PCI DSS firewall rule review procedure 2024

, and other components properly configured, your first line of defense is optimized for card data protection.

2. Replace vendor-supplied defaults with strong passwords

Every component in your IT infrastructure, such as servers, network devices, point of sale (POS) systems, applications, wireless access points and other third-party products, must be protected with strong passwords. Never leave vendor-supplied defaults or generic passwords in place: they are simple, easy to guess and, in many cases, published online, which is why changing them is a requirement. You must also keep an inventory of the devices and software in your network that carry a password or another security setting (default accounts, SNMP community strings, encryption keys).

You should also document your company's configuration standards for each type of component, covering the period from when you obtain a third-party product until it enters your IT network. Doing this supports vulnerability management, so that you take all required hardening steps each time you introduce a new component to your IT infrastructure.

3. Protect stored cardholder data

The essence of PCI compliance is protecting cardholder data, which is why this third requirement is central. Companies must know what card data they store, where it is stored, and for how long it must be retained; data with no business need should not be stored at all, and sensitive authentication data (full track data, card verification codes, PINs) must never be stored after authorization.

Knowing what you store determines the most secure way to protect it. Stored PAN must be rendered unreadable wherever it is kept, using strong cryptography with industry-accepted algorithms, truncation, one-way hashing, or tokenization. Layering two controls, such as encryption plus tokenization, is typically considered the strongest approach.

Regularly scan storage, logs and backups for unencrypted primary account numbers (PAN), and make sure your PCI DSS encryption key management process (key generation, distribution, storage, rotation and retirement) is strong.

Also under the third requirement, businesses must apply standard masking controls when displaying primary account numbers: at most the first six and last four digits may be shown, and the remaining digits must be masked, so that only personnel with a legitimate business need can see the full PAN.

4. Encrypt cardholder data in transit

When cardholder data is transmitted across open, public networks, such as the Internet, wireless networks (WiFi, Bluetooth, cellular) and satellite links, it must be protected with strong cryptography, for example TLS 1.2 or later with trusted certificates. Unencrypted data on such networks is at great risk, because an attacker positioned on the path can intercept it.

Encryption in transit complements the protection of data at rest from the previous requirement. You should also document the source and destination of every card data flow so that data is never sent to or accepted from untrusted networks, and PAN must never be sent unprotected over end-user messaging technologies such as e-mail, instant messaging or SMS.

5. Install and maintain anti-virus software

Companies must install and maintain anti-malware software to protect systems against malicious code. All systems commonly affected by malware (e.g., laptops, desktops, workstations, servers and mobile devices providing local or remote access to the network) must have it installed, kept current, actively running, and generating audit logs that users cannot disable.

These devices are the usual entry point for malware that disrupts system functions and gives attackers unauthorized access to your network. An active, up-to-date anti-malware program detects known malware, blocks or removes it, and feeds its alerts into your monitoring.

6. Update your systems and software

The next layer of requirement is the update and maintenance of systems and applications. You should define and implement a process that identifies security risks from anti-virus programs to firewalls.

This process should deploy a reliable third-party source to classify these security risks and send notifications for any newly discovered vulnerabilities in the PCI DSS environment. To ensure effective vulnerability management, you should patch (update) all systems, especially those that store or interact with the cardholder data.

Examples of other systems that should be patched regularly include routers, application software, switches, databases, and POS terminals. Timely patching helps you resolve any vulnerabilities or bugs (errors) in your system before bad actors take advantage of them.

7. Restrict access to data

Access control is a central criterion for PCI compliance. Employees should have access only to the data and systems required to fulfil their roles and meet business needs; in other words, access to card data and to the systems that handle it must be granted strictly on a need-to-know basis, with a default of deny-all.

All staff who do not need cardholder data for their role must be prevented from accessing it, to avoid unnecessary exposure of sensitive data. You must also keep a comprehensive list of all staff who need card data and their roles. Other details to document include:

role definition

current privilege level

expected privilege level

data resources required by each user to execute operations on card data.

8. Establish unique IDs for those with access

After determining which users need access to cardholder data, you are required to assign each of them a unique ID. Some organizations use shared or group accounts and passwords, which makes it impossible to attribute a given action to a person.

Such organizations must switch to unique IDs for every authorized user to meet the eighth requirement. In addition, multi-factor authentication must be implemented for all non-console administrative access to the cardholder data environment and for all remote network access originating from outside the network.

A unique ID for each person with access to card data, combined with strong authentication, lets you trace any unusual activity back to the user who performed it. Every user is accountable for their own actions and can be held responsible, up to and including disciplinary action, for security violations.

When a security incident occurs, unique IDs enable a swift, targeted response (disable one person's account rather than a shared one everyone depends on) before serious damage is done.

9. Physical access needs to be limited

Physical access to systems and media holding cardholder data must be restricted to prevent theft, manipulation or destruction. Such systems and media must be kept in a secure location (a locked room, drawer or cabinet).

Monitor the entry and exit points of sensitive areas such as data centres with surveillance cameras or electronic access controls, and retain the resulting recordings and logs for at least three months unless the law requires otherwise. Visitors must be authorized, escorted, easily distinguishable from staff, and recorded in a visitor log that is also retained for at least three months.

Whenever an employee changes roles or leaves, badges, keys and any company devices that hold cardholder data or provide access to the internal network must be recovered and the person's access revoked.

Finally, media containing cardholder data must be securely destroyed (shredded, incinerated or pulped for paper; wiped or physically destroyed for electronic media) when it is no longer needed for business or legal reasons.

10. Establish and maintain access logs

One very common area of non-compliance is the establishment and maintenance of audit logs. Organizations must record all access to system components and cardholder data, including who accessed what, when, from where, and whether the action succeeded or failed.

The collected logs must be reviewed at least daily to detect and address irregular activity, and all log sources must use a synchronized, trusted time source so that events can be correlated. Audit trails must be protected from tampering and retained for at least one year, with a minimum of three months immediately available for analysis.
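A daily review is only useful if it asks concrete questions of the log. The following is an added example, written for this page and not part of the original article, of the kind of checks a reviewer automates: logins to in-scope hosts by accounts that are not on the need-to-know list (Requirement 7), use of shared or generic accounts that defeat the unique-ID rule (Requirement 8), and bursts of failed logins that should have triggered lockout. The host names, access policy, account names and log format are all hypothetical; the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical access policy for two in-scope hosts (Requirement 7, need-to-know).
AUTHORIZED = {
    "cde-db01": {"dba.alice", "ops.bob"},
    "cde-app01": {"ops.bob"},
}
# Generic or shared account names whose use breaks the unique-ID rule (Requirement 8).
SHARED_ACCOUNTS = {"root", "admin", "administrator", "operator", "pos"}
FAIL_THRESHOLD = 6                  # PCI DSS locks an ID after at most six failed attempts
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample: one day of SSH authentication events in a simple key=value format.
SAMPLE_LOG = """\
2024-03-01T02:11:05Z cde-db01 sshd user=dba.alice result=success src=10.10.5.12
2024-03-01T02:12:40Z cde-db01 sshd user=admin result=success src=10.10.5.40
2024-03-01T03:01:00Z cde-app01 sshd user=carol result=failure src=198.51.100.7
2024-03-01T03:02:00Z cde-app01 sshd user=carol result=failure src=198.51.100.7
2024-03-01T03:03:00Z cde-app01 sshd user=carol result=failure src=198.51.100.7
2024-03-01T03:04:00Z cde-app01 sshd user=carol result=failure src=198.51.100.7
2024-03-01T03:05:00Z cde-app01 sshd user=carol result=failure src=198.51.100.7
2024-03-01T03:06:00Z cde-app01 sshd user=carol result=failure src=198.51.100.7
2024-03-01T03:09:10Z cde-app01 sshd user=carol result=success src=198.51.100.7
2024-03-01T09:30:00Z cde-app01 sshd user=ops.bob result=success src=10.10.5.12
"""


def parse_line(line: str) -> dict:
    """Split one '<ts> <host> <service> k=v k=v ...' line into a dict."""
    ts, host, _service, *kv = line.split()
    ev = dict(tok.split("=", 1) for tok in kv)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["host"] = host
    return ev


def review_log(log_text: str):
    """Return a de-duplicated list of (rule, user, host) findings."""
    findings = []
    recent_failures = defaultdict(list)   # (host, user, src) -> failure timestamps in window

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["host"], ev["user"], ev["src"])
        if ev["result"] == "failure":
            # Sliding window: keep only failures within FAIL_WINDOW of this one.
            window = [t for t in recent_failures[key] if ev["ts"] - t <= FAIL_WINDOW]
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD:
                add(("brute-force", ev["user"], ev["host"]))
                window = []                      # reset so one burst is reported once
            recent_failures[key] = window
            continue
        # Successful login: check the identity rules.
        if ev["user"] in SHARED_ACCOUNTS:
            add(("shared-account", ev["user"], ev["host"]))
        elif ev["user"] not in AUTHORIZED.get(ev["host"], set()):
            add(("unauthorized-access", ev["user"], ev["host"]))
    return findings


if __name__ == "__main__":
    for rule, user, host in review_log(SAMPLE_LOG):
        print(f"{rule:20} user={user} host={host}")
```

On the sample this yields three findings: the shared "admin" login on cde-db01, six failures for "carol" inside ten minutes on cde-app01, and carol's subsequent successful login to a host she is not authorized for. The successful login after a failure burst is exactly the sequence a reviewer wants surfaced the same day rather than discovered months later.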

11. Scan and perform tests to identify vulnerabilities

Attackers know that every system has some degree of vulnerability, which is why they continually try new methods to penetrate networks and steal data. Frequent vulnerability scans and penetration tests let you stay ahead of them and keep users' payment card details safe.

Vulnerability scans uncover known weaknesses in software and configuration across your environment; PCI DSS requires internal and external scans at least quarterly and after any significant change, with external scans performed by an Approved Scanning Vendor (ASV). Penetration testing goes further: a tester uses the same tools and techniques as an attacker to discover and exploit weaknesses in your IT infrastructure, and it must be performed at least annually and after significant changes.

As a result, you can close gaps in your wired and wireless networks, and in your applications, before cybercriminals find them.

12. Document your policies

The last requirement concerns the documentation of information security policies. Policies must be reviewed at least annually, updated as threats and the environment change, and disseminated to all relevant personnel, including employees, contractors and vendors.

Important information to include in this documentation includes your inventory of equipment, the flow and storage of cardholder data, the software in use, employees with access to

What are the requirements for firewall review for PCI DSS?

A firewall alone does not protect business data; it must work with the other controls above. For PCI DSS, firewall logs must be reviewed as part of the daily log review, the firewall software must be kept updated and patched, the firewall must be included in vulnerability scans, and the firewall and router rule sets must be reviewed at least every six months against the documented configuration standards.

How do you conduct a firewall rule review?

Gather information ahead of the firewall audit.

Evaluate the organization's change management approach.

Audit the operating system and physical security of the firewall.

Take a hard look at firewall rule settings.

Perform a risk assessment and address issues that are uncovered.

Make a plan for conducting ongoing audits.

How often should firewall rules be reviewed?

Firewall rule sets and router rule sets must be reviewed at least every six months, and the firewall software must be kept updated. Each review verifies the rule base against the documented firewall and router configuration standards, confirms that every rule still has a business justification and an owner, and removes rules that are obsolete, shadowed or overly permissive.

What is the firewall configuration review process?

A firewall configuration review covers the following:

a complete review of all the associated hardware devices (firewalls, routers, and the management hosts that administer them)

verification that each rule grants the least possible privilege (specific sources, destinations, protocols and ports, no "any/any" permits, and a default deny at the end of the rule base)

a review of the accounts set up on the firewall and its operating system (unique IDs, no vendor defaults, multi-factor authentication for administrative access).
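The rule-settings step of the six-step procedure above and the least-privilege check in the configuration review are the parts that benefit most from tooling, because a rule base of a few hundred lines cannot be read reliably by eye. The following is an added example written for this page, not the article's own procedure and not a vendor tool. It takes a rule base in evaluation order and reports the findings a reviewer documents: permits for any protocol and port, inbound rules from untrusted networks into the CDE that are not on the approved-service list, rules with no business justification, rules not reviewed within six months, and rules shadowed by an earlier rule that already matches everything they would. The zoning (10.0.0.0/8 trusted, 10.20.0.0/16 as the CDE), the approved-service list, the field names and the rule base itself are all hypothetical, constructed for the example.

```python
from datetime import date, timedelta
from ipaddress import ip_network

# Hypothetical zoning for this example: everything in 10.0.0.0/8 is internal and
# trusted, and 10.20.0.0/16 is the cardholder data environment (CDE).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
CDE_NETS = [ip_network("10.20.0.0/16")]
# Inbound services from untrusted networks into the CDE that the configuration
# standard explicitly approves, as (protocol, port).
APPROVED_INBOUND = {("tcp", "443")}
REVIEW_DATE = date(2024, 3, 1)
MAX_REVIEW_AGE = timedelta(days=182)    # six-month review cycle

# Constructed rule base, in evaluation order (first match wins). Field names are
# our own; map them from your vendor's export.
RULESET = [
    {"id": 10, "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.1.10/32",
     "proto": "tcp", "port": "443", "justification": "Public payment API behind WAF",
     "last_reviewed": "2024-01-15"},
    {"id": 20, "action": "allow", "src": "10.10.5.0/24", "dst": "10.20.0.0/16",
     "proto": "tcp", "port": "22", "justification": "Admin jump hosts to CDE",
     "last_reviewed": "2023-06-01"},
    {"id": 30, "action": "allow", "src": "10.10.5.12/32", "dst": "10.20.1.20/32",
     "proto": "tcp", "port": "22", "justification": "",
     "last_reviewed": "2024-02-01"},
    {"id": 40, "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.0/16",
     "proto": "any", "port": "any", "justification": "temporary troubleshooting",
     "last_reviewed": "2024-02-20"},
    {"id": 999, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "any", "port": "any", "justification": "Default deny",
     "last_reviewed": "2024-02-20"},
]


def covered_by(net, nets):
    """True if `net` lies entirely inside one of `nets`."""
    return any(net.subnet_of(n) for n in nets)


def rule_covers(earlier, later):
    """True if `earlier` matches every packet `later` would match, so `later`
    can never fire (it is shadowed)."""
    return (ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
            and ip_network(later["dst"]).subnet_of(ip_network(earlier["dst"]))
            and earlier["proto"] in ("any", later["proto"])
            and earlier["port"] in ("any", later["port"]))


def review_ruleset(rules, today=REVIEW_DATE):
    """Return (rule id, issue) findings for the rule base, in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        src, dst = ip_network(rule["src"]), ip_network(rule["dst"])
        if rule["action"] == "allow":
            if rule["proto"] == "any" and rule["port"] == "any":
                findings.append((rule["id"], "allows-any-service"))
            if (not covered_by(src, TRUSTED_NETS) and covered_by(dst, CDE_NETS)
                    and (rule["proto"], rule["port"]) not in APPROVED_INBOUND):
                findings.append((rule["id"], "untrusted-to-cde"))
        if not rule["justification"].strip():
            findings.append((rule["id"], "no-justification"))
        if today - date.fromisoformat(rule["last_reviewed"]) > MAX_REVIEW_AGE:
            findings.append((rule["id"], "stale-review"))
        for earlier in rules[:i]:               # only earlier rules can shadow this one
            if rule_covers(earlier, rule):
                findings.append((rule["id"], f"shadowed-by-{earlier['id']}"))
                break
    return findings


if __name__ == "__main__":
    for rule_id, issue in review_ruleset(RULESET):
        print(f"rule {rule_id}: {issue}")
```

On the constructed rule base the review reports rule 20 as overdue for review, rule 30 as both unjustified and shadowed by rule 20 (a /32 inside 20's /24, same destination range, same service, so it never matches), and rule 40 as an any-service permit from the Internet into the CDE, which the "temporary troubleshooting" note does not excuse. Rule 10 also admits Internet traffic into the CDE but is on the approved list and documented, so it is silent; that distinction, approved and justified versus merely present, is what the six-monthly review is meant to record.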