Requirement 1: Install and maintain a firewall configuration to protect cardholder data

The first step in creating a secure environment for storing cardholder data is putting a security mechanism in place. For Requirement 1 that mechanism is a firewall configuration, which must be established, tested and then maintained.
- 1.1 Establish and implement firewall and router configuration standards.
- 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system component in the cardholder data environment.
- 1.3 Prohibit direct public access between the internet and any system component in the cardholder data environment.
- 1.4 Install personal firewall software (or equivalent functionality) on any device that connects to the internet when outside the network. The firewall or equivalent must have specific configuration settings, those settings must not be alterable by users, and the firewall must be actively running.
- 1.5 Ensure that security policies and operational procedures for protecting stored cardholder data are documented and known to all affected parties.
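Requirements 1.2 and 1.3 are the ones an assessor actually checks against the ruleset, so here is an added example (not part of the original page, and not a PCI SSC tool) that audits a simplified firewall ruleset for the two properties those items name: an explicit deny-all default, and no allow rule that connects the internet directly to a cardholder data environment (CDE) zone. The zone names `internet`, `dmz` and `cde`, the `Rule` record, the `allowed_inbound` whitelist and the sample rules are all constructed for illustration; a real audit would feed it rules exported from the actual firewall.

```python
"""Audit a simplified first-match firewall ruleset against PCI DSS 1.2 / 1.3.

Added example. Zone names, rule format and SAMPLE_RULES are constructed;
the checks encode the two properties Requirement 1.2 and 1.3 describe.
"""
from dataclasses import dataclass

INTERNET = "internet"   # untrusted network
DMZ = "dmz"             # public-facing tier
CDE = "cde"             # cardholder data environment


@dataclass(frozen=True)
class Rule:
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    port: str     # destination port as a string, or "any"
    action: str   # "allow" or "deny"


def audit(rules, cde_zones, allowed_inbound):
    """Return a list of findings (empty list means no violations found).

    rules           -- ordered list of Rule, first match wins
    cde_zones       -- set of zone names that hold cardholder data
    allowed_inbound -- set of (src, dst, port) tuples with a documented
                       business justification for reaching the CDE (1.2)
    """
    findings = []

    # 1.2: the ruleset must end with an explicit deny-all so that anything
    # not specifically permitted is dropped rather than implicitly allowed.
    last = rules[-1] if rules else None
    if last is None or not (last.src == "any" and last.dst == "any"
                            and last.action == "deny"):
        findings.append("1.2: ruleset does not end with an explicit deny-all rule")

    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        reaches_cde = r.dst in cde_zones or r.dst == "any"
        if reaches_cde:
            if r.src in (INTERNET, "any"):
                # 1.3: no direct path from the public internet into the CDE
                findings.append(
                    f"1.3: rule {i} allows {r.src} -> {r.dst}:{r.port} "
                    "(direct public access to the CDE)")
            elif (r.src, r.dst, r.port) not in allowed_inbound:
                # 1.2: inbound access to the CDE must be justified and listed
                findings.append(
                    f"1.2: rule {i} allows {r.src} -> {r.dst}:{r.port} "
                    "without a documented justification")
        if r.src in cde_zones and r.dst in (INTERNET, "any"):
            # 1.3: outbound traffic from the CDE to the internet must be
            # explicitly authorised, never a blanket allow
            findings.append(
                f"1.3: rule {i} allows outbound {r.src} -> {r.dst}:{r.port} "
                "unrestricted")
    return findings


# Constructed sample ruleset: two deliberate violations plus a deny-all tail.
SAMPLE_RULES = [
    Rule(INTERNET, DMZ, "443", "allow"),   # public web tier: acceptable
    Rule(DMZ, CDE, "5432", "allow"),       # app tier to card database: justified
    Rule(INTERNET, CDE, "22", "allow"),    # violates 1.3
    Rule(CDE, INTERNET, "any", "allow"),   # unrestricted outbound from the CDE
    Rule("any", "any", "any", "deny"),     # required default deny
]
ALLOWED_INBOUND = {(DMZ, CDE, "5432")}


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, {CDE}, ALLOWED_INBOUND):
        print(finding)
```

Running it against the sample prints two findings, one for the SSH rule from the internet into the CDE and one for the blanket outbound rule; dropping the final deny-all adds a third. The whitelist is the piece most often missing in practice: Requirement 1.2 expects each permitted path into the CDE to be tied to a documented business need, so the audit treats any allow rule into the CDE that is not on that list as a finding rather than assuming it is fine.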
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 2 discusses the configuration requirement of a suitable firewall mechanism for data protection. It lists six compliance requirements and more than thirty testing procedures.
- 2.1 Always change vendor-supplied defaults, and remove or disable unnecessary default accounts before installing a system on the network.
- 2.2 Develop configuration standards for all system components. These standards must address all known security vulnerabilities and be consistent with industry-accepted system hardening standards; sources of such standards include CIS, ISO, SANS and NIST.
- 2.3 Encrypt all non-console administrative access using strong cryptography.
- 2.4 Maintain an inventory of system components that are in scope for PCI DSS.
- 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented and known to all affected parties.
- 2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data.
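Requirement 2.3 is usually evidenced by showing that administrative protocols such as SSH are pinned to strong algorithms, which is also the kind of setting a 2.2 configuration standard would fix. The following added example (not from the page and not an official PCI SSC or OpenSSH tool) parses an `sshd_config` text and flags settings that would let non-console administrative sessions fall back to weak cryptography. `WEAK_CIPHERS` and `WEAK_MACS` are the author's selection of legacy OpenSSH algorithm names; `SAMPLE_CONFIG` and `HARDENED_CONFIG` are constructed, not taken from any real host.

```python
"""Check sshd_config text for weak cryptography on administrative access
(PCI DSS Requirement 2.3). Added example; algorithm lists and sample
configurations are the author's and are constructed for illustration."""

# Legacy OpenSSH algorithm names that should not appear in an allow list.
WEAK_CIPHERS = {
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc",
}
WEAK_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
    "umac-64@openssh.com", "umac-64-etm@openssh.com",
}


def parse_sshd_config(text):
    """Return {lowercased keyword: [values...]} ignoring comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def _algorithms(value):
    """Expand an OpenSSH algorithm list; '-' lists remove, so they are ignored."""
    if value.startswith("-"):
        return []
    if value[:1] in "+^":           # append / prepend to the default set
        value = value[1:]
    return [a.strip().lower() for a in value.split(",") if a.strip()]


def audit_sshd(text):
    """Return a list of Requirement 2.3 findings for an sshd_config text."""
    s = parse_sshd_config(text)
    findings = []

    # SSH protocol 1 offers no acceptable cryptography; OpenSSH only honours
    # the directive on old builds, but its presence still signals a weak standard.
    for value in s.get("protocol", []):
        if "1" in [v.strip() for v in value.split(",")]:
            findings.append("2.3: Protocol allows SSH version 1")

    for directive, weak in (("ciphers", WEAK_CIPHERS), ("macs", WEAK_MACS)):
        values = s.get(directive, [])
        if not values:
            # Not pinned: the effective set depends on the OpenSSH build,
            # so the configuration standard (2.2) cannot vouch for it.
            findings.append(f"2.3: {directive} not pinned; relies on build defaults")
            continue
        for value in values:
            found = sorted(a for a in _algorithms(value) if a in weak)
            if found:
                findings.append(f"2.3: weak {directive} enabled: {', '.join(found)}")
    return findings


# Constructed sample: one host that still permits legacy algorithms ...
SAMPLE_CONFIG = """
# constructed sample, not a real host's configuration
Port 22
Protocol 2,1
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
PermitRootLogin no
"""

# ... and the same host after pinning the allow lists to strong algorithms.
HARDENED_CONFIG = """
Port 22
Protocol 2
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
PermitRootLogin no
"""

if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_CONFIG):
        print(finding)
    print("hardened findings:", audit_sshd(HARDENED_CONFIG))
```

The sample configuration yields three findings (protocol 1, `3des-cbc`, `hmac-md5`) and the hardened one yields none. Treating an absent `Ciphers` or `MACs` directive as a finding is a deliberate choice: 2.2 asks for a written standard that addresses known weaknesses, and a standard that leaves the algorithm set to whatever the installed OpenSSH version defaults to cannot demonstrate that.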