Build and Maintain a Secure Network

To build and maintain a secure network that complies with the PCI DSS, every system component, network component and data element involved in the authorization, retention, storage or transmission of cardholder data must be secured.

This article gives a high-level overview of the PCI DSS and of the audit checklist. Refer to the PCI DSS documentation and the PCI Security Standards Council Web site for a detailed breakdown of all requirements.

The scope of PCI DSS for Level 1 merchants includes the following areas:

  • Cardholder data: Primary Account Number (PAN), cardholder name, service code, expiration date, full magnetic stripe, CVC2/CVV2/CID and PIN/PIN block, including any data repository outside the authorization environment where 50,000 or more account numbers reside.
  • System components: network components, servers and applications that hold cardholder data or are connected to it. Applications include all purchased and proprietary/custom applications, as well as internal and external Internet applications. External connections into the merchant network, such as employee remote access, VisaNet and third-party access for processing and maintenance, are also in scope.
  • Network components: firewalls, switches, routers, wireless access points, network appliances and other security appliances. Server types include Web, database, authentication, mail, proxy, network time protocol (NTP) and domain name system (DNS) servers, together with all connections to and from the authorization and settlement environment, such as connections for employee access or for devices like firewalls and routers.
Point of Sale (POS) Environments
POS gets its own category because the type of POS environment a merchant runs determines whether it must be included in the audit.

If the POS environment is IP-based and also has external access to the merchant location via the Internet, a wireless device, a Virtual Private Network (VPN), a dial-up or broadband connection, or publicly accessible machines such as kiosks, the POS environment must be included in the scope of the on-site review.

If the POS environment is neither IP-based nor has any external connection or access to the merchant location, the on-site audit begins at the point of connection into the authorization and settlement environment.
Wireless Environments
According to the PCI DSS, wireless environments and technologies are the least secure. These technologies are still considered fairly new, and caution is encouraged for any merchant or service provider considering a wireless environment.

The rules, according to version 1.1 of the PCI DSS, are as follows:
  • If wireless technology is used to store, process or transmit credit card data, the Requirements and Testing Procedures for wireless environments apply and are mandatory.
  • If a wireless local area network (LAN) is connected to, or is part of, the cardholder environment, the Requirements and Testing Procedures for wireless environments apply and are mandatory.
  • If a merchant wishes to use wireless technology at all, it should consider using it only for the transmission of non-sensitive data.
Outsourcing and Service Providers
For merchants that outsource the storage, processing or transmission of credit card data to third-party service providers, separate Report on Compliance documents must explain the role of each service provider.

In addition, every service provider is responsible for validating its own compliance with the PCI DSS requirements, independently of its customers' audits.

Merchants and service providers must work together to put a contract in place with every associated third party, stating that the third-party service provider agrees to follow the PCI DSS.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

A firewall controls all traffic into and out of an organization's network: it examines every connection and blocks intrusive or unknown transmissions that do not meet the configured security criteria.

According to the PCI DSS, a firewall that protects the merchant or service provider from unauthorized Internet access, whether that access comes through employee desktops, employee e-mail accounts or e-commerce systems, is a key protection mechanism for any computer network.

See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf, sections 1.1-1.5, for more information.
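As an added example that is not from this page or from the PCI DSS itself, the following Python models a first-match firewall policy for a segmented network (Internet, a DMZ and a cardholder data environment, or CDE) and checks it for the properties Requirement 1 is after: only the flows the CDE needs are permitted, nothing reaches the CDE directly from the Internet, and the policy ends in an explicit deny. The zone names, addresses, rules and function names are all constructed for illustration.

```python
"""Added example: a tiny first-match firewall policy evaluator used to
sanity-check a ruleset against the Requirement 1 intent. Zones, addresses
and rules below are constructed, not taken from any real deployment."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed network zones (assumption: a DMZ fronts the CDE).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "cde":      ipaddress.ip_network("10.10.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    dport: Optional[int]   # None means any destination port


# Constructed ruleset, in the order the device evaluates it.
POLICY = [
    Rule("allow", "internet", "dmz", 443),   # public web tier only
    Rule("allow", "dmz", "cde", 3306),       # web tier -> database in the CDE
    Rule("allow", "cde", "dmz", 123),        # CDE may reach the NTP relay in the DMZ
    Rule("deny", "any", "any", None),        # explicit default deny
]

# Constructed counter-example: wide open into the CDE.
BAD_POLICY = [
    Rule("allow", "internet", "cde", None),
    Rule("deny", "any", "any", None),
]


def zone_of(ip: str) -> str:
    """Most-specific zone containing ip; 'internet' (0.0.0.0/0) is the catch-all."""
    addr = ipaddress.ip_address(ip)
    best = "internet"
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


def matches(rule: Rule, src_zone: str, dst_zone: str, dport: int) -> bool:
    return (rule.src in ("any", src_zone)
            and rule.dst in ("any", dst_zone)
            and rule.dport in (None, dport))


def decide(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; nothing matching is denied implicitly."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if matches(rule, src_zone, dst_zone, dport):
            return rule.action
    return "deny"


def policy_findings(policy: List[Rule]) -> List[str]:
    """Static checks a reviewer would make before signing off on the ruleset."""
    findings = []
    if not policy or policy[-1] != Rule("deny", "any", "any", None):
        findings.append("no explicit final deny-any rule")
    for r in policy:
        if r.action == "allow" and r.src == "internet" and r.dst == "cde":
            findings.append(f"direct Internet access to the CDE permitted: {r}")
        if r.action == "allow" and r.dport is None:
            findings.append(f"allow rule without a port restriction: {r}")
    return findings


if __name__ == "__main__":
    for src, dst, port in [("203.0.113.5", "192.0.2.10", 443),
                           ("203.0.113.5", "10.10.0.5", 3306),
                           ("192.0.2.10", "10.10.0.5", 3306),
                           ("10.10.0.5", "203.0.113.5", 443)]:
        print(src, "->", dst, port, decide(POLICY, src, dst, port))
    print("POLICY findings:", policy_findings(POLICY))
    print("BAD_POLICY findings:", policy_findings(BAD_POLICY))
```

The evaluator is deliberately simple (zones rather than full address objects, TCP destination port only), but it captures the two checks that matter for this requirement: a trace of the flows the business actually needs, and a static pass for rules that bypass the DMZ or permit "any" port.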

Requirement 2: Don't use vendor-supplied defaults for system passwords and other security parameters

This requirement is largely self-explanatory: vendor-supplied default passwords are widely published and easily exploited, and trying them is the first and easiest way an attacker gets into a network.

Although auditors check many other points, the gist of this requirement is to always change vendor-supplied defaults before installing a system on the network: for example, change passwords and simple network management protocol (SNMP) community strings, and eliminate unnecessary accounts.

For wireless environments, the audit also covers the vendor defaults: wired equivalent privacy (WEP) keys, the default service set identifier (SSID), passwords and SNMP community strings.

See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf, sections 2.1-2.5, for more information.
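As an added example, not code from this page or from any vendor, here is a small Python audit that reads a device configuration and flags the vendor defaults Requirement 2 (and, for wireless, its wireless sub-requirement) says must be changed: default SNMP community strings, default credentials, default SSIDs and WEP keys. The sample configuration, the lists of defaults and the function names are constructed for illustration; a real check would be driven by the vendor's documented defaults for the exact model in use.

```python
"""Added example: scan a device configuration for vendor defaults that must be
changed before the device goes on the network. The config lines and the lists
of defaults are constructed for illustration."""
import re
from typing import List, Tuple

# Constructed lists of well-known defaults (a real audit uses vendor docs).
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_SSIDS = {"linksys", "default", "tsunami", "netgear"}
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("cisco", "cisco")}

# Constructed sample config in an IOS-like syntax; line 4 is a changed community.
SAMPLE_CONFIG = """\
hostname pos-gw-01
username admin password 0 admin
snmp-server community public RO
snmp-server community s3cr3t-ro RO
dot11 ssid tsunami
 authentication open
encryption key 1 size 40bit 0 ABCDEF1234
""".splitlines()

Finding = Tuple[int, str]   # (line number, description)


def audit_config(lines: List[str]) -> List[Finding]:
    """Return one finding per config line that still carries a vendor default."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()

        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append((n, f"default SNMP community '{m.group(1)}'"))

        m = re.match(r"username (\S+) password \d+ (\S+)", line)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDENTIALS:
            findings.append((n, f"default credentials for user '{m.group(1)}'"))

        m = re.match(r"dot11 ssid (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SSIDS:
            findings.append((n, f"default SSID '{m.group(1)}'"))

        # WEP keys: the page lists them among the wireless defaults to change,
        # and WEP itself is a broken cipher that should not be relied on.
        if re.match(r"encryption key \d+ size (40|104|128)bit", line):
            findings.append((n, "WEP key configured; replace with WPA/WPA2"))
    return findings


def is_compliant(lines: List[str]) -> bool:
    return not audit_config(lines)


if __name__ == "__main__":
    for n, msg in audit_config(SAMPLE_CONFIG):
        print(f"line {n}: {msg}")
    print("compliant:", is_compliant(SAMPLE_CONFIG))
```

Run against a config export before the device is connected; every finding is a default that should be changed (or a feature, like WEP, that should be removed) before the system touches the cardholder data environment.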

© 2008 PCI Compliance Guide.org