1/4/2014 Author: Felicia

Payment Card Industry (PCI) standards have recently changed. The new version of PCI DSS 3.0 was published in November 2013. You may want to visit the PCI Standards Security Council website. You can find the PCI 3.0 DSS full document here. And you can find the version 2.0 to 3.0 changes here.

I thought it would be helpful to give you a condensed list of pointers to follow. You can use this as a simple guideline to determine if there are gaping holes in your network design regarding PCI. Please note that his list is NOT designed to be comprehensive. For a full list of PCI compliance standards, refer to the PCI Standards Security Council documentation.

Network Security and PCI

Here is a brief list of network design and security considerations that must be employed when creating a PCI compliant network configuration.

• The POS (point of sale) network where PCI transactions occur has to be segmented from the regular business LAN.
• This POS network should not have any wireless on it unless it is strictly controlled and specified to the highest security standards. No guest access is allowed under any circumstances.
• The POS network should have strict egress whitelist filtering policies. If you don't know what that is, contact a qualified consulting company like QPC.
  In brief, the only traffic allowed to leave the PCI network is that which is explicitly allowed. The firewall would NOT have an enabled any packet outgoing policy.
• Two-factor authentication must be used for any remote access systems.
• Remote access for an external vendor, such as the POS support company, cannot be on by default.
• It's a good idea to have a unique LAN for POS systems so that they can stay in their own little protected environment without impact while other network design changes occur on other LANs.
• DLP (digital loss prevention) rules are a very good rule to have configured on the firewall.
• The firewall should be configured to send log data to a reporting and logging server where compliance reports can be automatically generated on a regular schedule.
• POS computers should have software patches installed within 48 hours of a patch's release date. PCI standards require within 30 days.
• Users should NOT be browsing the internet or doing email on POS systems. POS systems should be used only for POS functions.

QPC regularly manages firewalls for organizations that must comply with HIPPA and PCI. QPC uses best in class WatchGuard security equipment with extensive custom programming to create multi-layered defense in depth strategies. Additionally, QPC configures WatchGuard's logging server and Dimension product to provide clients with the reports they need to have visibility into what is going on with their network and systems.

QPC also has a comprehensive systems management platform that typically installs updates on managed systems within 48 hours of the patch becoming publicly available. QPC also uses robust and feature-rich host-based security software on all managed systems to provide protection to managed systems wherever they are.

If you have a business that is subject to HIPPA or PCI compliance requirements, you should audit your systems to make sure that an adequate security strategy is in place.