Friday 7 May 2021

Achieving PCI DSS Compliant Firewalls within a Small Business

The most important and integral part of data security is having firewalls installed in the environment. Beyond that, installing firewalls is an essential requirement of the Payment Card Industry Data Security Standard (PCI DSS). However, simply installing a firewall on the network perimeter will not make your organization PCI DSS compliant.

PCI DSS sets out specific firewall requirements under requirement 1 and its sub-requirements, covering how firewalls should be installed, updated, and maintained, along with other firewall rules. This article explains the basic PCI DSS firewall requirements and the need for small businesses to install firewalls. But before getting into the details, let us first understand what a PCI DSS compliant firewall is.

What is a PCI DSS Compliant Firewall?
Firewalls are used to segment or isolate networks and are an essential component to limit cyber threats and protect internal networks from the internet and untrusted networks. In a merchant’s point-of-sale (POS) environment, a firewall's purpose is to allow only specific permitted network traffic into and out of the POS network environment.

However, if misconfigured and unmaintained, a firewall could fail to adequately protect networks and IT systems that process payment cards. The PCI Security Standards Council has provided requirements and guidance for firewalls to ensure that merchants and service providers correctly deploy and maintain firewalls.

PCI Firewall Requirements
The PCI DSS firewall requirements cover both technical specifications and physical access control requirements within PCI DSS requirements 1 & 9. This includes planning for future updates, reconfiguration, limiting inbound network traffic to only what is relevant, etc. The physical access requirements are more about ensuring that companies limit physical access to the Cardholder Data Environment (CDE). This would include inspecting card reading devices to identify any tampering, installing monitoring devices, requiring unique IDs for authorized access, and keeping visitor logs, to name a few.

To understand the technical requirements, let us review the PCI DSS firewall requirements summarised below.





Protect cardholder data with a firewall.

Firewalls are a key protection mechanism for securing the network and Cardholder Data Environment.


Establish and implement firewall and router configuration standards.

Establish firewall and router configuration standards, and examine them along with other documentation to verify that the standards are complete and implemented.


Establish a formal process to validate and test all network connections and changes to firewall and router configurations.

Establish documented procedures and verify that there is a formal process for testing and approving network connections and changes to firewall and router configurations. This would even include interviewing responsible personnel and examining records periodically to verify that network connections and a sample of actual changes made to firewall and router configurations are approved and tested.


Establish a network diagram to identify all connections between the cardholder data environment and other networks, including any wireless networks.

Create network diagrams that describe how networks are configured, and identify the location of all network devices. This prevents the possibility of any area being overlooked, unknowingly left out of the security controls implemented for PCI DSS, and left vulnerable to compromise.


Establish a data flow diagram that shows all cardholder data flows across systems and networks.

Create a data-flow diagram to identify the location of all cardholder data in the environment. This will help you understand and track the flow of the data across systems and networks. Further, the data-flow diagram must be kept up to date as the environment changes.


Establish firewalls at each Internet connection and between the DMZ and the local network.

The firewall on every Internet connection coming into the network, and between any DMZ and the internal network, allows the organization to monitor and control access. This further minimizes the chances of malicious unauthorized access to the internal network via an unprotected connection.


Create descriptions of groups, roles, and responsibilities for managing network components.

Establish roles and responsibilities for the management of network components. This is to ensure that personnel are aware of their roles and responsibilities pertaining to the security of all network components. This facilitates better accountability for the security of the CDE.


Document the business rationale for using all services, protocols, and ports allowed, and the security measures implemented for protocols considered unsafe.

Documenting the services, protocols, and ports that are necessary for business can prevent a compromise that would otherwise be caused by unused or insecure services and ports. Further, the use of any necessary protocol and port should be justified, and the security features that allow these protocols to be used securely should be documented and implemented.


Review firewall and router rules at least every six months.

Organizations must review firewall and router rules at least every six months to clear out unwanted, outdated, or incorrect rules and to ensure that the rules allow only authorized services and ports that match the documented business justifications.


Restrict connections between untrusted networks and all system components in the cardholder data environment with firewall and router configurations.

Install network protection between the internal, trusted network and any untrusted network that is external and/or out of one's ability to control or manage. This is to limit traffic and prevent any kind of vulnerability and unauthorized access by malicious individuals or software.


Restrict inbound and outbound traffic to only that which is necessary for the cardholder data environment, and limit all other traffic.

Examine all inbound and outbound connections and set restrictions of traffic based on the source and/or destination address. This helps filter out unnecessary traffic and prevents malicious individuals from accessing the network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner.


Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to allow only the traffic authorized for business purposes.

Firewalls must be installed between all wireless networks and the CDE, which may include, but is not limited to, corporate networks, retail stores, guest networks, warehouse environments, etc. Installing firewalls at the network perimeter works as a filter that allows only authorized traffic. This keeps malicious individuals from gaining unauthorized access to the wireless network and the CDE and compromising account information.


Prohibit direct public access between the internet and any system components in the cardholder data environment.


Firewalls must be installed to manage and control all connections between public systems and internal systems, especially those that store, process or transmit cardholder data. This prevents bypassing and compromise of system components and card data.



Create a demilitarized zone (DMZ) to limit incoming traffic to system components that only provide publicly accessible authorized services, protocols, and ports.

Implementing a DMZ prevents malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner.


Implement anti-spoofing measures to detect and prevent fraudulent source IP addresses from entering the network.

Implement anti-spoofing measures to stop traffic with forged source IP addresses from entering the internal network and causing a compromise.


Do not allow unauthorized traffic from the cardholder data environment to the internet.

Evaluate all traffic outbound from the cardholder data environment to the internet to ensure that it follows established, authorized rules and restricts traffic to only authorized communications.


Allow only established connections to the network.

Examine the firewall and router configurations to verify that the firewall permits only established connections into the internal network and blocks any inbound connections not associated with a previously established session. This prevents malicious traffic from trying to trick the firewall into allowing the connection.


Install personal firewall software on all portable computing devices that connect to the internet while off the network and that also access the CDE.

Installing personal firewall software or equivalent functionality on any portable computing device protects the device from Internet-based attacks that use the device to gain access to the organization's systems and data once the device is reconnected to the network.


Ensure that security policy and operational procedures for the management of firewalls are documented, in use, and known to all parties concerned.

Ensure that the security policies and operational procedures for managing firewalls are documented, in use, and that the personnel responsible are aware of them. This is to manage and prevent unauthorized access to the network.
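
The six-monthly rule review and the documented business justifications described above lend themselves to an automated check. The following Python code is an added example, not part of the original article or of PCI DSS itself: it compares an ordered ruleset against a register of documented justifications and reports rules that are undocumented, use an insecure protocol, allow any service, or expose the CDE to a public source. The rule fields, the register, the list of insecure protocols, and the sample rules are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed register of documented business justifications,
# keyed by (direction relative to the CDE, protocol, port).
JUSTIFIED = {
    ("out", "tcp", 443): "Payment gateway API over TLS",
    ("in", "tcp", 22): "Admin SSH from the management subnet",
}
INSECURE = {("tcp", 21): "FTP", ("tcp", 23): "Telnet"}  # illustrative cleartext protocols
REVIEW_INTERVAL = timedelta(days=183)  # "at least every six months"

@dataclass
class Rule:
    name: str
    direction: str   # "in" or "out" relative to the CDE
    src: str         # source network in CIDR form
    proto: str       # "tcp", "udp" or "any"
    port: int        # 0 means any port
    action: str = "allow"

def audit(rules, last_review: date, today: date):
    """Return (rule name, issue) pairs for an ordered, first-match ruleset."""
    findings = []
    if today - last_review > REVIEW_INTERVAL:
        findings.append(("ruleset", "review overdue"))
    for r in rules:
        if r.action != "allow":
            continue
        if r.proto == "any" or r.port == 0:
            findings.append((r.name, "allows any service"))
        elif (r.direction, r.proto, r.port) not in JUSTIFIED:
            findings.append((r.name, "no documented justification"))
        if (r.proto, r.port) in INSECURE:
            findings.append((r.name, "insecure protocol: " + INSECURE[(r.proto, r.port)]))
        if r.direction == "in" and r.src == "0.0.0.0/0":
            findings.append((r.name, "public source reaches CDE"))
    if not rules or rules[-1].action != "deny" or rules[-1].proto != "any":
        findings.append(("ruleset", "no final deny-all rule"))
    return findings

# Constructed sample ruleset (private address ranges only).
RULES = [
    Rule("gw-https-out", "out", "10.10.0.0/24", "tcp", 443),
    Rule("admin-ssh", "in", "10.20.0.0/28", "tcp", 22),
    Rule("legacy-ftp", "in", "10.30.0.5/32", "tcp", 21),
    Rule("web-any", "in", "0.0.0.0/0", "tcp", 443),
    Rule("temp-all", "out", "10.10.0.0/24", "any", 0),
    Rule("default-deny", "in", "0.0.0.0/0", "any", 0, "deny"),
]
```

Calling `audit(RULES, date(2020, 9, 1), date(2021, 5, 7))` returns the overdue review plus the findings for `legacy-ftp`, `web-any` and `temp-all`; the two justified rules produce no findings.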

Why does a small business need a PCI Compliant Firewall?
Poor firewall implementation and maintenance is a common factor in cyber attacks and payment card data thefts within small businesses, which is often due to poor IT security understanding and a lack of suitable resources among IT and business management. Business connectivity with the internet poses the greatest risk that a firewall safeguards against. PCI DSS requires all internet connectivity to be protected with a firewall, which effectively creates a ‘buffer zone’ between the business's IT network or systems and untrusted external networks and systems. Other reasons why firewalls are essential for small businesses include:

Access Controls
The firewall operates at the network layer, filtering all incoming requests based on IP address and the service being accessed, such as web, email, or some customised ports. So, installing firewalls to a great extent restricts unauthorized access and prevents malicious individuals from gaining unauthorised access to the network and compromising data.

Cloud Security

Connectivity with third parties and cloud service providers can also be controlled through a firewall policy, to safeguard from supply chain threats and protect sensitive data from exposure.

Malware Protection
Firewalls do much more than just filter network traffic based on IP addresses. 'Next Generation' firewalls provide security controls beyond the traditional firewall controls of IP address and port filtering, such as VPNs, web filtering capabilities, anti-malware screening of incoming traffic, and intrusion detection/prevention, which is another PCI DSS requirement.

Application and Database Protection
Some firewalls have web application screening capability and are known as Web Application Firewalls (WAF). A correctly configured WAF provides protection from application-layer threats such as web-based attacks like SQL injections, where an attacker manipulates a web application to expose the back-end database. PCI DSS requirement 6.6 requires installing an automated technical solution that detects and prevents web-based attacks (e.g., a web application firewall) as one of two ways to address vulnerabilities to public-facing web applications.

Monitoring and Responding to Malicious Activity
Firewalls monitor and report suspected attacks. With the support of a 'Security Information and Event Management' (SIEM) tool, the business is able to detect and quickly respond to cyber-attacks, which is covered by PCI DSS requirement 10.

Smaller businesses are considered easy prey by hackers, due to the tendency of such firms not to have sufficiently robust IT security controls in place. Small businesses which process payment cards are specifically targeted by cybercriminals, as they can quickly turn stolen credit card data into cash via the dark web. Installing and maintaining a firewall is a fundamental and basic IT security pillar whose importance should never be neglected or underestimated, along with configuring IT systems to be secure, implementing access control, deploying anti-virus, and keeping all software up-to-date. PCI DSS provides a highly descriptive set of security industry good practice IT controls, which if completely adhered to on a continual 24/7/365 basis, is sufficient to protect your business from payment card compromises by cybercriminals.

Author Bio
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
