In this blog series, we will explain the 12 requirements of PCI DSS, discuss the common challenges and tell you what kind of evidence is needed to comply with the requirements. One of the main requirements of PCI DSS is, without a doubt, the first. It contains a set of high priority requirements that help determine the scope of the different standards.

Cardholder data environment (CDE)

Requirement 1 focuses on the protection of the cardholder data environment (CDE), where cardholder data is processed, stored and/or transmitted. Let’s explain the main challenges that we must consider:

1) Implement a firewall that can segment the network in three main security areas such as:

        • Internet access
          The communication to or from the internet must be limited to the DMZ (demilitarized zone).
        • Internal network (secure network)
          On this segment, all the devices that store and/or process confidential information is connected to the internal network. It is important to know that they will never communicate to the Internet. These devices can only communicate with the DMZ or other secure internal networks.
        • DMZ (Demilitarized zone)
          On this network segment, all the devices that communicate between the Internet and the internal network are located. 

Obviously, your environment may need additional segments. You can add more segments to your environment that are convenient for keeping your environment secure. It is important that you keep this concept of security as a base.

2) Documents to be developed:

            • Network and data flow diagram, it should be as detailed as possible and should be updated with each change.
            • The network control change process, any change on the network must go through a process that controls and authorizes the change.
            • The rule set review process. The revision of the rules must be done in order to verify all configurations of the device that is part of the scope. It is also important, verify that all changes on the firewall were made through the change control procedure are verified via the network control change process, stated in the previous point.
            • Configuration standard, document the configuration of each of the firewall parameters that verify PCI DSS compliance.
            • The Network policy. This policy guarantees compliance with all the principles on which PCI DSS is based on to maintain a secure network.

3) Good documentation is not the only thing for compliance. You have to keep evidence from the actions taken and changes made. Keeping good evidence will make the audit easier, it will show in which type and form the tasks are completed. When developing procedures, it is important to not forget to identify the evidence that must be generated in each step.

Read more about Requirement 2