Why Does a Small Business Need a PCI-Compliant Firewall?

August 31, 2020 • Category: PCI 101

You’ve just been informed that your small business needs a firewall for PCI compliance. If you have no idea what that is and why your small business would even need a PCI-compliant firewall, then you’ve come to the right place.

What is a PCI-Compliant Firewall?

In most merchant point-of-sale environments, the firewall is a hardware device that you connect to your IT network. The firewall serves as an important security tool, blocking bad or malicious internet traffic while appropriately routing other traffic so that your IT network operates optimally.

For PCI compliance, the firewall must be able to segment the secure payment-processing parts of your network from less secure parts (think back-office or visitor-accessible networks). It can also allow your customers to reach web servers or other publicly available services while protecting your secure internal networks.

A PCI-compliant firewall, then, has been configured for a payment card acceptance setting. That means the only network traffic allowed is documented and supported by a business need. And, like servers, workstations and other components of the cardholder data environment, your firewall needs periodic security reviews and software patching. Be sure to document any changes to the firewall configuration in accordance with your company’s change management procedures.

How Do You Get Started?

The process for implementing and maintaining a PCI-compliant firewall for your business includes these essential steps:

  • Select a reputable vendor in accordance with your Service Provider policy to assist in the installation of the firewall. If you are already working with an IT service provider, confirm that the provider understands PCI compliance and its application to firewalls.
  • Select (with the help of your IT provider) a state-of-the-art, name-brand firewall.
  • Confirm that the device is located in a place that is physically secured, like an access-controlled server room or equipment closet.
  • Confirm that logical access (ability to log on and perform administrative tasks) to the device is restricted to those with a job role that justifies having access to network equipment.
  • Confirm that vendor-supplied accounts (IDs and passwords provided by the firewall vendor for initial access) have been removed from the device.
  • Confirm that the firewall has been configured to permit only that network traffic required to run the business. All other traffic should be disallowed to ensure that the risk of unauthorized access to your network and business assets is reduced to the lowest level possible.
  • If the firewall chosen provides Intrusion Detection features or other security features, confirm that you and/or your IT provider get notification of any security events such as attempted access by hackers.
  • After implementation, consider having a third-party security service provider run a penetration test against your firewall from the Internet to provide assurance that the device is configured and operating as intended.
  • Work with your IT provider to ensure that periodic reviews of the firewall configuration are being performed. Confirm that vendor patches to firewall software are being applied on a regular basis.
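To make the "permit only what the business needs, deny everything else" step concrete, here is an added example (not code from the original post or from ControlScan) of a small policy model: three network zones, a default-deny evaluator, and a check that every allow rule carries a documented business justification. The zone names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample segmentation (assumed addressing, not from the original post).
ZONES = {
    "cde": ip_network("10.10.0.0/24"),          # POS terminals / payment segment
    "backoffice": ip_network("10.20.0.0/24"),   # staff workstations
    "guest": ip_network("192.168.50.0/24"),     # visitor-accessible Wi-Fi
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str       # a zone name above, or "internet"
    proto: str
    dport: int
    justification: str  # the documented business need behind this allow rule

def validate(rules):
    """Return a description of every allow rule that lacks a business justification."""
    return [f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dport}"
            for r in rules if not r.justification.strip()]

def zone_of(ip):
    """Map an address to its zone; anything outside the defined zones is the Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def is_permitted(rules, src_ip, dst_ip, proto, dport):
    """Default deny: a flow passes only when a documented rule explicitly matches it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src_zone == src and r.dst_zone == dst
               and r.proto == proto and r.dport == dport for r in rules)

# Constructed ruleset: each allow rule states why the business needs it.
RULES = [
    Rule("cde", "internet", "tcp", 443, "POS terminals send authorizations to the processor over TLS"),
    Rule("backoffice", "internet", "tcp", 443, "Staff web access for ordering and payroll"),
    Rule("guest", "internet", "tcp", 443, "Customer Wi-Fi; isolated from internal zones"),
]
assert not validate(RULES), "every allow rule must be documented"
```

Because nothing permits guest or back-office traffic into the `cde` zone, those flows are denied without any explicit deny rule, which is the segmentation the post describes.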

I hope you’ve found this post helpful on your journey to PCI compliance. Have additional questions? Just give ControlScan a call at 800-825-3301, ext. 2. We’re happy to help.