PCI DSS requires that organizations build and maintain a secure network, including the secure configuration of firewalls and routers. By leveraging network security controls, organizations can prevent criminals from virtually accessing payment system networks and stealing cardholder data.
The network documentation is very important for network maintenance, security design and incident response tasks. The first step to compliance is to ensure that you have met the minimum requirements, which are described below.
Define a formal testing process. The network documentation and information security policy should include a formal testing process for any changes to the firewall and router settings. One way to test changes to the firewall configuration is by performing a detailed port scan of the host(s) protected by the firewall. Another way to test changes to the router configuration is by using the ping and traceroute commands common to most network-capable operating systems.
Attach a current network diagram. The network documentation should include an up-to-date network diagram, which shows all the network connections to the cardholder data. I’d suggest using a proper diagramming tool such as Microsoft Visio that can draw all network devices within the PCI DSS scope, especially those that store or transmit cardholder data. When all relevant network devices are mapped, draw the network connections between them, including any wireless connections. When this is completed, draw connections between them and external networks such as the Internet. Be sure to keep the network diagram up-to-date, and delegate the responsibility for maintaining the network documentation to a qualified staff member.
Attach a cardholder data flow diagram. Identify where on the network cardholder data is stored and how it flows through the network. Make a copy of the network diagram and add information to it to describe the flow of cardholder data.
Add a requirement for a firewall at each Internet connection and DMZ. The network documentation should require a firewall at each Internet connection and between any DMZ and the internal network. This requirement can be satisfied by including a paragraph in the network documentation that states, "A firewall should be installed at each Internet connection and between any DMZ and the internal network." Start by installing firewalls at each Internet connection and between each DMZ and the internal network.
Add descriptions of groups, roles, and responsibilities. The network documentation should include the descriptions and responsibilities of network management roles. Designate network management roles, such as network administrators, systems administrators, and information security officers. Assign responsibilities to each network management role and document their corresponding responsibilities.
Describe all protocols necessary for business. To identify the necessary protocols, it may be helpful to identify the network applications used by the business and include the corresponding protocols and ports used by the applications. A web search engine quickly yields typical ports and protocols used by most network applications. If custom port settings are used, which is a good practice to prevent automated attacks, the custom port settings should be documented.
Identify insecure protocols and explain why they are necessary. The network documentation should include a list of all insecure network protocols and explanations of why each is necessary for business operations. Some common Internet protocols have been proven to be insecure, such as FTP, which sends authentication credentials in plain text. Some email protocols may also send authentication information in clear-text, which is often overlooked because email is such an integral part of many business environments. Verify that each insecure service is necessary and cannot be easily replaced by a secure version, for example by replacing telnet with SSH. If possible, add security measures to each insecure service by using technologies such as VPN, allowlists, or application-specific extensions. Make sure to document each insecure service thoroughly, including the nature of the vulnerability and the implemented mitigation measures.
Explicitly authorize the necessary outgoing connections from the cardholder data environment to the Internet. Make a list of necessary outgoing connections from the cardholder data environment and specify local and remote hosts/ports for each connection (i.e. downloading software updates).
Document the firewall rule-set. Firewalls by nature should block all traffic that is not necessary for business operations. The network documentation should include descriptions and explanations of the restrictions imposed by each firewalls, including any ‘deny’ or ‘deny all’ rules.
Add a requirement to review firewall and router configurations at least every six months. The network documentation should include a requirement to review the firewall and router configurations at least every six months. To make sure the review is actually performed, delegate responsibility for reviewing the router and firewall configurations to a qualified staff member.
