Whether you’re new to PCI DSS, or have done it for several years now, you’re likely familiar with the 12 requirements. PCI Requirement 1 deals with setting up and configuring firewalls to protect your business data.
When it comes to firewalls, many businesses think they have it covered once they purchase and plug in a firewall. However, a lot more is involved with installing and configuring a firewall to suit your business’s unique security needs.
Not all firewalls are the same. The two main types of firewall are hardware and software firewalls. Know which types of firewall to use:
To properly secure your payment environment, it's recommended that you use both types, since they cater to different elements of security.
See also: SecurityMetrics PCI Guide
Improper firewall configuration is a major cause of data breaches. In the businesses we investigated, 76% of breached businesses didn’t have a properly configured firewall.
You’ll need to set up your firewall rules to determine what traffic is allowed into and out of your network. Most firewalls ship with a default policy that either allows all traffic or blocks all traffic. They should be configured to filter both inbound and outbound traffic. If an attacker does get into the system, outbound (egress) rules make it more difficult to export stolen data.
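The difference between a "plug it in" default-allow policy and a default-deny policy with explicit inbound and outbound rules, as an added example that is not part of the original post. The rule evaluator is a simplified stateless first-match filter, and the network (a 10.10.0.0/24 cardholder-data segment with a web server, a database and a resolver) and the external addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One stateless filter rule; matches on direction, addresses and port."""
    direction: str        # "in" (toward the network) or "out" (leaving it)
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None matches any port
    action: str           # "allow" or "deny"

    def matches(self, direction, src, dst, dport):
        return (self.direction == direction
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, default_policy, direction, src, dst, dport):
    """First matching rule wins; unmatched traffic gets the chain's default policy."""
    for rule in rules:
        if rule.matches(direction, src, dst, dport):
            return rule.action
    return default_policy


# Constructed addresses: cardholder-data network 10.10.0.0/24 with a web server
# (10.10.0.10), a database (10.10.0.20) and a resolver (10.10.0.1); 203.0.113.5
# stands in for the payment processor, 198.51.100.7 for an unknown external host.
RULES = [
    Rule("in",  "0.0.0.0/0",     "10.10.0.10/32",  443, "allow"),  # customers to web server
    Rule("out", "10.10.0.10/32", "203.0.113.5/32", 443, "allow"),  # web server to processor
    Rule("out", "10.10.0.0/24",  "10.10.0.1/32",    53, "allow"),  # CDE hosts to the resolver
]


def allowed(default_policy, direction, src, dst, dport):
    """True if the flow passes under RULES with the given default policy."""
    return evaluate(RULES, default_policy, direction, src, dst, dport) == "allow"


if __name__ == "__main__":
    # Same rule set, two default policies: only default-deny blocks the inbound
    # SSH attempt and the database host's unexpected outbound connection.
    flows = [("in", "192.0.2.9", "10.10.0.10", 443), ("in", "192.0.2.9", "10.10.0.10", 22),
             ("out", "10.10.0.10", "203.0.113.5", 443), ("out", "10.10.0.20", "198.51.100.7", 443)]
    for flow in flows:
        print(flow, "default-allow:", allowed("allow", *flow), "default-deny:", allowed("deny", *flow))
```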
See also: Firewalls 101: 5 Things You Should Know
Configuring and maintaining your firewall can get technical and time-consuming. Depending on your business environment, you should consider a managed firewall service, in which another company installs, configures, and manages your firewall for you. This eliminates a lot of hassle and may save you time and resources.
Remember, you still need to make sure those managing your firewall follow the standards of the PCI DSS. Having someone else manage your firewall doesn’t get you off the hook, should you get breached.
Remember, firewalls are your first line of defense. Make sure they are ready to handle attacks that may come your way.
But also note that firewalls aren’t your failsafe against data breaches. 83% of businesses breached through unsecured remote access had a firewall in place. You need to have other security protocols in place to fully protect your business’s data.
Having trouble getting compliant with PCI Requirement 1? Talk to us!