.
When your computer on the corporate network connects to a Web site, it uses your external connection to relay to the Web site. When you establish the connection, there are a lot of things going on – how does the network know that your machine connected to Learnthat.com and not to MyTutorials.com? When it does connect, it is similar to calling someone on a CB radio. You send a message, they reply, and so on. If someone on the CB is calling for someone else, you ignore it. Stateful inspection checks that a packet arriving on the outside of your firewall belongs to a connection you initiated from the internal side; anything else is ignored. In requirement 1.3.6, we learn that we must use stateful packet inspection (part of what a firewall does) to ensure that connection attempts are desired and correct.
Requirement 1.3.7 requires you to place your cardholder data in a segmented internal network and not in the DMZ. Many firms mistakenly place it in the DMZ due to a lack of technical ability or money to properly set up a DMZ and a separate cardholder data environment. You want the database on your private network, as it is the most secure location for it. If it is in the DMZ with your web server and mail server and an attacker cracks your mail server, he may be able to connect to your database server.
In requirement 1.3.8, we learn that we must use IP masquerading and not use publicly routable IP addresses on the internal network. As we discussed earlier (with the examples of 10.1.1.1 or 192.168.1.100), a private IP address is not routable on the Internet. Using NAT (network address translation), we limit the ability of external machines to connect directly to internal machines, and we avoid revealing internal addresses on the Internet.
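The controls in requirements 1.2.1 and 1.3 are easier to reason about as one packet-filtering policy than as eight separate questions. The following is an added example written for this tutorial, not code from the original page or from any firewall vendor: a small Python model of a perimeter firewall with three interfaces (Internet, DMZ, and cardholder data environment) that applies, in order, stateful inspection (1.3.6), anti-spoofing of RFC 1918 source addresses on the Internet side (1.3.4), inbound only to published DMZ services (1.3.2 and 1.3.3), CDE egress only to DMZ relays (1.3.5), DMZ egress with port address translation (1.3.8), and default deny for everything else (1.2.1). The address plan (a 192.168.100.0/24 DMZ, a 10.20.0.0/16 CDE, the public address 203.0.113.1 and the published services) is a constructed assumption for the example.

```python
import ipaddress

# Constructed address plan for the example (assumptions, not from the page).
PUBLIC_IP = "203.0.113.1"                          # firewall's Internet-facing address
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")
CDE_NET = ipaddress.ip_network("10.20.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 1.3.2: the only (host, port) pairs the Internet may reach, all of them in the DMZ.
PUBLISHED = {("192.168.100.10", 443), ("192.168.100.20", 25)}
# 1.3.5: the only destinations a CDE host may open connections to: the DMZ mail relay and web proxy.
CDE_TO_DMZ = {("192.168.100.20", 25), ("192.168.100.30", 3128)}
# Ports the DMZ relays themselves may use toward the Internet.
DMZ_EGRESS_PORTS = {25, 80, 443}


def is_rfc1918(ip):
    """True if ip falls in one of the private ranges; such a source is never legitimate from the Internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in CDE_NET:
        return "cde"
    return "internet"


class PerimeterFirewall:
    def __init__(self):
        self.state = set()      # accepted flows as (src, sport, dst, dport)
        self.nat = {}           # (private src, sport) -> translated source port
        self._next_port = 40000

    def _open(self, src, sport, dst, dport):
        self.state.add((src, sport, dst, dport))
        return ("ACCEPT", "new flow recorded")

    def masquerade(self, src, sport):
        """1.3.8: port address translation. Internal addresses never appear on the Internet."""
        key = (src, sport)
        if key not in self.nat:
            self.nat[key] = self._next_port
            self._next_port += 1
        return (PUBLIC_IP, self.nat[key])

    def evaluate(self, iface, src, sport, dst, dport, syn=True):
        """Return (verdict, reason) for one TCP packet arriving on iface: 'internet', 'dmz' or 'cde'."""
        # 1.3.6 stateful inspection: a non-SYN packet is only accepted as the reply to a recorded flow.
        if not syn:
            if (dst, dport, src, sport) in self.state:
                return ("ACCEPT", "reply to established flow")
            return ("DROP", "no matching state")
        # 1.3.4 anti-spoofing: a private source address arriving from the Internet is forged.
        if iface == "internet" and is_rfc1918(src):
            return ("DROP", "spoofed private source on Internet interface")
        if iface == "internet":
            # 1.3.2 / 1.3.3: inbound reaches published DMZ services only, never the CDE.
            if zone_of(dst) == "dmz" and (dst, dport) in PUBLISHED:
                return self._open(src, sport, dst, dport)
            return ("DROP", "inbound not to a published DMZ service")
        if iface == "cde":
            # 1.3.5: CDE egress terminates in the DMZ (mail relay, web proxy), not on the Internet.
            if (dst, dport) in CDE_TO_DMZ:
                return self._open(src, sport, dst, dport)
            return ("DROP", "CDE may only reach DMZ relays")
        if iface == "dmz":
            if zone_of(dst) == "internet" and dport in DMZ_EGRESS_PORTS:
                self.masquerade(src, sport)          # hide the relay's private address
                return self._open(src, sport, dst, dport)
            return ("DROP", "DMZ egress not permitted")
        return ("DROP", "default deny")              # 1.2.1


def demo():
    """Run constructed packets through the model in order and return label -> verdict."""
    fw = PerimeterFirewall()
    packets = {
        "internet_to_dmz_https":       ("internet", "198.51.100.7", 51000, "192.168.100.10", 443, True),
        "internet_direct_to_cde":      ("internet", "198.51.100.7", 51001, "10.20.0.5", 443, True),
        "spoofed_private_source":      ("internet", "10.20.0.99", 51002, "192.168.100.10", 443, True),
        "cde_to_dmz_mail_relay":       ("cde", "10.20.0.5", 52000, "192.168.100.20", 25, True),
        "cde_direct_to_internet":      ("cde", "10.20.0.5", 52001, "198.51.100.9", 443, True),
        "relay_reply_to_cde":          ("dmz", "192.168.100.20", 25, "10.20.0.5", 52000, False),
        "unsolicited_non_syn_inbound": ("internet", "198.51.100.7", 4444, "192.168.100.10", 443, False),
        "dmz_proxy_to_internet":       ("dmz", "192.168.100.30", 33000, "198.51.100.9", 443, True),
    }
    return {label: fw.evaluate(*pkt)[0] for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:30s} {verdict}")
```

The ordering of the checks is the point: state is consulted first so that legitimate replies get through, the spoofing check runs before any allow rule so a forged 10.x source cannot borrow an internal host's privileges, and the final line is an unconditional drop, which is what "restrict traffic to that which is necessary" looks like in practice. The constructed packets show an ecommerce-style mistake (Internet straight to a CDE host) and a CDE workstation trying to reach the Internet directly both being dropped, while the same workstation reaching the DMZ mail relay, and the relay's reply, are accepted.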
Requirement 1.4: Has personal firewall software been installed on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network?
This requirement, requirement 1.4, applies to laptops that are in scope for the assessment. These laptops should be protected with personal firewall software that is properly configured to block unsolicited external access. This software should be more robust than the built-in Windows firewall and must be configured so that the user is limited in what they can change.
Summary of Requirement 1 of the PCI Security Standards
The first requirement of the PCI security standards is to document and configure your firewalls and routers correctly, including configuration of a DMZ and limiting traffic to your cardholder data environment. The first part of this requirement is to sufficiently document the environment and keep a written record of changes you make. You will find that PCI security requires a lot of documentation and record keeping. Becoming proficient at properly documenting your corporate environment is essential to passing a PCI security audit.
In our next PCI Security Standards requirement tutorial, we’ll explore security requirement 2.