PCI compliance requirement 1: Firewalls

Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 1: "Install and maintain a firewall configuration to protect cardholder data." PCI compliance requirement 1 calls for:

  • "Stateful inspection" devices separating the Internet from the cardholder environment
  • Documented procedures supporting how the firewalls are deployed and maintained

The compliance pros review common PCI questions, including "Is a firewall needed for every store?" and "How should routers be implemented?"

Watch the rest of the PCI compliance videos, as Diana and Ed continue their advice requirement by requirement.


Editor's note: This video is based on PCI DSS version 1.1. For updated information on the changes in PCI DSS version 1.2, see the following:

  • Version 1.2 of PCI DSS answers questions, raises others
  • PCI version 1.2 clarifications: How to get an early start on compliance audits

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact [email protected]   

PCI compliance requirement 1: Firewalls

Ed Moyle: I'm Ed Moyle, and I am a QSA or a qualified security assessor and this is...

Diana Kelley: I'm Diana Kelley and I'm a partner at Security Curve. So we've
also got sort of a method to our madness here in that we're going to discuss
the requirement and the gotchas on one slide and then next we're going to give
you some real quick hit tips on best ways to actually accomplish compliance and
do your pre-assessment and get ready for the actual assessment itself.

All right, so under requirement one which is essentially firewall and we all feel
like I know what that means, you know install and maintain a firewall but if you
look at the sub-requirements under one, they say specifically it has to be
‘stateful’ inspection  firewall. So if you're looking at a standard router with Apple
although you can do some firewall tasks with it such as port blocking or source
destination, access control decisions, it's not, most routers aren't stateful inspections.  
You need to have something that stateful inspection in order for it to counted as a firewall.   
Some of the questions that I hear pretty commonly are, do we need a firewall everywhere?

Ed Moyle: Yes, that's a very common one. Really, from the stand point of at
every retail location common sense would say, no, you don't need a firewall
there and that's going to be the answer in 99% of the cases but there are cases
where you would.  There are some retail locations that are using the internet to
conduct operations and do authorizations and so on with that back end, so in
that case you might want to consider looking at a firewall.   It's going to depend
of your particular case, but generally speaking the answer is going to be no.  

Diana Kelley: What's your stance on, say you've got point of sale, but you don't
have actual systems networking off of that, that remote site. How about host
based firewall for the point of sale systems or you've got a payment application
that's best practices or PADF that's approved point of sale not necessary?

Ed Moyle: I mean definitely, some of the particular nuances of point of sale systems
and so on might be covered under other requirement but this particular requirement
is mostly geared at the internet, so the actual internet entry way to your card holder
environment.  So from a technical standpoint, you know if you have a number of stores
and so on and you have point of sales systems that are geographically distributed
or that might use, folks are probably familiar with the kind that you swipe your card
and it dials back to your acquirer.  While those are technically in the scope because
they store process or transmit credit card data which is the requirement the actual
scope of that, in that retail location is pretty small.  

So no you don't need a firewall there if it's not IP connected to the internet definitely
I would say 99.9% of the cases unless there's something that is very much unique to
you in your organization how you're using these things the answer would be no but
in the case is you're using the internet over DSL or something, then yes, and one
way to do this would be with a personal firewall or with that kind of equipment.  If you're
going to go down that route though, I would recommend that you read through the
specifics of the requirement one and make sure that doesn't affect the ply-in and that
you're following the rules.

Diana Kelley: Absolutely in this instance you may need one at every store,
you may not.  Take a look at how you architect it.  

Ed Moyle: But most likely you don’t.

Diana Kelley Now one thing you absolutely need unqualified. You need to
document the fact that you have firewalls.  So you have to have on paper
written documentation about what firewalls you have and the controls around
those firewalls processes and procedures, what the configurations are, who
has change management control to put a new rule on the firewall, things like that.
If it's not written down assessors like Ed don't take it as actually being there in some way.

Ed Moyle: I would say if it's listed under the gotchas on the slide, but the number
one thing that we find in an actual assessment related to this requirement is lack
of appropriate documentation.  That can be lack of configuration documents like you
talked about. It can be lack of documentation of who has authority to approve rules
and what the processes for rule review and so on and this particular requirement more
so than a lot of the others have a heavy documentation burden.  So really take a look
through what you're required to have. Maybe make a list of what the specific documents
are that are required for a QSA to look at in the audit procedures and make sure that you
have them.  I would say that if you're going to offer documentation for the purposes of meeting
this requirement try not to get creative. Like if it requires that you have three different types
of documentation don't try to like combine them all into one. Just create what documentation
that is required.

Diana Kelley: So the quick kit for the fire walls. You're want to have network
diagrams to show where the firewalls are.  Make sure it's accurate. You want to
have a list of what's allowed in and out that includes the services and the ports
and the protocols, so what you're blocking in and out and using those firewalls
and what's allowed.  If you don't need Telnet don't have that. If you have Telnet
explain why you have Telnet, and why it's for business reasons.  Document the
configuration, but document all the related rules and processes around the firewall.  
Also make sure that you go through and look and check that what you believe are the
rules that you have set on the firewalls are in fact the rules that are on there.  So a quarterly
review and then print that out and keep that as a report as well.  

Ed Moyle: If the number one problem we see in the field is lack of documentation,
then the number two is related to the review of rules.  This is understandably a challenging
thing to do, it does take some time but it is specifically required that you do a quarterly review
of your firewall rules.  So do it, and document the fact that you're doing it and keep
records, because your QSA will look at those records.


View All Videos