Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are computer devices that control computer traffic allowed into a company’s network from outside, as well as traffic into more sensitive areas within a company’s internal network. All systems need to be protected from unauthorized access from the Internet, whether via e-commerce, employee Internet access, email traffic, or other pathways. Often, seemingly insignificant paths to and from the Internet can provide unprotected access into key systems. Firewalls are a key protection mechanism for any computer network.

The following table lists the specific sub-requirements in Requirement 1 that are addressed by TIBCO LogLogic® Compliance Suite - PCI Edition.

Requirement 1 Install and maintain a firewall configuration to protect cardholder data
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration
1.1.5 Documented list of services and ports necessary for business
1.1.6 Justification and documentation for any available protocols besides HTTP, SSL, SSH, and VPN (Update: v3.0 November 2013)
1.1.7 Justification and documentation for any risky protocols allowed (FTP, etc.), which includes reason for use of protocol and security features implemented
1.1.8 Quarterly review of firewall and router rule sets
1.1.9 Configuration standards for routers
1.2 Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment
1.3.1 Restricting inbound Internet traffic to IP addresses within the DMZ (ingress filters)
1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ
1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment
1.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (Update: v3.0 August 2013)