Requirement 1: Establish Secure Firewall Rules

Make sure to choose firewalls that support the necessary configuration options to protect critical systems and provide segmentation between the CDE and other internal and external networks specific to your organization.

Auditor Tips

How to Comply with PCI Requirement 1: Manage Your Firewall

“Network firewalls are vital for your organization’s security. A firewall’s purpose is to control network traffic into and out of your environment. Simply installing a firewall on your organization’s network perimeter doesn’t make you secure; it must be configured properly.” (SecurityMetrics PCI Guide). 

Manage Your Firewall

Whether you’re new to PCI DSS or have been using it for several years, you’re likely familiar with the 12 requirements. PCI Requirement 1 concerns setting up and configuring firewalls to protect your business data.

Many businesses think they have firewalls covered once they purchase and install one. However, installing and configuring a firewall to suit their unique security needs involves a lot more.

Not all firewalls are the same. The two main types of firewalls are hardware (perimeter) and software (personal) firewalls, each with pros and cons. 

Perimeter firewall: 

Usually installed at the perimeter of an organization’s network to protect internal systems from untrusted networks. They are also used to help separate the CDE from non-CDE systems. These firewalls are generally more expensive and can be difficult to configure properly.

Personal firewall: 

Usually used to protect a single host, such as a mobile device that can move outside the secure environment. 

While this type of firewall is easier to maintain and less expensive, it doesn’t protect an entire network and has fewer security options.

To properly secure your payment environment, it's recommended that you use both types, since they cater to different elements of security.

See also: SecurityMetrics PCI Guide

Configure your firewall properly

Lack of proper firewall configuration is a major cause of data breaches. Of the breached businesses we investigated, 76% didn’t have a properly configured firewall.

You’ll need to set up your firewall rules to determine what goes in and out of your network. Out of the box, most firewalls either allow all traffic or block all traffic by default. They should be configured to filter both inbound and outbound traffic. If an attacker does get into the system, outbound rules can make it more difficult to export stolen data.

For requirement 1, remember the following:

  • Start with a “block everything” mentality, only opening up what is necessary.
  • Pay attention to what logs tell you.
  • Review firewall configurations frequently and adjust as necessary.
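The “block everything, open only what is necessary” approach above, modelled as a small rule evaluator. This is an added example, not configuration from the SecurityMetrics guide or from any firewall product; the zone networks, the payment-gateway address and the admin subnet are constructed assumptions.

```python
"""Default-deny firewall policy for a CDE segment, with an inbound and an
outbound allow list and a check for overly permissive rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str          # CIDR the flow must originate from
    dst: str          # CIDR the flow must be destined to
    proto: str        # "tcp" or "udp"
    dport: int        # destination port
    action: str = "allow"

# Constructed addresses (documentation ranges), assumed for this example.
CDE = "10.10.0.0/24"           # cardholder data environment
ADMIN = "10.20.5.0/24"         # jump-host subnet allowed to administer the CDE
GATEWAY = "203.0.113.10/32"    # assumed payment-gateway address
ANY = "0.0.0.0/0"

# Explicit permits only; anything not listed falls through to the default deny.
RULES = [
    Rule(CDE, GATEWAY, "tcp", 443),   # outbound: card authorisations only
    Rule(ADMIN, CDE, "tcp", 22),      # inbound: administration from jump subnet
]

def evaluate(src: str, dst: str, proto: str, dport: int, rules=RULES) -> str:
    """Return the action of the first matching rule, else the default 'deny'.
    Because both directions are evaluated the same way, a compromised CDE
    host trying to reach an arbitrary internet address is denied too."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and proto == r.proto and dport == r.dport):
            return r.action
    return "deny"

def permissive_rules(rules) -> list:
    """Review helper: allow rules with an unrestricted source or destination
    are the 'let everything in' rules that should be questioned on review."""
    return [r for r in rules
            if r.action == "allow" and ANY in (r.src, r.dst)]

if __name__ == "__main__":
    print(evaluate("10.10.0.5", "203.0.113.10", "tcp", 443))  # allow
    print(evaluate("10.10.0.5", "198.51.100.7", "tcp", 443))  # deny (outbound)
    print(evaluate("198.51.100.7", "10.10.0.5", "tcp", 22))   # deny (inbound)
    print(permissive_rules(RULES + [Rule(ANY, CDE, "tcp", 443)]))
```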

See also: Firewalls 101: 5 Things You Should Know

Consider managed firewall services

Configuring and maintaining your firewall can be technical and time-consuming. Depending on your business environment, you should consider having a managed firewall service. This means you have another company install, configure, and manage your firewall for you. This eliminates a lot of hassle and may save you time and resources.

Remember, you still need to ensure that those managing your firewall follow the PCI DSS standards. Having someone else manage your firewall doesn’t get you off the hook if you are breached.

Tips for how to comply with PCI requirement 1

Here are a few additional things to remember when fulfilling PCI Requirement 1:

  • Pay attention to and review firewall logs: If your firewall is picking up that someone tried to log into your network 200 times last night, you need to be aware of that.
  • Review configuration rules regularly: Business environments change, and your firewall rules should change with them.
  • Have help in setting up and configuring firewalls: Firewalls can be a bit technical, so it’s a good idea to have a third party set them up properly.
  • Remember, firewalls are your first line of defense. Make sure they are ready to handle attacks that may come your way.

However, you should also note that firewalls aren’t your failsafe against data breaches. 83% of businesses breached through unsecured remote access had a firewall. You need to have other security protocols in place to fully protect your business’s data.
