In this blog series we will explain the 12 requirements of PCI DSS, discuss the common challenges and tell you what kind of evidence is needed to comply with the requirements. One of the main requirements of PCI DSS is, without a doubt, the first. It contains a set of high priority requirements that help determine the scope of the different standards.

This requirement focuses on the protection of the cardholder data environment (CDE), where cardholder data is processed, stored and/or transmitted.


Let’s explain the main challenges that we must consider:

1) Implement a firewall that can segment the network in three main security areas such as:

        • Internet access
          Communication to or from the Internet must be limited to the DMZ (demilitarized zone).
        • Internal network (secure network)
          All devices that store and/or process confidential information are connected to this segment. It is important to know that they never communicate with the Internet directly. These devices can only communicate with the DMZ or with other secure internal networks.
        • DMZ (demilitarized zone)
          This segment holds all the devices that mediate communication between the Internet and the internal network.

Obviously, your environment may need additional segments. You can add as many segments as are convenient for keeping your environment secure, as long as you keep this three-zone model as the base.


2) Documents to be developed:

            • Network and data flow diagram. It should be as detailed as possible and must be updated with each change.
            • The network change control process. Any change to the network must go through a process that controls and authorizes the change.
            • The rule set review process. The review of the rules must verify the full configuration of every device that is part of the scope. It is also important to verify that every change on the firewall was made through the change control process stated in the previous point.
            • Configuration standard. Document the configuration of each firewall parameter that demonstrates PCI DSS compliance.
            • The network policy. This policy guarantees compliance with all the principles on which PCI DSS is based, in order to maintain a secure network.
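The rule set review can be partly automated. The following added example (not code from the original post) checks a constructed, simplified firewall rule list against the three-zone segmentation model described above, flagging any allow rule whose source/destination zone pair the model forbids (for example internal network to Internet, or Internet straight into the internal network) and any allow rule that carries no change-control reference, so it cannot be tied to an authorized change. The rule format, zone names and ticket identifiers are assumptions made for the example; a real review would export rules from the vendor's firewall and map addresses to zones first.

```python
"""Review a zone-level firewall rule set against the three-zone segmentation model.

Added example for illustration; the CSV-like rule format and the CHG-* ticket
references are constructed for this example, not a real firewall export.
"""
from dataclasses import dataclass
from typing import List, Tuple

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
ZONES = {INTERNET, DMZ, INTERNAL}

# Zone pairs (source, destination) that the segmentation model permits:
#  - Internet traffic terminates in the DMZ in both directions.
#  - Internal hosts talk only to the DMZ or to other internal segments.
#  - Internal hosts never reach the Internet directly, and the Internet
#    never reaches the internal network directly.
ALLOWED_PATHS = {
    (INTERNET, DMZ), (DMZ, INTERNET),
    (DMZ, INTERNAL), (INTERNAL, DMZ),
    (INTERNAL, INTERNAL), (DMZ, DMZ),
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    action: str            # "allow" or "deny"
    change_ticket: str = ""  # approved change reference, "" if none recorded


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of 'id, src_zone, dst_zone, action[, ticket]' (assumed format).

    Blank lines and '#' comments are ignored; unknown zones or actions are
    rejected so that a typo cannot silently pass the review.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 4:
            raise ValueError(f"malformed rule line: {raw!r}")
        rule_id, src, dst, action = parts[:4]
        ticket = parts[4] if len(parts) > 4 else ""
        if src not in ZONES or dst not in ZONES:
            raise ValueError(f"{rule_id}: unknown zone in {src!r} -> {dst!r}")
        if action not in ("allow", "deny"):
            raise ValueError(f"{rule_id}: unknown action {action!r}")
        rules.append(Rule(rule_id, src, dst, action, ticket))
    return rules


def review_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule_id, reason) findings for rules that break the model or lack evidence.

    Deny rules are never findings: the model only constrains what is allowed.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if (r.src_zone, r.dst_zone) not in ALLOWED_PATHS:
            findings.append((r.rule_id,
                             f"allows {r.src_zone} -> {r.dst_zone}, forbidden by the segmentation model"))
        if not r.change_ticket:
            findings.append((r.rule_id,
                             "no change-control reference; cannot tie the rule to an authorized change"))
    return findings


# Constructed sample rule set for the example.
SAMPLE_RULES = """
# id, source zone, destination zone, action, change ticket
R1, internet, dmz,      allow, CHG-0001
R2, dmz,      internal, allow, CHG-0002
R3, internal, internet, allow, CHG-0003   # internal must never reach the Internet
R4, internet, internal, allow,            # forbidden path and no ticket
R5, internal, internal, allow, CHG-0005
R6, internal, internet, deny,  CHG-0006   # explicit deny is fine
"""

if __name__ == "__main__":
    for rule_id, reason in review_rules(parse_rules(SAMPLE_RULES)):
        print(f"{rule_id}: {reason}")
```

Running the block reports R3 once (forbidden path) and R4 twice (forbidden path, missing ticket); each finding is exactly the kind of item the review process and the change control process are expected to surface, and the printed list is itself a piece of evidence that the review took place.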

3) Good documentation is not the only thing needed for compliance. You also have to keep evidence of the actions taken and changes made. Keeping good evidence will make the audit easier, because it shows in what form and by what means each task was completed. When developing procedures, do not forget to identify the evidence that must be generated at each step.