07-27-10 | Blog Post
Online Tech brings you a new series on PCI Compliance by Adam Goslin, Co-Founder of High Bit Security, a full service security company specializing in Payment Card Industry Data Security Standards Compliance and Penetration Testing. PCI compliant hosting is important for all of our clients who hold and handle credit card information. The series will explain the six objectives of PCI DSS and how to maintain PCI compliance for your company. We hope that you find it useful and we welcome your feedback.
The next installment in this series covers the first principle of PCI DSS compliance – Build and Maintain a Secure Network.
With over 50 individual requirements under this principle, leaning on the experience of a seasoned team that has implemented PCI DSS as a unit, along with ongoing communication with your Qualified Security Assessor (QSA), is critical.
On a high-level read, this section appears relatively straightforward, but it is deceptively challenging to implement. This principle covers requirements to follow good SDLC (System Development Life Cycle) procedures, inclusive of change management and the documentation required to support it.
This principle also includes specific directions on infrastructure design, governing elements such as firewall placement, open ports and protocols, segregation of the internal environment so that the Card Holder Data Environment (CHDE) is separated from non-CHDE segments of the network, and infrastructure documentation and configuration.
The infrastructure planning process is critical, and the individual or company leading your organization through PCI compliance should perform substantial up-front planning with both the software and infrastructure teams so that the ultimate solution achieves the security objectives without debilitating the performance of your software. Often, without this pre-planning, companies will have met all of the security objectives of PCI but find late-breaking functionality issues once their software is deployed into the new environment, because required communication paths turn out to be closed.
This principle not only covers the firewall(s) required for the production environment, but also requires all mobile computers (company or employee owned) to employ personal firewalls.
For all of the infrastructure elements (firewalls, switches, wireless devices), make sure that the default administrative accounts that come from the manufacturer are changed. If possible, remove the default accounts that come from the vendor and establish your own accounts on the devices. Changing only the administrative password leaves one piece of the authentication requirements, the default account name, intact, which makes things easier for the attacker.
Configuration of the servers is also covered under this principle. Requirements include removal of all unnecessary functionality, and securing non-console administrative access.
One of the elements of this principle that seems to have a wider range of interpretation is the requirement to implement only one primary function per server. Calling the primary function of a server a “security server” and accordingly placing all functionality for the CHDE on one server would obviously be inappropriate. That said, reasonably breaking out the CHDE into primary function servers, and employing a server to host security support services, can be found acceptable by the Qualified Security Assessor (QSA).
With the advances in virtualization technology today, the above requirement is substantially easier to meet than in the past. Today, with only a few physical servers, companies can host dozens of virtual servers, thereby alleviating the heartburn felt in the past over the requirement of one primary function per server. One important element to keep in mind is that the broader the spread of servers, the higher the long-term ongoing costs will be for the required maintenance elements of PCI compliance, so it is best to leverage experienced resources to find the appropriate balance for your organization.
In the next blog posting, we will cover “Protection of Cardholder Data”.
Adam Goslin, Co-Founder, High Bit Security, LLC
Adam has an IT career that spans more than 15 years, recently leading the IT and Infrastructure teams of Osiris Innovations Group as the Vice-President of IT, including leading the company through achieving PCI DSS Compliance. Adam went on to found the full-service security firm High Bit Security, LLC, specializing in assisting companies looking to achieve Payment Card Industry Data Security Standards compliance and in cost-effective Penetration Testing.
For more information about PCI compliance, you can email Adam at agoslin at highbitsecurity.com