Timeline for PCI DSS 4.0: The First Requirement and Best Practices for Network Security Controls
PCI DSS compliance is verifying that your systems, those that handle personal and cardholder information, meet all the expectations of the 12 requirements of the standard. These requirements describe security and privacy controls to protect against modern threats and vulnerabilities and call for both attention to implementing controls and maintaining long-term best practices.
The best way to understand expectations under PCI DSS is to walk through the requirements and what they say about security. Here, we’ll touch on the first requirement: Install and maintain security controls.
What Is The First Requirement for PCI DSS 4.0?
The first requirement focuses on how the company deployed and maintained its network and system security. Specifically, this requirement refers to network security controls (NSC) and policy enforcement.
Additionally, this approach to security addresses some of the most vulnerable spots in these secure systems, including their connections to unprotected networks and devices.
This requirement focuses on a few key areas:
- Perimeter Security: Organizations are expected to install perimeter security, specifically firewall technology, to control unauthorized internet traffic coming in and out of the system. These can be either hardware or software firewalls so long as they meet the standards set by the PCI Security Standards Council.
- Network Security: Organizations must enforce network policy at all access points to and from the network. These internal networks must also have secure segmentation to isolate different parts of the network.
- Configuration Security: All secure systems must be properly configured to protect against threats, including the use of strong authentication credentials, authorization protocols, and hardening of systems by keeping hardware and software patched and updated.
- Policy and Procedure: Organizations must not deploy security, much less PCI DSS measures to meet Requirement 1, in an ad hoc manner. Policies and procedures must be documented, regularly updated, and available to stakeholders.
All the components of Requirement 1 will fall under one of these specific areas.
What Are the Major Expectations Under Requirement 1?
Since Requirement 1 covers security and maintenance of networks handling cardholder data, it stands to reason that all its components will address the different facets of this goal across management, deployment, and monitoring.
The primary components of PCI DSS 4.0 Requirement 1 are:
1.1 – Processes and mechanisms for Installing and Maintaining Network Security Controls
- Documentation of Policies: Organizations must maintain proper documentation and security policies related to Requirement 1, including updating these policies as needed to address any changes or additions over time.
- Roles and Responsibilities: Including documentation of policies, the organization must also have a clear record of roles and responsibilities related to security and compliance. This ensures accountability and a clear chain of command in changes or emergencies.
- Defined Configuration Standards: Alongside regular policy and personnel documentation, the organization must also have a policy in place describing their standards for managing system configurations related to PCI DSS compliance. This ensures the company does not update or set configurations in an ad hoc manner.
1.2 – Configuring and Maintaining Network Security Controls
- Configuration Management: The organization should have a standard in place for how systems securely communicate with one another, including the use of open ports, secure protocols, authentication and authorization standards, and expected standards for communication between these systems. Additionally, change policies should be in place to control the pace and approach to updating, upgrading, or retiring assets.
- Network Diagrams: Organizations should have up-to-date network diagrams that identify and map network assets, access points, segments, and connections that could serve as a security vulnerability.
- Data Flow Diagrams: Additionally, all organizations should have a data flow diagram to inventory any and all systems and stakeholders interacting with private consumer and cardholder data for security and auditing purposes. This includes processing flows for common operations like processing payments, chargebacks, and storage.
- Resource and Security Approval: Any assets, protocols, or connections should have an identified and approved security and business purposes approved by relevant management as determined by the company roles and responsibilities.
- Review: Companies must review NSCs and configurations at least once every six months to ensure they remain functional and effective.
1.3 – Restrictions for Network Access
- Network Traffic Restriction: Inbound and outbound traffic to Cardholder Data Environments (CDEs) must be restricted no matter where it comes from, and all connections must be inspected.
- Network Security Controls: NSCs must be installed between wireless and wired access points so that only internet traffic from authorized sources is allowed into the CDE.
1.4 – Network Connections for Trust and Untrusted Networks
- Separation of Untrusted Networks: NSCs must be installed and maintained between trusted and untrusted networks, including third-party vendor networks, to restrict incoming and outgoing traffic. This traffic is restricted to communications between authorized systems and protocols, stateful responses for components, and legitimate services.
- Anti-Spoofing Controls: NSCs must include capabilities to block spoofed IP addresses from untrusted or trusted networks.
- Separating Cardholder Data: Systems holding cardholder data must be separated from untrusted networks.
- Limiting Disclosure of IP Addresses: Only authorized parties may be privy to internal IP addresses and routing information.
1.5 – Network Risks for Cardholder Data Environments (CDEs)
- Securing Internal and External Devices: Any device, from employee workstations to mobile devices and employee-owned computers, must only connect to a trusted network through strict security controls before communicating with a CDE. These controls must never be changeable by end users, including the stoppage of such services, and they must be specifically relevant to the system’s needs in question.
Prepare for PCI DSS 4.0 with Lazarus Alliance
Requirement 1 of PCI DSS is only the tip of the compliance iceberg for merchants and payment processors. But it is important–here, the basics for network security, device restriction, and system protection are established. If your business cannot meet these requirements, then it has no business holding cardholder data.
Are You Thinking Ahead for PCI DSS 4.0?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.