PCI DSS - Credit Card Security Compliance for your Router
PCI DSS is the set of rules, defined by the payment card industry (PCI), which applies to any company that processes, accepts or stores payment card data (credit, debit or charge cards). The need for the DSS is clear in light of the many high-profile thefts of credit card data from major retailers in recent years, together with the exponential growth of e-commerce. Since the introduction of the DSS in 2004, the rules have evolved to address new risks and new technology.
How does this apply to my firewall?
In the context of your Internet connectivity and your router/firewall, the DSS imposes specific requirements, so it's important that you select a product which can be PCI DSS compliant. We deliberately say 'can be' because a product itself cannot be universally 'compliant'; only its configuration can be. Any product capable of PCI DSS compliance can also be set up in such a way that it is not compliant, so correct configuration and usage are vital.
Who does PCI DSS apply to?
The PCI DSS rules apply to any organisation or person who accepts, stores, works with or processes any payment card data. This includes online web shops, but also any retailer who has computer systems, even if they do not operate or trade online. It also includes online vendors who use third-party payment processing, i.e. even if you do not handle customer card data directly.
Precise requirements can vary according to your card merchant provider and your location. Your provider will advise you of their specific requirements. There are three main methods for confirming your compliance with PCI DSS:
- Self Certification. You will go through a questionnaire and confirm that you meet all of the requirements listed.
- Testing by an Approved Scan Vendor (ASV). You subscribe to a testing company which regularly scans your public-facing systems for vulnerabilities and reports back to you any failures.
- Assessment by a Qualified Security Assessor (QSA); a third party who will evaluate your systems and identify any lack of compliance.
Which of these three methods will be required depends on your service provider but also on the size of your organisation (by transaction volume). Currently, if you process fewer than 1 million transactions per annum, self-certification is permissible in most cases. It's important to note that you are not only required to 'pass' the DSS requirements like a one-time exam; you must continue to meet them on an ongoing basis.
The DSS Requirements for your firewall
The DSS covers a lot more than just your Internet connectivity; it covers all of your systems. In this overview, however, we're only summarising the requirements which directly relate to your Internet connection and firewall:
- Install and maintain a firewall on any network which processes card data
- The firewall must only permit services/traffic which is necessary to that Cardholder Data Environment (CDE).
- Document your network fully (with an up-to-date network diagram and inventory) and justify all enabled services (such as VPNs).
- Only authorised people may make changes to the firewall configuration; there must be a log of anyone making changes to the firewall configuration (an audit trail).
- Assign a unique user ID (login) to each person with firewall administrator access.
- Any wireless networks must be additionally firewalled or separated from the CDE.
- Direct public access to the CDE must be blocked. A DMZ, logically separated from the CDE, must be used for any systems which provide public services.
- Enable anti-spoofing measures to block and detect forged source IP addresses on incoming connections.
- Operate Stateful Packet Inspection (SPI). This ensures that only packets belonging to established connections are admitted into the CDE.
- Disable any features that you do not need to use.
- Use encryption for all firewall administrative access (e.g. SSH, HTTPS, SSL etc.).
- Keep private IP addresses secret. NAT is one way to hide private/internal IP addresses; you should also block route advertisements (e.g. RIP) so that internal address ranges are not leaked.
- Do not use vendor default passwords for any devices. Change the passwords when installing any product as your first step, including wireless and admin passwords. Passwords should be 'strong' (sufficiently complex).
- Encrypt transmission of cardholder data across open, public networks. The use of VPN with encryption is essential if you need to pass data between secure networks over the public Internet.
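The points above translate naturally into a checklist that can be run against a firewall configuration. The script below is an added example (it is not from this article or from any vendor's product): it audits a simplified, zone-based firewall configuration against those points, flagging a permissive default action, direct Internet or wireless access into the CDE, undocumented allow rules, SPI or anti-spoofing switched off, cleartext administrative protocols, shared user IDs, vendor default or weak passwords, and unneeded features left enabled. The configuration model, the zone names, the list of default passwords and the password policy are all assumptions made for the example; the two sample configurations are constructed.

```python
"""Audit a simplified zone-based firewall configuration against the PCI DSS
firewall points summarised in the article. Added example: the configuration
model (zones, rules, settings, users) is an assumption, not a vendor format."""
from dataclasses import dataclass

# Zones assumed for the example.
CDE, DMZ, INTERNET, WIFI, MGMT = "cde", "dmz", "internet", "wifi", "mgmt"
# Administrative protocols that carry credentials in the clear.
CLEARTEXT_ADMIN = {"telnet", "http", "ftp"}
# Constructed sample of vendor default passwords (not a real vendor list).
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}


@dataclass
class Rule:
    src: str                 # source zone
    dst: str                 # destination zone
    service: str             # e.g. "https", "postgres" or "any"
    action: str              # "allow" or "deny"
    justification: str = ""  # documented business reason for the rule


@dataclass
class FirewallConfig:
    rules: list             # evaluated top-down, first match wins
    default_action: str     # applied when no rule matches
    stateful: bool          # SPI on/off
    anti_spoofing: bool     # drop packets with forged source addresses
    admin_services: dict    # protocol -> enabled
    users: list             # (username, password, role) tuples
    unused_features: dict   # feature the operator does not need -> enabled


def strong_password(pw):
    """Assumed policy for 'sufficiently complex': 12+ chars, mixed case, a digit."""
    return (len(pw) >= 12 and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw))


def first_match(cfg, src, dst, service):
    """Action the ruleset takes for a flow, falling back to the default action."""
    for r in cfg.rules:
        if r.src == src and r.dst == dst and r.service in (service, "any"):
            return r.action
    return cfg.default_action


def audit(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if cfg.default_action != "deny":            # only necessary traffic into the CDE
        findings.append("default action is not deny")
    for r in cfg.rules:
        if r.action != "allow":
            continue
        if r.src == INTERNET and r.dst == CDE:  # public access only via the DMZ
            findings.append(f"Internet -> CDE allowed for {r.service}")
        if r.src == WIFI and r.dst == CDE:      # wireless separated from the CDE
            findings.append(f"wireless -> CDE allowed for {r.service}")
        if not r.justification.strip():         # every enabled service justified
            findings.append(f"undocumented rule {r.src} -> {r.dst} {r.service}")
    if not cfg.stateful:
        findings.append("stateful packet inspection disabled")
    if not cfg.anti_spoofing:
        findings.append("anti-spoofing disabled")
    for proto, enabled in cfg.admin_services.items():
        if enabled and proto in CLEARTEXT_ADMIN:  # admin access must be encrypted
            findings.append(f"cleartext admin service enabled: {proto}")
    seen = set()
    for name, pw, role in cfg.users:            # unique IDs, no default passwords
        if name in seen:
            findings.append(f"shared user id: {name}")
        seen.add(name)
        if pw.lower() in DEFAULT_PASSWORDS:
            findings.append(f"vendor default password for {name}")
        elif role == "admin" and not strong_password(pw):
            findings.append(f"weak admin password for {name}")
    for feature, enabled in cfg.unused_features.items():
        if enabled:                             # disable what you do not use
            findings.append(f"unneeded feature enabled: {feature}")
    return findings


def out_of_the_box():
    """Constructed sample: a router left close to its factory defaults."""
    return FirewallConfig(
        rules=[Rule(INTERNET, CDE, "any", "allow"), Rule(WIFI, CDE, "any", "allow")],
        default_action="allow", stateful=False, anti_spoofing=False,
        admin_services={"telnet": True, "http": True, "https": True},
        users=[("admin", "admin", "admin"), ("admin", "admin", "admin")],
        unused_features={"upnp": True, "rip": True})


def hardened():
    """Constructed sample: the same router configured along the article's points."""
    return FirewallConfig(
        rules=[Rule(INTERNET, DMZ, "https", "allow", "public web shop front end"),
               Rule(DMZ, CDE, "postgres", "allow", "front end reads the order DB"),
               Rule(MGMT, CDE, "ssh", "allow", "administration from management LAN")],
        default_action="deny", stateful=True, anti_spoofing=True,
        admin_services={"telnet": False, "http": False, "https": True, "ssh": True},
        users=[("alice", "Kx9!vtQ2mrL7pa", "admin"), ("bob", "Rz4#nwP8dsB3qe", "admin")],
        unused_features={"upnp": False, "rip": False})


if __name__ == "__main__":
    for label, cfg in (("defaults", out_of_the_box()), ("hardened", hardened())):
        print(label, audit(cfg) or "no findings")
```

Run directly, the script prints fourteen findings for the default configuration and none for the hardened one. Note that the audit is deliberately static: it confirms the configuration matches the checklist, which is the self-certification view, whereas an ASV scan tests the live system from the outside and an ongoing change log (the audit-trail point) is still needed to show the configuration stays this way.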
Where to get more information
Your main source of information should be your own card service provider; they will advise you of the specific requirements that they apply to your merchant account. More general information is available from the PCI Web Site.
Common Acronyms Relating to PCI DSS
CDE - Cardholder Data Environment
PCI - Payment Card Industry
DSS - Data Security Standard
SSC - Security Standards Council
QSA - Qualified Security Assessor
SAQ - Self-Assessment Questionnaire
ASV - Approved Scan Vendor
PCI DSS is continuously evolving. Your specific requirement and your provider's interpretation may vary. This guide is just a basic overview to introduce the concepts and should not be relied upon to assume or confirm compliance or considered in any way exhaustive of the requirements.