In this blog series we explain the 12 requirements of PCI DSS, discuss the common challenges and tell you what kind of evidence is needed to comply with each requirement. Our previous blog was about the first requirement, which focuses on the protection of the cardholder data environment (CDE), where cardholder data (CHD) is stored, processed and transmitted.
If you missed that blog and want to know how to protect your cardholder data environment with firewalls and segmentation, which documents you need and how to collect evidence, you can click HERE for the blog.
Now that we know (per requirement 1) which hardware and software are involved in the process of transmitting, processing and/or storing cardholder data, we can start with the next requirement.
Requirement 2 describes the best practices for implementing secure configurations on your systems and the documentation that PCI DSS requires.
Let’s explain the main challenges and steps that we must consider:
1) Creating and writing hardening documentation is often described as a difficult task. However, good documentation ensures that the entire IT team follows the same set of configurations and knows how to apply them. Make sure these hardening documents are tailored to your systems and consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
These guides are intended to make the writing process easier. Use them as a guide and verify that each chosen value allows your particular system to operate correctly.
In one of our previous blog posts we gave some tips on how to write good hardening documentation. If you missed this blog you can click HERE for the blog.
2) Include the specific requirements of PCI DSS: review all the requirements of the standard and compare them with your document, even though many of the suggested configurations are already included in the recommendations of the sources mentioned in the previous point.
3) Once the documentation has been written and checked, it is time to test and implement the hardening guide on all devices in the PCI DSS environment.
4) When the previous step has been completed successfully, you can formalise and distribute the documents within your IT team. This way everyone is aware of the steps that have to be taken and there is a fixed hardening procedure.
5) The last thing to remember is to keep the hardening guide up to date. It is recommended to review these guides whenever you implement a software upgrade and whenever a vulnerability is found that involves a configuration change.
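As an added example (not code from the original post), a small checker for the test step in 3): it compares an sshd_config against the values recorded in a hardening document and reports every documented setting as PASS, FAIL or MISSING. The baseline, its section references and the sample config are all constructed for illustration.

```python
"""Check a config file against a documented hardening baseline (added example;
baseline, section references and the sshd_config sample are all constructed)."""
import re

# Constructed baseline, as a hardening document might record it:
# keyword -> (expected value, reference to the hardening document section)
BASELINE = {
    "PermitRootLogin": ("no", "doc 3.1: no direct root logins"),
    "PasswordAuthentication": ("no", "doc 3.2: key-based authentication only"),
    "PermitEmptyPasswords": ("no", "doc 3.3: no empty passwords"),
    "X11Forwarding": ("no", "doc 3.4: unneeded feature disabled"),
    "MaxAuthTries": ("4", "doc 3.5: limit authentication attempts"),
}

# Constructed sample: one deviation (root login) and one commented-out setting
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
#X11Forwarding no
MaxAuthTries 4
"""

def parse_config(text):
    """Return {keyword: value} for active lines; first occurrence wins, as sshd does."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1])  # keywords are case-insensitive
    return settings

def check_baseline(config_text, baseline=BASELINE):
    """Return {keyword: (status, observed value, reference)} for every documented setting.
    An absent or commented-out setting is MISSING, not assumed compliant: the daemon's
    own default then applies and has to be verified separately."""
    observed = parse_config(config_text)
    report = {}
    for key, (expected, ref) in baseline.items():
        value = observed.get(key.lower())
        status = ("MISSING" if value is None
                  else "PASS" if value.lower() == expected.lower() else "FAIL")
        report[key] = (status, value, ref)
    return report
```

Run it over each device's real configuration and keep the report as evidence that the guide was tested before it was rolled out.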
The documentation is not only part of PCI DSS compliance. It is a big part of the security of the cardholder data and of maintaining a secure network. For this reason, it is important to review it regularly and to include new configurations that resolve or prevent the exploitation of vulnerabilities.