PCI DSS compliance for firewalls: It doesn’t have to be complex

The Payment Card Industry Data Security Standard (PCI DSS) has placed considerable pressure on retail industry IT security teams. Although there are various categories of “pressures,” from a high level they could be broken down into two: security and compliance. Not only do security teams have to create a secure environment, they must also prove it. The burden to ensure both security and compliance isn't going to ease; the current economic situation that's forcing IT to accomplish more with less is only adding to the problem.  

As an IT security professional working in the retail payment card industry, you know that your primary mission is to keep the network running smoothly so that card transactions continue to flow. You also know that ensuring that cardholder information is kept secure is equally vital. No one needs to be reminded of the TJX catastrophe.

A question IT security professionals need to ask themselves is, “How do I find enough time and resources to provide security and prove compliance?” After all, it can take days and even weeks to sift through piles of logs in order to piece together an auditor-friendly compliance report.

As an IT security administrator, you know that firewalls are one of your network's primary access, security and PCI DSS compliance technologies, and that they are going to be scrutinized in PCI DSS audits. When it comes to firewalls and PCI DSS, there are some key proactive steps you can take to better prepare for an audit or to simply adhere to guidelines. Take some time to address these fundamentals and you are well on your way to meeting the objectives of a number of the PCI control items.

  • Do the simple things right. Implement a clean-up rule, anti-spoofing, and a limited administrative access policy that uses encrypted protocols. Failure to take such steps is a clear sign of ineffective management and will likely result in greater scrutiny, leaving you in a tough position from which to negotiate other, more nuanced issues.
  • Simplify. Complexity negatively impacts compliance and security. Firewalls — bloated with hundreds or thousands of rules — are extremely difficult to manage. It is also very difficult to understand what the firewall policy is actually allowing or denying when it becomes overly complex. This complexity leads to mistakes and security gaps and makes it challenging to answer the auditor's "simple" question of what is allowed into your cardholder data environment. To improve this situation, spend time simplifying your existing policies; the first step towards simplification is to remove unnecessary rules. Research shows that up to 30 percent of a firewall's policies aren't needed, and today, automated tools exist that identify unused rules. Save yourself a lot of work and simplify your policy before you go about evaluating compliance.
  • The firewall is your friend. Use your firewall to segment cardholder information from the rest of your network. You can significantly reduce the scope of any PCI audit by simply limiting what parts of your network host, pass or interact with cardholder data. Take advantage of this opportunity to simplify the process and significantly reduce the cost of the PCI audit.
  • There are no check boxes. PCI compliance is not a check box process, and don't believe any vendor that promises their solution will make you compliant. Compliance is a great sales tool as so many customers are impacted by the regulation, but anyone who suggests you will be compliant by using their firewall or a tool that grades your PCI compliance is probably lying. An automated tool evaluating a firewall must provide customization so the user can define what is "required." Only then will the report be valid. To presume knowledge of what is necessary is a clear over-simplification of the problem.
  • Document, document, document. Security is about more than just security; it's also about proving it. There are at least five control items that demand documentation for the justification of firewall configurations (this is what makes PCI a very valid compliance guideline). The uniqueness of each enterprise environment demands configuration justification. Uniqueness empowers firewall administrators to configure the right solution for their environment. Make sure to document the justification and be able to provide that documentation to the auditor — this will put you way ahead of the game. Of course, this has a big benefit on security as well. If you are diligent enough to document the purpose of each rule in a firewall, you are likely to discover some rules that simply don't have sufficient justification – rules that can be changed or removed.
  • It is a negotiation. Auditors and administrators get a say in the compliance matter. The auditors should have a firm grasp on the regulation and the intent to protect the cardholder data. Similarly, the administrator should have a very good handle on the firewall policy and security configuration. There are likely to be configurations that cause the auditor to raise questions, and you need to be prepared with the justification for the configuration.  By demonstrating a clear understanding of the firewall policy and by providing justification, you will likely pass the audit.
  • The mission is never complete. When the auditor walks out of the door, the job of compliance is not complete. The PCI Council and card brands require an organization to always remain in a state of compliance with all 228 PCI audit requirements, even when the Qualified Security Assessor (QSA) is not on site. Of course, ensuring compliance continuously is not an easy task if done manually. Setting up an automated process to assist with evaluating continued compliance is key. Make sure your choice of tool is customizable and can be configured to meet your requirements.
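
The checks named in the list above (clean-up rule, limited and encrypted administrative access, unused rules, documented justification, scoped access into the cardholder data environment) can be run repeatedly against an exported rulebase. The following is an added example, not code from the article or from any vendor tool; the rule fields, zone names and the justification-length threshold are assumptions, and the site-defined `POLICY` reflects the point that the user must state what is "required".

```python
# Constructed sample rulebase; field names are assumptions, not a vendor export format.
RULES = [
    {"id": 1, "src": "10.1.0.0/24", "dst": "fw-mgmt", "service": "ssh",
     "action": "allow", "hits": 412, "justification": "Admin jump hosts"},
    {"id": 2, "src": "any", "dst": "fw-mgmt", "service": "telnet",
     "action": "allow", "hits": 0, "justification": ""},
    {"id": 3, "src": "pos-vlan", "dst": "cde", "service": "tcp/8443",
     "action": "allow", "hits": 90311, "justification": "POS to payment switch"},
    {"id": 4, "src": "any", "dst": "cde", "service": "any",
     "action": "allow", "hits": 17, "justification": "temp"},
    {"id": 5, "src": "any", "dst": "any", "service": "any",
     "action": "deny", "hits": 5520, "justification": "Clean-up rule"},
]

# Site-defined requirements: the administrator, not the tool, decides these.
POLICY = {
    "mgmt_dst": "fw-mgmt",                        # hypothetical management zone
    "encrypted_admin_services": {"ssh", "https"},
    "cde_dst": "cde",                             # hypothetical CDE zone
    "min_justification_len": 10,                  # crude proxy for "documented"
}

def audit_rulebase(rules, policy):
    """Return sorted (rule_id, finding) tuples; rule_id 0 means rulebase-wide."""
    findings = []
    last = rules[-1] if rules else None
    if not last or (last["src"], last["dst"], last["service"],
                    last["action"]) != ("any", "any", "any", "deny"):
        findings.append((0, "no clean-up rule (deny any/any/any) at end of policy"))
    for r in rules:
        if r["action"] != "allow":
            continue  # only allow rules widen access; deny rules are not graded here
        if r["dst"] == policy["mgmt_dst"]:
            if r["service"] not in policy["encrypted_admin_services"]:
                findings.append((r["id"], "admin access over unencrypted protocol"))
            if r["src"] == "any":
                findings.append((r["id"], "admin access not limited by source"))
        if r["dst"] == policy["cde_dst"] and "any" in (r["src"], r["service"]):
            findings.append((r["id"], "overly broad access into cardholder data environment"))
        if r["hits"] == 0:
            findings.append((r["id"], "unused rule (zero hits), candidate for removal"))
        if len(r["justification"].strip()) < policy["min_justification_len"]:
            findings.append((r["id"], "missing or insufficient documented justification"))
    return sorted(findings)

if __name__ == "__main__":
    for rule_id, finding in audit_rulebase(RULES, POLICY):
        print(f"rule {rule_id or 'policy'}: {finding}")
```

Run on a schedule against each exported policy, the findings list doubles as the evidence trail for the auditor; anti-spoofing is an interface-level setting and is not modelled here.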


Jody Brazil

Jody is a seasoned entrepreneur with more than two decades of executive management experience and deep domain expertise in network security, including network security management and product development. Jody was previously the CTO at FishNet Security and CEO at Firemon and DisruptOps.
