As organizations collect more and more user data, it becomes increasingly important to protect personal information from leaks and data theft. Some sectors, including healthcare and finance, have developed specific requirements for their overall information security. Sensitive data can be compromised without careful adherence to these security standards and regulations.
The Payment Card Industry Security Standards Council (PCI SSC) is a global forum founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. to enhance global payment account data security. Additionally, the Payment Card Industry Data Security Standard (PCI DSS) was developed to facilitate the broad adoption of consistent data security measures to help organizations avoid vulnerabilities that may lead to data breaches.
These standards apply to any entity that participates in payment card processing, including storing, processing, or transmitting cardholder data or authentication data.
The PCI Security Standards are a minimum set of requirements. Organizations may add further controls and practices to mitigate other risks and to comply with local, regional, and sector-specific laws and regulations, noncompliance with which may lead to violations and fines. Examples include:
- The Health Insurance Portability and Accountability Act (HIPAA) in healthcare
- Children’s Internet Protection Act (CIPA) in education and healthcare
- The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for the power grid and underlying networks
There are 12 high-level requirements of PCI DSS — the first is building and maintaining a secure network and systems. This requires installing and maintaining a firewall configuration to protect cardholder data. Physical requirements, including limiting access to the cardholder data environment (CDE), must also be satisfied to comply with PCI DSS firewall requirements.
How to Make Sure You Comply With PCI DSS Firewall Requirements
With the sometimes complex details of information security standards, such as HIPAA compliance policies, it can be challenging to determine if you’re following every requirement to the letter. Here’s how to ensure you comply with PCI DSS firewall regulations.
Firewalls and routers are essential parts of the network architecture that govern entry and exit. In addition, configuration standards and procedures will aid in maintaining the organization’s first line of defense in terms of data security.
A firewall is required between the internal, trusted network and any untrusted network. To be effective, it must control all traffic entering and leaving the organization’s network.
3. Prevent direct public access
Internal network systems should never accept untrusted connections. For example, direct access between public systems and the CDE bypasses the firewall’s protections and exposes system components to potential compromise.
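One way to check a ruleset against this requirement before it is deployed, as an added example that is not part of the original article: the script below audits a simple allow/deny rule table for two PCI DSS firewall conditions, no rule that lets an untrusted source reach the CDE, and an explicit deny-all at the end. The trusted range, CDE subnet, DMZ subnet and sample rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed layout (assumption, not from the article): the address space the
# organisation treats as trusted and the CDE subnet inside it.
TRUSTED = ipaddress.ip_network("10.0.0.0/8")
CDE = ipaddress.ip_network("10.20.0.0/24")


@dataclass
class Rule:
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    dport: str   # TCP/UDP port or "any"


def is_untrusted(src: str) -> bool:
    """A source is untrusted unless it lies wholly inside the trusted range."""
    if src == "any":
        return True
    return not ipaddress.ip_network(src, strict=False).subnet_of(TRUSTED)


def reaches_cde(dst: str) -> bool:
    return dst == "any" or ipaddress.ip_network(dst, strict=False).overlaps(CDE)


def audit(rules: list) -> list:
    """Return one finding per violation; an empty list means the ruleset passes."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and is_untrusted(r.src) and reaches_cde(r.dst):
            findings.append(f"rule {i}: untrusted source {r.src} may reach the CDE "
                            f"({r.dst} port {r.dport})")
    if not rules or rules[-1] != Rule("deny", "any", "any", "any"):
        findings.append("ruleset does not end with an explicit deny-all")
    return findings


# Constructed sample rulesets: a weak one and its corrected form.
WEAK = [
    Rule("allow", "any", "10.10.0.0/24", "443"),            # internet -> DMZ web tier
    Rule("allow", "any", "10.20.0.0/24", "443"),            # internet -> CDE: violation
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", "5432"),
]
CORRECTED = [
    Rule("allow", "any", "10.10.0.0/24", "443"),
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", "5432"),  # only the DMZ reaches the CDE
    Rule("deny", "any", "any", "any"),                       # explicit default deny
]

if __name__ == "__main__":
    for name, rs in (("weak", WEAK), ("corrected", CORRECTED)):
        print(name, audit(rs) or ["pass"])
```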
4. Install personal firewall software
Portable computers that access the internet outside of the corporate firewall are especially vulnerable to security threats. Personal firewalls protect such devices from internet-based threats that could otherwise use the computer to reach the organization’s networks and data once it is reconnected to the network.
5. Monitor and limit physical access
Limit and track physical access to CDE systems using facility entry controls and VPN (virtual private network) protection tools. Unauthorized individuals may gain access to the facility and steal, disable, disrupt, or destroy sensitive systems and cardholder data if physical access controls are not in place.
6. Adhere to visitor procedures
Develop protocols to differentiate between onsite staff and visitors so unauthorized visitors cannot access areas containing cardholder data.
7. Physically secure media
If cardholder data is left unprotected on disposable or portable media, printed out, or on someone’s desk, it is vulnerable to unauthorized display, copying, or scanning.
8. Control media distribution
Maintain tight control over the dissemination of any media, internally or externally. Documented procedures and processes protect cardholder data on media provided to internal or external users.
9. Maintain tight control over media storage
If media storage and inventory methods are lax, it may be a while before anyone notices that media has been misplaced or stolen.
10. Carefully destroy media
If data on hard disks, portable drives, CD/DVDs, or paper is not destroyed correctly before disposal, it can be recovered from the discarded media with the help of machine learning services, resulting in a data breach.
11. Train employees in security procedures
Personnel should be trained in security policies and procedures, understand them, and adhere to them.