A Detailed Analysis of PCI DSS Requirements One And Two
Submitted by andyeliason, Sun, 8 Jun 2008
The PCI DSS is a detailed list of 12 requirements that any merchant who stores, processes, or transmits sensitive credit card data must adhere to. These requirements were developed by the five major credit card companies as a way for merchants to have a standard and a measure by which they can judge their own level of security and discover the areas that need improvement.
The integrity of the Payment Card Industry is, of course, supremely important to the credit card companies, and, as such, they have instituted the highest level of security requirements they can. That means that the PCI DSS is not necessarily easy or cheap to accomplish. However, given the increasing level of consumer suspicion around giving out sensitive information, PCI compliance becomes crucially important.

So where do you start? The beginning is always a good choice, as these are some foundational items that will help hold up the rest of your PCI DSS endeavors.

The first requirement of the PCI DSS states that you must install and maintain a firewall configuration to protect cardholder data. A firewall is a device that controls the traffic allowed into or out of your network; it can also control internal traffic around the more sensitive areas of a network. It examines every connection attempting to reach the network (or certain areas of it) and denies access if the traffic does not meet the configured criteria. You must make sure that all your systems are protected from unauthorized users on the Internet. Often the worst breaches come from seemingly innocuous areas, and the strangest paths may lead to incredibly sensitive data.

Your firewall configuration must include a formal process for approving and testing all external network connections. You must also maintain a network diagram showing all connections to cardholder data, and a description of group roles and responsibilities so that you can clearly manage and assign responsibility for different sections of the network. A merchant is also required to provide a list of the service ports necessary for the business, with justification and documentation for any available protocols besides HTTP, SSL, and SSH. What this means is that if you are going to allow risky protocols, you need to have a good reason for it. Risky protocols could include FTP.
You'll need to list why it's allowed and what security measures are in place to protect yourself.

A firewall should automatically block traffic from untrusted sites and hosts. It should also limit connections between publicly accessible servers and any system that stores cardholder data. This means not allowing packets with internal source addresses to pass from the Internet into the DMZ, and restricting inbound traffic to the IP addresses permitted by your ingress filters. All inbound and outbound traffic should be only that which is necessary for the cardholder data environment; deny all other inbound traffic not specifically allowed. You must then make sure that you are prohibiting direct public access between external networks and any system that stores cardholder data.

Requirement two of the PCI DSS states that you must not use vendor-supplied defaults for system passwords and other security parameters. What this refers to is the unfortunate occurrence of a new system being installed and left "as is." Many systems come with certain default passwords, often installed for testing purposes. The problem is that most of these passwords have already made it into the hacker community, and they are the first things an attacker will try. Part of this requirement is that you disable all unnecessary and insecure services and protocols. Again, if you just leave everything on the system as it was when it was installed, criminals can take advantage of these bloated areas and find a way into your system.

This is, of course, just the beginning of the PCI DSS requirements. But they are a good place to start, and they are absolutely necessary. As a jumping-off point to the rest of the PCI DSS, once you have these requirements in place and have greater control over your network and systems, you'll be ready to start the more complex parts of the Data Security Standard.
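The firewall rules described above (deny by default, no spoofed internal source addresses arriving from the Internet, no direct public access to cardholder systems, and only documented services allowed between zones) can be modelled as a small packet-filter policy. The following is an added example written for this page; it is not code from the article or its author. The zone names, the DMZ and cardholder-data-environment (CDE) address ranges, the ports, and the sample packets are all constructed assumptions, chosen to illustrate the policy rather than to match any real network.

```python
"""Deny-by-default packet-filter model for a PCI DSS Requirement 1 network layout.

Added example with constructed zones, networks and sample traffic; the
verdicts it produces follow the rules described in the article.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges: a packet arriving on the Internet interface must never
# carry one of these as its source address (anti-spoofing ingress filter).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone layout (assumption): public-facing DMZ and the CDE.
DMZ_NET = ipaddress.ip_network("10.10.0.0/24")
CDE_NET = ipaddress.ip_network("10.20.0.0/24")   # systems storing cardholder data

# Every allowed flow is listed with its business justification, matching the
# requirement that permitted services be documented. Anything not here is denied.
# (ingress zone, destination network, TCP destination port, reason)
ALLOW_RULES = [
    ("internet", DMZ_NET, 443,  "public HTTPS to the DMZ web tier"),
    ("dmz",      CDE_NET, 5432, "DMZ web tier to the CDE database"),
    ("corp",     DMZ_NET, 22,   "administrative SSH from the corporate LAN"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    ingress_zone: str = "internet"   # interface/zone the packet arrived on


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """True if the address falls inside a private (RFC 1918) range."""
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(pkt: Packet) -> tuple:
    """Return ("ALLOW" | "DENY", reason) for one packet under the policy."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # 1. Anti-spoofing: internal addresses must not enter from the Internet.
    if pkt.ingress_zone == "internet" and is_internal(src):
        return "DENY", "spoofed internal source address on the Internet interface"

    # 2. No direct public access to any system storing cardholder data.
    if pkt.ingress_zone == "internet" and dst in CDE_NET:
        return "DENY", "direct Internet access to the cardholder data environment"

    # 3. Only explicitly documented flows are permitted.
    for zone, net, port, reason in ALLOW_RULES:
        if (pkt.ingress_zone == zone and dst in net
                and pkt.dport == port and pkt.proto == "tcp"):
            return "ALLOW", reason

    # 4. Default deny for everything else.
    return "DENY", "no matching allow rule (default deny)"


def audit(packets) -> list:
    """Evaluate a batch of packets; returns [(packet, verdict, reason), ...]."""
    return [(p, *evaluate(p)) for p in packets]


# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "10.10.0.5", 443),                        # public HTTPS
    Packet("203.0.113.10", "10.10.0.5", 21),                         # FTP, undocumented
    Packet("192.168.1.4", "10.10.0.5", 443, ingress_zone="internet"), # spoofed source
    Packet("203.0.113.10", "10.20.0.8", 5432),                       # Internet -> CDE
    Packet("10.10.0.5", "10.20.0.8", 5432, ingress_zone="dmz"),      # web tier -> DB
    Packet("10.10.0.5", "10.20.0.8", 22, ingress_zone="dmz"),        # SSH into CDE
]

if __name__ == "__main__":
    for pkt, verdict, reason in audit(SAMPLE_PACKETS):
        print(f"{verdict:5} {pkt.ingress_zone:8} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({reason})")
```

The order of the checks matters: the anti-spoofing and "no direct access to the CDE" rules run before any allow rule is consulted, so a documented allow for port 443 can never be used to reach the CDE from the Internet, and the final default-deny catches the undocumented FTP attempt. Adding a new flow means adding a row to ALLOW_RULES together with its justification, which is the written record the requirement asks for.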
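Requirement two, as described above, comes down to two checks on every system before it goes live: no account still uses a vendor-supplied default password, and nothing is listening that is not in the approved baseline (with FTP and similar insecure protocols called out explicitly, or carrying a documented justification). The script below is an added example written for this page, not code from the article, its author, or any vendor; the default-credential table, the approved service lists per host role, the salts, and the host inventory are all constructed placeholders. It compares credentials through a salted hash so the checker never has to hold the hosts' plaintext passwords.

```python
"""Requirement 2 baseline audit: vendor-default credentials and unnecessary services.

Added example. VENDOR_DEFAULTS, APPROVED_SERVICES and INVENTORY are constructed
placeholders standing in for a real default-credential table, a hardening
baseline and an inventory pulled from the hosts.
"""
import hashlib
import hmac

# Constructed stand-ins for vendor-documented default logins.
VENDOR_DEFAULTS = [
    ("admin", "admin"),
    ("root", "changeme"),
    ("support", "support"),
]

# Protocols the article flags as risky when left enabled.
INSECURE_PROTOCOLS = {21: "ftp", 23: "telnet"}

# Approved listening ports per host role (constructed baseline).
APPROVED_SERVICES = {
    "dmz-web": {443, 22},
    "cde-db": {5432, 22},
}


def credential_hash(salt: bytes, username: str, password: str) -> str:
    """Salted HMAC-SHA256 of user:password, as the inventory stores it."""
    return hmac.new(salt, f"{username}:{password}".encode(), hashlib.sha256).hexdigest()


def audit_host(host: dict) -> list:
    """Return a list of finding strings for one host; empty means compliant."""
    findings = []

    # Check 1: does any account still match a vendor default for that username?
    for acct in host["accounts"]:
        for user, default_pw in VENDOR_DEFAULTS:
            if acct["user"] != user:
                continue
            expected = credential_hash(host["salt"], user, default_pw)
            if hmac.compare_digest(acct["hash"], expected):
                findings.append(f"{host['name']}: account '{user}' still uses the vendor-default password")

    # Check 2: every listening service must be in the baseline or justified.
    approved = APPROVED_SERVICES.get(host["role"], set())
    justified = host.get("justified", {})          # port -> documented business reason
    for svc in host["services"]:
        port = svc["port"]
        if port in justified:
            continue                                # documented exception, not a finding
        if port in INSECURE_PROTOCOLS:
            findings.append(f"{host['name']}: insecure protocol {INSECURE_PROTOCOLS[port]} listening on port {port}")
        elif port not in approved:
            findings.append(f"{host['name']}: unnecessary service '{svc['name']}' on port {port} not in baseline")
    return findings


# Constructed inventory: one freshly installed host left "as is", one hardened host.
_SALT_A = b"constructed-salt-dmz-web-01"
_SALT_B = b"constructed-salt-cde-db-01"
INVENTORY = [
    {
        "name": "dmz-web-01", "role": "dmz-web", "salt": _SALT_A,
        "accounts": [
            {"user": "admin", "hash": credential_hash(_SALT_A, "admin", "admin")},
            {"user": "deploy", "hash": credential_hash(_SALT_A, "deploy", "constructed-unique-pw")},
        ],
        "services": [
            {"port": 443, "name": "https"}, {"port": 22, "name": "ssh"},
            {"port": 21, "name": "ftp"}, {"port": 8080, "name": "http-alt"},
        ],
    },
    {
        "name": "cde-db-01", "role": "cde-db", "salt": _SALT_B,
        "accounts": [
            {"user": "root", "hash": credential_hash(_SALT_B, "root", "constructed-unique-pw-2")},
        ],
        "services": [{"port": 5432, "name": "postgres"}, {"port": 22, "name": "ssh"}],
    },
]


def audit_inventory(inventory) -> dict:
    """Map host name -> findings for every host in the inventory."""
    return {h["name"]: audit_host(h) for h in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run as a script it reports the default admin password, the FTP listener and the stray port 8080 on the unhardened host, and nothing for the database host. The `justified` map is where the documented exceptions the article asks for live: a port listed there with its business reason is skipped rather than flagged, so the audit output and the justification list stay in step.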
About the Author
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about the PCI DSS, or reaching PCI compliance, visit Braintree Payment Solutions today.
Source: ArticleTrader.com