Make sure to choose firewalls that support the necessary configuration options to protect critical systems and provide segmentation between the CDE and other internal and external networks specific to your organization.
“Network firewalls are vital for your organization’s security. A firewall’s purpose is to control network traffic into and out of your environment. Simply installing a firewall on your organization’s network perimeter doesn’t make you secure; it must be configured properly.” (SecurityMetrics PCI Guide).
Whether you’re new to PCI DSS or have been using it for several years, you’re likely familiar with the 12 requirements. PCI Requirement 1 concerns setting up and configuring firewalls to protect your business data.
Many businesses think they have firewalls covered once they purchase and install one. However, installing and configuring a firewall to suit their unique security needs involves a lot more.
Not all firewalls are the same. The two main types of firewalls are hardware (perimeter) and software (personal) firewalls, each with pros and cons.
Hardware (perimeter) firewalls are usually installed at the perimeter of an organization’s network to protect internal systems from untrusted networks such as the internet. They are also used to help separate the CDE from non-CDE systems. These firewalls are generally more expensive and can be difficult to configure properly.
Software (personal) firewalls are usually used to protect a single host, such as a mobile device that can move outside the secure environment.
While this type of firewall is easier to maintain and less expensive, it doesn’t protect an entire network and has fewer security options.
To properly secure your payment environment, it's recommended that you use both types, since they cater to different elements of security.
See also: SecurityMetrics PCI Guide
Lack of proper firewall configuration is a major cause of data breaches. Of the breached businesses we investigated, 76% didn’t have a properly configured firewall.
You’ll need to set up your firewall rules to determine what traffic is allowed into and out of your network. Out of the box, most firewalls default to either allowing all traffic or denying all traffic. They should be configured to filter both inbound and outbound traffic, denying anything not explicitly permitted. If an attacker does get into the system, outbound rules make it more difficult to export stolen data.
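The following is an added example, not code from the SecurityMetrics post or from any firewall vendor. It models a small rule base that filters both inbound and outbound traffic with a default-deny policy and segments a CDE subnet from the rest of the network, then runs constructed sample flows through it and reviews the rule base for the weaknesses the paragraph above warns about (any-to-any allows, direct inbound access to the CDE, unrestricted outbound from the CDE). The zone addresses, rule names and flows are constructed for illustration.

```python
"""Added example: default-deny rule evaluation and rule-base review.

Everything here is constructed for illustration; it is not the post's
own code and does not talk to a real firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed CDE segment; all other addresses are treated as non-CDE.
CDE = ip_network("10.10.0.0/24")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str               # CIDR; "0.0.0.0/0" means any destination
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when source, destination, protocol and port all fit."""
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation; unmatched traffic falls to the default policy."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default, "default-" + default


def review_rules(rules: List[Rule], cde=CDE) -> List[Tuple[str, str]]:
    """Flag allow rules that undermine segmentation or outbound filtering."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        if src.prefixlen == 0 and dst.prefixlen == 0:
            findings.append((r.name, "any-to-any allow defeats default deny"))
        elif src.prefixlen == 0 and dst.subnet_of(cde):
            findings.append((r.name, "inbound from any network directly into the CDE"))
        elif src.subnet_of(cde) and dst.prefixlen == 0:
            findings.append((r.name, "unrestricted outbound from the CDE"))
    return findings


# Constructed segmented rule base: only named flows in or out of the CDE.
SEGMENTED_RULES = [
    Rule("jump-to-cde-ssh", "allow", "10.20.0.5/32", "10.10.0.0/24", "tcp", 22),
    Rule("cde-to-processor", "allow", "10.10.0.0/24", "203.0.113.10/32", "tcp", 443),
    Rule("cde-to-dns", "allow", "10.10.0.0/24", "10.20.0.53/32", "udp", 53),
]

# Constructed weak rule base of the kind the review is meant to catch.
WEAK_RULES = [
    Rule("permit-all", "allow", "0.0.0.0/0", "0.0.0.0/0", "any", None),
    Rule("web-in", "allow", "0.0.0.0/0", "10.10.0.0/24", "tcp", 443),
    Rule("cde-out", "allow", "10.10.0.0/24", "0.0.0.0/0", "any", None),
]

# Constructed sample flows: 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_FLOWS = {
    "admin-ssh": Flow("10.20.0.5", "10.10.0.20", "tcp", 22),
    "workstation-ssh": Flow("10.20.0.77", "10.10.0.20", "tcp", 22),
    "processor-call": Flow("10.10.0.20", "203.0.113.10", "tcp", 443),
    "unknown-egress": Flow("10.10.0.20", "198.51.100.9", "tcp", 443),
    "internet-inbound": Flow("198.51.100.9", "10.10.0.20", "tcp", 443),
}


def decisions(rules: List[Rule] = SEGMENTED_RULES,
              flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, str]:
    """Return the allow/deny decision for each named sample flow."""
    return {name: evaluate(rules, flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:18} {verdict}")
    for rule_name, problem in review_rules(WEAK_RULES):
        print(f"finding: {rule_name}: {problem}")
```

With the segmented rule base, only the jump host's SSH session and the CDE's calls to the payment processor and internal DNS are allowed; the unknown outbound connection and the inbound connection from the internet fall to the default deny. Run against the weak rule base, the same unknown egress is allowed and the review reports all three rules.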
For Requirement 1, remember the following:
See also: Firewalls 101: 5 Things You Should Know
Configuring and maintaining your firewall can be technical and time-consuming. Depending on your business environment, you should consider having a managed firewall service. This means you have another company install, configure, and manage your firewall for you. This eliminates a lot of hassle and may save you time and resources.
Remember, you still need to ensure that those managing your firewall follow the PCI DSS standards. Having someone else manage your firewall doesn’t get you off the hook if you are breached.
Here are a few additional things to remember when fulfilling PCI Requirement 1:
However, you should also note that firewalls aren’t a fail-safe against data breaches. 83% of businesses breached through unsecured remote access had a firewall. You need to have other security controls in place to fully protect your business’s data.
Having trouble getting compliant with PCI Requirement 1? Talk to us!