Requirement 1 of PCI DSS v4 focuses on installing and maintaining network security controls (NSCs) to protect cardholder data. In this blog post, we'll dive into the key aspects of Requirement 1 and discuss how organizations can effectively implement these security measures.
The Importance of Network Security Controls
Network security controls are crucial in preventing unauthorized access to sensitive cardholder data. Requirement 1 ensures that organizations have well-defined processes and mechanisms for installing and maintaining these controls. By implementing firewall and router configuration standards, documenting network diagrams, and restricting network access, organizations can significantly reduce the risk of data breaches.
Requirement 1.1: Processes and mechanisms for installing and maintaining network security controls are defined and understood.
Purpose:
Requirement 1.1 ensures that organizations have well-defined and comprehensible processes and mechanisms for installing and maintaining network security controls. This requirement aims to establish a strong foundation for network security by ensuring that all relevant parties understand their roles and responsibilities in protecting cardholder data.
Good Practice / Guidance:
1.1.1 Documentation:
All security policies and operational procedures identified in Requirement 1 should be documented, kept up to date, actively used, and known to all affected parties. It is important to update these documents promptly after any changes occur, rather than only on a periodic basis.
1.1.2 Roles and Responsibilities:
Roles and responsibilities for performing activities in Requirement 1 should be clearly documented, assigned, and understood by all relevant personnel. These roles and responsibilities can be documented within policies and procedures or maintained in separate documents. To ensure accountability, organizations should consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
Requirement 1.2: Network security controls (NSCs) are configured and maintained.
Purpose:
Requirement 1.2 focuses on the proper configuration and maintenance of network security controls. This requirement ensures that NSCs are consistently configured and managed to perform their security functions effectively, thereby protecting the cardholder data environment (CDE) from unauthorized access and potential threats.
Good Practice / Guidance:
1.2.1 Configuration Standards:
Configuration standards for NSC rulesets should be defined, implemented, and maintained. These standards should outline acceptable protocols, permitted ports, and specific configuration requirements, as well as what the organization considers unacceptable or not permitted within its network.
1.2.2 Change Management:
All changes to network connections and NSC configurations should be approved and managed through a formal change control process, as defined in Requirement 6.5.1. Changes should be approved by authorized personnel with the appropriate knowledge to understand the impact of the change, and verified after implementation to ensure they do not adversely affect network security.
1.2.3 Network Diagrams:
Organizations should maintain accurate and up-to-date network diagrams that show all connections between the CDE and other networks, including wireless networks. These diagrams should include all locations, clearly labeled network segments, security controls providing segmentation, and all in-scope system components. Regular updates to the diagrams should be made by authorized personnel.
1.2.4 Data Flow Diagrams:
Accurate data flow diagrams should be maintained to show all account data flows across systems and networks. These diagrams should be updated as needed to reflect changes in the environment and should include all connection points, processing flows, storage locations, and entities with which account data is shared.
1.2.5 Allowed Services, Protocols, and Ports:
All services, protocols, and ports allowed should be identified, approved, and have a defined business need. The security risks associated with each should be understood, and approvals should be granted by personnel independent of those managing the configuration.
1.2.6 Insecure Services, Protocols, and Ports:
Security features should be defined and implemented for all services, protocols, and ports that are in use and considered insecure. The specific risks associated with these should be understood, assessed, and appropriately mitigated.
1.2.7 NSC Configuration Review:
Configurations of NSCs should be reviewed at least once every six months to confirm their relevance and effectiveness. This review ensures that only authorized connections with current business justifications are permitted and helps identify any outdated or incorrect rules and configurations.
1.2.8 Configuration File Security:
Configuration files for NSCs should be secured from unauthorized access and kept consistent with active network configurations. This ensures that correct settings are applied whenever the configuration is run, preventing unauthorized configurations from being applied to the network.
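The guidance in 1.2.1, 1.2.5, 1.2.6 and 1.2.7 comes down to a checkable standard: every permitted service has a documented business need and an independent approver, insecure services carry a documented mitigation, and every rule is justified and reviewed within six months. The following Python script is an added example, not code from the PCI DSS standard or from this post, of an automated pre-review that compares a firewall ruleset against such a standard. The services list, team names, rule entries and dates are all constructed for the example; a real review would load the standard and the live ruleset from the organization's own sources.

```python
"""Added example: check a firewall ruleset against a configuration standard.
All service entries, team names, rules and dates below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed configuration standard (1.2.1 / 1.2.5 / 1.2.6). Each permitted
# (protocol, port) records the business need and the approver; approval must
# come from someone independent of the firewall administrators, and a service
# considered insecure must have a documented mitigating security feature.
ALLOWED_SERVICES = {
    ("tcp", 443): {"service": "https", "business_need": "payment API",
                   "approved_by": "security-governance"},
    ("tcp", 22): {"service": "ssh", "business_need": "admin jump host",
                  "approved_by": "security-governance"},
    ("tcp", 21): {"service": "ftp", "business_need": "legacy settlement files",
                  "approved_by": "security-governance", "insecure": True,
                  "mitigation": "tunnelled over IPsec, single approved source"},
}
FIREWALL_ADMINS = {"fw-team"}            # teams that manage the configuration
REVIEW_INTERVAL = timedelta(days=182)    # "at least once every six months" (1.2.7)


@dataclass
class Rule:
    rule_id: str
    action: str          # "allow" or "deny"
    proto: str
    port: int
    src: str
    dst: str
    justification: str = ""
    last_reviewed: Optional[date] = None


def review_ruleset(rules, today, allowed=ALLOWED_SERVICES, admins=FIREWALL_ADMINS):
    """Return (rule_id, finding) pairs for allow rules that violate the standard."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules need no business justification
        std = allowed.get((r.proto, r.port))
        if std is None:
            findings.append((r.rule_id, f"{r.proto}/{r.port} is not in the approved services list"))
        else:
            if std["approved_by"] in admins:
                findings.append((r.rule_id, "approval is not independent of firewall administrators"))
            if std.get("insecure") and not std.get("mitigation"):
                findings.append((r.rule_id, f"insecure service {std['service']} has no documented mitigation"))
        if not r.justification:
            findings.append((r.rule_id, "no business justification recorded"))
        if r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0":
            findings.append((r.rule_id, "any-to-any allow rule"))
        if r.last_reviewed is None or today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.rule_id, "not reviewed within the last six months"))
    return findings


# Constructed sample ruleset: R2 permits telnet with no justification and a
# stale review; R3 is approved but has never been reviewed; R4 is the default deny.
SAMPLE_RULES = [
    Rule("R1", "allow", "tcp", 443, "0.0.0.0/0", "10.10.1.10/32", "public payment API", date(2024, 3, 1)),
    Rule("R2", "allow", "tcp", 23, "10.20.0.0/24", "10.10.1.20/32", "", date(2023, 1, 15)),
    Rule("R3", "allow", "tcp", 22, "10.20.5.5/32", "10.10.1.0/24", "admin jump host", None),
    Rule("R4", "deny", "any", 0, "0.0.0.0/0", "0.0.0.0/0", "default deny", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for rule_id, finding in review_ruleset(SAMPLE_RULES, date(2024, 6, 1)):
        print(f"{rule_id}: {finding}")
```

Run against the constructed rules with a review date of 2024-06-01, the script flags R2 three times and R3 once and passes R1 and the default deny. The point of the independent-approver check is the one the guidance makes in 1.2.5: the people who write the rules should not be the people who approve the business need for them.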
Requirement 1.3: Network access to and from the cardholder data environment is restricted.
Purpose:
Requirement 1.3 aims to restrict network access to and from the cardholder data environment (CDE) to prevent unauthorized traffic from entering or leaving the CDE. By limiting network access, organizations can reduce the risk of malicious individuals gaining access to sensitive cardholder data or compromised system components communicating with untrusted external hosts.
Good Practice / Guidance:
1.3.1 Inbound Traffic Restrictions:
Inbound traffic to the CDE should be restricted to only necessary traffic, with all other traffic specifically denied. This helps prevent malicious individuals from accessing the organization's network using unauthorized IP addresses, services, protocols, or ports. All inbound traffic, regardless of its origin, should be evaluated to ensure it follows established, authorized rules and is restricted to only authorized communications.
1.3.2 Outbound Traffic Restrictions:
Outbound traffic from the CDE should be restricted to only necessary traffic, with all other traffic specifically denied. This prevents malicious individuals and compromised system components within the organization's network from communicating with untrusted external hosts. All outbound traffic, regardless of its destination, should be evaluated to ensure it follows established, authorized rules and is restricted to only authorized communications.
1.3.3 Wireless Networks:
Network security controls (NSCs) should be installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE. By default, all wireless traffic from wireless networks into the CDE should be denied, and only wireless traffic with an authorized business purpose should be allowed into the CDE. This helps prevent malicious individuals from gaining unauthorized access to the wireless network and connecting to the CDE, compromising account information.
Requirement 1.4: Network connections between trusted and untrusted networks are controlled.
Purpose:
Requirement 1.4 focuses on controlling network connections between trusted and untrusted networks to prevent unauthorized traffic from traversing network boundaries. By implementing network security controls (NSCs) and restricting traffic between these networks, organizations can reduce the risk of malicious actors gaining access to sensitive data or system components.
Good Practice / Guidance:
1.4.1 Implementing NSCs:
NSCs should be implemented between trusted and untrusted networks to prevent unauthorized traffic from crossing network boundaries. Placing NSCs at every connection point between trusted and untrusted networks allows the organization to monitor and control access, minimizing the chances of a malicious individual obtaining access to the internal network via an unprotected connection.
1.4.2 Restricting Inbound Traffic:
Inbound traffic from untrusted networks to trusted networks should be restricted to communications with system components authorized to provide publicly accessible services, protocols, and ports, and to stateful responses to communications initiated by system components in a trusted network. All other traffic should be denied. This helps prevent malicious actors from accessing the organization's internal network from the Internet or using services, protocols, or ports in an unauthorized manner.
1.4.3 Implementing Anti-Spoofing Measures:
Anti-spoofing measures should be implemented to detect and block forged source IP addresses from entering the trusted network. This prevents packets with spoofed IP addresses from appearing as if they originate from the organization's internal network, providing an additional layer of protection against unauthorized access.
1.4.4 Protecting Cardholder Data Storage:
System components that store cardholder data should not be directly accessible from untrusted networks. Ensuring that cardholder data storage systems can only be directly accessed from trusted networks adds an extra layer of defense, making it more difficult for external attackers to reach these critical system components.
1.4.5 Limiting Disclosure of Internal Network Information:
The disclosure of internal IP addresses and routing information should be limited to authorized parties only. Restricting access to this sensitive network information helps prevent hackers from obtaining knowledge that could be used to gain unauthorized access to the organization's network.
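Requirements 1.3 and 1.4 describe the same enforcement model from two angles: traffic between zones is denied by default and permitted only for approved flows (1.3.1, 1.3.2, 1.3.3), inbound traffic from untrusted networks is limited to published services plus stateful responses to connections the trusted side opened (1.4.2), and packets arriving from an untrusted network with an internal source address are dropped as spoofed (1.4.3). The Python model below is an added example, not code from the standard or this post, that shows how an NSC applies those decisions in order. The zone prefixes, approved flows and packet scenario are constructed; a production firewall expresses the same policy in its own rule language and does connection tracking in the kernel rather than in a Python set.

```python
"""Added example: a zone-based NSC model with default deny, stateful replies
and an anti-spoofing check. Zones, addresses and flows are constructed."""
import ipaddress

# Constructed zones: the prefix behind each NSC interface. Anything that does
# not fall inside an internal prefix is treated as the untrusted network.
ZONES = {
    "dmz": ipaddress.ip_network("10.5.0.0/24"),       # public-facing web tier
    "cde": ipaddress.ip_network("10.10.0.0/16"),      # cardholder data environment
    "corp": ipaddress.ip_network("10.20.0.0/16"),     # general office network
    "wireless": ipaddress.ip_network("10.30.0.0/16"), # wireless (not a CDE)
}

# Approved flows as (ingress zone, destination zone, protocol, destination port).
# Everything not listed is denied, inbound and outbound alike.
ALLOWED_FLOWS = {
    ("untrusted", "dmz", "tcp", 443),   # public payment front end (1.4.2)
    ("dmz", "cde", "tcp", 8443),        # web tier to payment application
    ("cde", "untrusted", "tcp", 443),   # outbound to the acquirer only (1.3.2)
    # no wireless -> cde flow is listed, so wireless traffic is denied (1.3.3)
}


def zone_of(ip):
    """Map an address to the zone whose prefix contains it, else 'untrusted'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


class Firewall:
    def __init__(self):
        self.conntrack = set()  # established flows: (src, sport, dst, dport, proto)

    def evaluate(self, ingress, src, sport, dst, dport, proto="tcp"):
        # 1.4.3: a packet must arrive on the interface its source address belongs
        # to; an internal address arriving from the untrusted side is forged.
        if zone_of(src) != ingress:
            return "drop: spoofed source"
        # 1.4.2: replies to a connection the policy already admitted are allowed.
        if (dst, dport, src, sport, proto) in self.conntrack:
            return "allow: established"
        # 1.3.1 / 1.3.2: only explicitly approved new flows are permitted.
        if (ingress, zone_of(dst), proto, dport) in ALLOWED_FLOWS:
            self.conntrack.add((src, sport, dst, dport, proto))
            return "allow: policy"
        return "drop: default deny"


def run_scenario():
    """Constructed packet sequence; returns the verdict for each packet in order."""
    fw = Firewall()
    packets = [
        ("untrusted", "198.51.100.7", 50000, "10.5.0.10", 443),   # client to web tier
        ("dmz", "10.5.0.10", 443, "198.51.100.7", 50000),         # web tier reply
        ("untrusted", "203.0.113.9", 4444, "10.10.1.5", 22),      # ssh straight into CDE
        ("untrusted", "10.10.1.5", 443, "10.10.1.6", 443),        # internal source from outside
        ("wireless", "10.30.2.2", 51000, "10.10.1.5", 8443),      # wireless into CDE
        ("cde", "10.10.1.5", 51234, "203.0.113.50", 443),         # CDE to acquirer
        ("cde", "10.10.1.5", 51235, "203.0.113.50", 25),          # CDE outbound SMTP
    ]
    return [fw.evaluate(*p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Two details of the scenario are worth noting. The reply from the web tier passes only because the client's request was admitted first; an unsolicited packet with a source port of 443 gets no such credit and falls through to the default deny. And the outbound SMTP packet from the CDE is dropped even though it comes from a trusted host, which is exactly the 1.3.2 case of a compromised component trying to reach an untrusted destination.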
Requirement 1.5: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
Purpose:
Requirement 1.5 aims to mitigate the risks posed by computing devices that can connect to both untrusted networks (including the Internet) and the cardholder data environment (CDE). These devices, such as company-owned or employee-owned laptops, tablets, and smartphones, are more vulnerable to Internet-based threats and could potentially introduce malware or other threats into the organization's network when reconnecting to the CDE.
Good Practice / Guidance:
1.5.1 Implementing Security Controls:
Security controls should be implemented on any computing devices, including company-owned and employee-owned devices, that connect to both untrusted networks and the CDE. These controls may include:
- Specific configuration settings designed to prevent threats from being introduced into the entity's network. These settings should be consistent with the organization's network security policies and procedures.
- Active security controls, such as host-based firewalls, endpoint protection solutions, network-based heuristics inspection, or hardware-based controls, to protect devices from Internet-based attacks.
- Restrictions on users' ability to alter security controls on their devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.
In cases where there is a legitimate need to temporarily disable security controls on a device that connects to both an untrusted network and the CDE (e.g., for maintenance or troubleshooting), the reason for taking such action should be understood and approved by an appropriate management representative. The disabling or altering of these security controls should only be performed by authorized personnel.
It is important to recognize that administrators may have privileges that allow them to disable security controls on their own devices. To mitigate this risk, organizations should implement alerting mechanisms to notify relevant parties when such controls are disabled and follow up to ensure that proper processes were followed.
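Because administrators can disable host-based controls on their own devices, 1.5.1 relies on two things: a documented, time-limited, management-approved exception, and an alert whenever a control is disabled so that someone can confirm the exception existed. The Python script below is an added example, not code from the standard or this post, of that alerting logic run over endpoint agent events. The log line format, the host and user names and the exception table are constructed for the example; a real deployment would read the events from its endpoint management or SIEM platform and the exceptions from its change records.

```python
"""Added example: alert when endpoint security controls are disabled outside
an approved, time-limited exception, or are never restored. The log format,
hosts, users and exception records are constructed."""
import re
from datetime import datetime, timezone

# Events that mean a control was turned off, and the event that restores it.
RESTORE_EVENT = {
    "host_firewall_disabled": "host_firewall_enabled",
    "edr_agent_stopped": "edr_agent_started",
}

# Constructed log line shape: "<iso timestamp> host=<h> user=<u> event=<e>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def find_exception(exceptions, host, ts):
    """Return the approved exception covering this host at this time, if any."""
    for exc in exceptions:
        if exc["host"] == host and exc["start"] <= ts <= exc["end"]:
            return exc
    return None


def check_control_events(lines, exceptions):
    """Return alerts for disables without approval and for controls never restored."""
    alerts = []
    pending = {}  # (host, restore event) -> the disable record still outstanding
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] in RESTORE_EVENT:
            if find_exception(exceptions, rec["host"], rec["ts"]) is None:
                alerts.append({"host": rec["host"], "user": rec["user"],
                               "reason": f"{rec['event']} without an approved exception"})
            pending[(rec["host"], RESTORE_EVENT[rec["event"]])] = rec
        elif (rec["host"], rec["event"]) in pending:
            del pending[(rec["host"], rec["event"])]  # control restored
    # Follow-up (1.5.1): anything still disabled at the end of the window is escalated.
    for (host, _), rec in pending.items():
        alerts.append({"host": host, "user": rec["user"],
                       "reason": f"{rec['event']} not restored by end of log"})
    return alerts


# Constructed exceptions: one valid for the first event, one already expired.
EXCEPTIONS = [
    {"host": "lt-0412", "approved_by": "it-manager",
     "start": datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc),
     "end": datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)},
    {"host": "lt-0777", "approved_by": "it-manager",
     "start": datetime(2024, 6, 1, 0, 0, tzinfo=timezone.utc),
     "end": datetime(2024, 6, 2, 0, 0, tzinfo=timezone.utc)},
]

# Constructed endpoint agent log.
SAMPLE_LOG = [
    "2024-06-03T09:12:44Z host=lt-0412 user=jsmith event=host_firewall_disabled",
    "2024-06-03T09:15:02Z host=lt-0412 user=jsmith event=host_firewall_enabled",
    "2024-06-03T11:40:10Z host=lt-0933 user=adm-lee event=edr_agent_stopped",
    "2024-06-04T08:00:00Z host=lt-0777 user=kpatel event=host_firewall_disabled",
]

if __name__ == "__main__":
    for alert in check_control_events(SAMPLE_LOG, EXCEPTIONS):
        print(alert)
```

On the constructed log, lt-0412 produces no alert: the firewall was disabled inside an approved window and re-enabled three minutes later. lt-0933 is alerted twice, once because the EDR agent was stopped with no exception on file and once because it was never started again, and lt-0777 is alerted twice for the same reasons, since its exception expired two days before the event. That second class of alert is the "follow up" the guidance asks for: an approved disable that is never reverted is just as much a gap as an unapproved one.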