Are You Following PCI Compliance Firewall Requirements? Here’s How You Can Make Sure.

These standards apply to any entity that participates in payment card processing—including those that store, process, or transmit cardholder data or authentication data.

PCI DSS Compliance

As organizations collect more and more user data, it becomes increasingly important to protect personal information from leaks and data theft. Some sectors, including healthcare and finance, have developed specific requirements to meet as part of their overall information security. Without careful adherence to these security standards and regulations, sensitive data can be compromised.

The Payment Card Industry Security Standards Council (PCI SSC) is a global forum founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. to enhance global payment account data security. Additionally, the Payment Card Industry Data Security Standard (PCI DSS) was developed to facilitate broad adoption of consistent data security measures to help organizations avoid vulnerabilities that may lead to data breaches.


The PCI Security Standards comprise a minimum set of requirements. Additional controls and practices may be layered on top of them to mitigate other risks and to comply with local, regional, and sector-specific laws and regulations such as the following; noncompliance with those regulations may likewise lead to violations and fines:

  • The Health Insurance Portability and Accountability Act (HIPAA) in healthcare
  • Children’s Internet Protection Act (CIPA) in education and healthcare
  • The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for the power grid and underlying networks

There are 12 high-level requirements of PCI DSS—the first is building and maintaining a secure network and systems. This requires the installation and maintenance of a firewall configuration to protect cardholder data. Physical conditions, including limiting access to the cardholder data environment (CDE), should also be met to comply with PCI DSS firewall requirements.

How to Make Sure You Comply With PCI DSS Firewall Requirements

With the sometimes complex details of information security standards, such as HIPAA compliance policies, it can be challenging to determine if you’re following every requirement to the letter. Here’s how to ensure you comply with PCI DSS firewall regulations.

1. Establish standards

Firewalls and routers are the parts of the network architecture that govern what enters and leaves the network. Documented configuration standards and procedures help maintain this first line of defense for data security.

2. Restrict connections

A firewall must sit between the internal, trusted network and every untrusted network. To be effective, it must control all traffic entering and leaving the organization's network.

3. Prevent direct public access

Internal systems should never accept connections directly from untrusted networks. Any direct path between public systems and the CDE bypasses the firewall's protections and exposes system components to compromise.
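Steps 1 to 3 amount to a policy that can be checked mechanically: every allow rule has a documented business reason, traffic between the untrusted and trusted sides is limited to specific destinations and ports, the CDE has no direct exposure to public sources, and the policy ends in an explicit default deny. The script below is an added example, not code from the article or from any firewall vendor; it audits a simplified, constructed rule list for those conditions. The zone addresses, the Rule format, the internal-zone list, and both sample policies are assumptions made for illustration.

```python
"""Audit a simplified, order-evaluated firewall policy for the PCI DSS
firewall points discussed above (example code; all zones and rules are
constructed for illustration)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

# Constructed zones (assumptions, not taken from the article).
CDE_NET = ip_network("10.10.0.0/24")       # cardholder data environment
DMZ_NET = ip_network("192.168.100.0/24")   # internet-facing web tier
ANY_NET = ip_network("0.0.0.0/0")          # "any" source or destination

# Everything not inside one of these ranges is treated as untrusted/public.
INTERNAL_ZONES = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    """One rule of a hypothetical firewall policy, evaluated top to bottom."""
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]         # None means any port
    justification: str = ""     # documented business need for the rule


def is_untrusted(net: IPv4Network) -> bool:
    """A source is trusted only if it lies entirely inside an internal zone."""
    return not any(net.subnet_of(zone) for zone in INTERNAL_ZONES)


def audit(rules: List[Rule]) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        # Step 1: every permitted flow needs a documented reason.
        if not r.justification:
            findings.append(f"rule {i}: allow rule has no documented business justification")
        # Step 2: traffic between untrusted and trusted sides must be limited.
        if r.port is None and r.src == ANY_NET:
            findings.append(f"rule {i}: 'any' source permitted on all ports")
        if r.src.subnet_of(CDE_NET) and r.dst == ANY_NET:
            findings.append(f"rule {i}: unrestricted egress from the CDE ({r.src}) to any destination")
        # Step 3: no direct path from a public source into the CDE.
        if is_untrusted(r.src) and r.dst.overlaps(CDE_NET):
            findings.append(f"rule {i}: untrusted source {r.src} reaches the CDE ({r.dst}) directly")
    # The policy must close with an explicit deny-all so unmatched traffic is dropped.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or last.src != ANY_NET or last.dst != ANY_NET:
        findings.append("policy does not end with an explicit deny-all (default deny missing)")
    return findings


# Constructed sample: a weak policy with the kinds of gaps the steps warn about.
WEAK_POLICY = [
    Rule("allow", ANY_NET, DMZ_NET, 443, "public web storefront"),
    Rule("allow", ANY_NET, CDE_NET, 3306),               # internet straight to the card database
    Rule("allow", CDE_NET, ANY_NET, None, "updates"),    # CDE may talk to anything outbound
]

# Constructed sample: the same business needs expressed with the gaps closed.
HARDENED_POLICY = [
    Rule("allow", ANY_NET, DMZ_NET, 443, "public web storefront"),
    Rule("allow", DMZ_NET, CDE_NET, 3306, "web tier to payment database only"),
    Rule("allow", CDE_NET, ip_network("10.20.0.5/32"), 443, "CDE egress limited to patch proxy"),
    Rule("deny", ANY_NET, ANY_NET, None, "default deny"),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit(policy) or ['no findings']}")
```

The weak policy produces four findings (an undocumented rule, a public source reaching the CDE, unrestricted CDE egress, and no default deny); the hardened policy produces none. In a real environment the Rule objects would be built from an export of the actual firewall configuration, and the zone lists from the documented network diagram, so the audit reflects the deployed rules rather than a hand-written list.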

4. Install personal firewall software

Portable computers that access the internet outside the corporate firewall are especially exposed to security threats. Personal firewall software protects such devices from internet-based threats that could otherwise use the compromised computer as a path into the organization's networks and data once it is reconnected to the network.

5. Monitor and limit physical access

Limit and track physical access to CDE systems using facility entry controls and VPN (virtual private network) protection tools. Unauthorized individuals may gain access to the facility and steal, disable, disrupt, or destroy sensitive systems and cardholder data if physical access controls are not in place.

6. Adhere to visitor procedures

Develop protocols to differentiate between onsite staff and visitors so unauthorized visitors cannot access areas containing cardholder data.

7. Physically secure media

If cardholder data is left unprotected on disposable or portable media, printed out, or on someone’s desk, it is vulnerable to unauthorized display, copying, or scanning.

8. Control media distribution

Maintain tight control over the dissemination of any media, internally or externally. Documented procedures and processes for handling media given to internal or external users protect the cardholder data it carries.

Maintain tight control over media storage

If media storage and inventory methods are lax, it may be a while before misplacement or media theft is noticed.

9. Carefully destroy media

If data on hard disks, portable drives, CD/DVDs, or paper is not properly destroyed before disposal, it can be recovered from the discarded media with the help of machine learning services, resulting in a data breach.

10. Train employees in security procedures

Personnel should be trained in, knowledgeable about, and compliant with security policies and procedures.