Getting Compliant with PCI Requirement 1: The Basics in Managing Your Firewall

What do you know about your firewall? 

Whether you’re new to PCI DSS, or have done it for several years now, you’re likely familiar with the 12 requirements. PCI Requirement 1 deals with setting up and configuring firewalls to protect your business data.

When it comes to firewalls, many businesses think they have it covered once they purchase and plug in a firewall. However, a lot more is involved with installing and configuring a firewall to suit your business’s unique security needs.
Here are some things to keep in mind when fulfilling PCI Requirement 1.

Know which types of firewall to use

Not all firewalls are the same. The two main types of firewall are hardware and software firewalls.
  • Hardware firewall: usually installed at the perimeter of an organization’s network to protect internal systems from untrusted external networks. They are also used to help separate the cardholder data environment (CDE) from non-CDE systems. These firewalls are generally more expensive and can be difficult to configure properly.
  • Software firewall: usually used to protect a single host, such as mobile devices that can move outside the secure environment. While this type of firewall is easier to maintain and less expensive, it doesn’t protect an entire network and has fewer security options. 
To properly secure your payment environment, it's recommended that you use both types, since they cater to different elements of security.

Configure your firewall properly 

Lack of proper firewall configuration is a big cause of data breaches in many businesses. In the businesses we investigated in 2015, 76% of breached businesses didn’t have a properly configured firewall.

You’ll need to set up your firewall rules to determine what goes in and out of your network. Most firewalls ship with a default policy that either lets all traffic in or none in. They should be configured to filter both inbound and outbound traffic. If an attacker does get into the system, outbound rules can make it more difficult to export stolen data.
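To make the point about default policies and outbound filtering concrete, here is an added example (not code from the SecurityMetrics post) of a tiny first-match rule evaluator. It compares a firewall left with a permissive outbound default against one that filters both directions with a default-deny policy. The CDE segment, the payment-processor range and every rule and address in it are constructed for illustration.

```python
"""Added example: first-match firewall rule evaluation, permissive vs. hardened.
All networks, ports and rules below are constructed, not taken from any real site."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp" or "any"
    dst_net: str              # destination network in CIDR notation
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.proto in ("any", flow.proto)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst_net)
            and rule.dst_port in (None, flow.dst_port))


def evaluate(rules: List[Rule], flow: Flow, default: str) -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action
    return default


# Hypothetical CDE segment and the two services it legitimately needs to reach.
CDE_NET = "10.10.20.0/24"
PROCESSOR_NET = "203.0.113.0/24"   # documentation range standing in for the payment processor
NTP_SERVER = "10.10.1.5/32"

# Ruleset 1: the "plug it in" configuration. Only inbound traffic is filtered;
# anything outbound falls through to a permissive default.
PERMISSIVE_RULES = [Rule("in", "tcp", CDE_NET, 443, "allow")]
PERMISSIVE_DEFAULT_OUT = "allow"

# Ruleset 2: both directions filtered, explicit egress allows, default deny.
HARDENED_RULES = [
    Rule("in", "tcp", CDE_NET, 443, "allow"),
    Rule("out", "tcp", PROCESSOR_NET, 443, "allow"),
    Rule("out", "udp", NTP_SERVER, 123, "allow"),
]
HARDENED_DEFAULT = "deny"


def decide(ruleset_name: str, flow: Flow) -> str:
    """Evaluate a flow against the named ruleset and return "allow" or "deny"."""
    if ruleset_name == "permissive":
        default = PERMISSIVE_DEFAULT_OUT if flow.direction == "out" else "deny"
        return evaluate(PERMISSIVE_RULES, flow, default)
    return evaluate(HARDENED_RULES, flow, HARDENED_DEFAULT)


# A CDE host opening a TLS connection to an unapproved Internet address is the
# kind of connection stolen data would leave over; the processor is approved.
UNAPPROVED_EGRESS = Flow("out", "tcp", "10.10.20.15", "198.51.100.7", 443)
PROCESSOR_EGRESS = Flow("out", "tcp", "10.10.20.15", "203.0.113.10", 443)

if __name__ == "__main__":
    for name in ("permissive", "hardened"):
        print(name, "unapproved egress:", decide(name, UNAPPROVED_EGRESS))
        print(name, "processor egress:", decide(name, PROCESSOR_EGRESS))
```

Both rulesets accept the same inbound traffic; the difference only shows on the outbound side, which is exactly where a firewall that was never configured beyond its defaults stops helping.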

SEE ALSO: Firewalls 101: 5 Things You Should Know

Consider managed firewall services

Configuring and maintaining your firewall can get technical and time consuming. Depending on your business environment, you should consider having a managed firewall service. This means you have another company install, configure, and manage your firewall for you. This eliminates a lot of hassle, and may save you time and resources.

Remember, you still need to make sure those managing your firewall follow the standards of the PCI DSS. Having someone else manage your firewall doesn’t get you off the hook, should you get breached.

Learn more about our Managed Firewall Service! 

Additional tips to consider

Here are a few additional things to remember when fulfilling Requirement 1:
  • Pay attention to and review firewall logs: if your firewall is picking up that someone tried to log into your network 200 times last night, you need to be aware of that.
  • Review configuration rules regularly: business environments change, and your firewall rules should change along with them.
  • Have help in setting up and configuring firewalls: firewalls can be a bit technical, so it’s a good idea to have a third party set them up properly.
Remember, firewalls are your first line of defense. Make sure they are ready to handle attacks that may come your way.
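The "200 attempts last night" in the first tip only gets noticed if someone, or something, reads the logs. As an added example (not code from the SecurityMetrics post), the routine below parses firewall deny and authentication-failure lines, counts events per source address in a sliding window, and flags sources that cross a threshold. The log format and every log line are constructed for this example; a real deployment would adapt the regular expression to its own firewall's format.

```python
"""Added example: flag repeated denied/failed connections per source address.
The log format and all sample lines are constructed, not from any real device."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed, simplified firewall log format:
#   <ISO timestamp> <action> src=<ip> dst=<ip>:<port> proto=<proto>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>DENY|ALLOW|AUTH_FAIL) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) "
    r"proto=(?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    fields["port"] = int(fields["port"])
    return fields


def flag_repeated_failures(lines: List[str], threshold: int = 100,
                           window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Map source IP -> peak number of DENY/AUTH_FAIL events inside any sliding
    window, for sources whose peak reaches the threshold. ALLOW lines and
    unparseable lines never count."""
    per_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and event["action"] in ("DENY", "AUTH_FAIL"):
            per_src[event["src"]].append(event["ts"])

    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of ts.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log() -> List[str]:
    """Constructed log: one source fails 200 logins in ~40 minutes, another
    probes RDP three times, plus normal traffic and an unparseable line."""
    base = datetime(2016, 3, 14, 2, 0, 0)
    lines = []
    for i in range(200):
        ts = (base + timedelta(seconds=12 * i)).isoformat()
        lines.append(f"{ts} AUTH_FAIL src=198.51.100.23 dst=10.10.20.15:22 proto=tcp")
    for i in range(3):
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} DENY src=203.0.113.77 dst=10.10.20.15:3389 proto=tcp")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} ALLOW "
                 f"src=10.10.1.20 dst=10.10.20.15:443 proto=tcp")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, count in flag_repeated_failures(build_sample_log()).items():
        print(f"{src}: {count} failed/denied attempts within one hour")
```

The threshold and window are deliberately parameters: a low-volume merchant might alert on a few dozen failures an hour, while a busy service provider tunes them against its own baseline.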

But also note that firewalls aren’t your failsafe against data breaches. 83% of businesses breached through unsecured remote access had a firewall in place. You need to have other security protocols in place to fully protect your business’s data.

Having troubles getting compliant with PCI Requirement 1? Talk to us! 

SecurityMetrics NIST 800-30 Risk Assessment

Use a framework when making your risk assessment.  

Do you know where your business is struggling in security? Are you compliant with all government and financial mandates? Do you know where to get started?

While risk assessments are a good place to start in securing your business’s data, many businesses aren’t sure where to start with even a risk assessment. It can be difficult to put together a list of all possible risks a business may have in an organized, understandable document.

SecurityMetrics noticed this problem and looked into what could be done to help businesses put together their risk assessments quickly and efficiently. That’s where the NIST 800-30 Risk Assessment comes in.

This is a framework created by NIST to conduct a thorough risk analysis for your business. It meets the requirements of many compliance mandates, such as PCI DSS, HIPAA, EI3PA, GLBA, FISMA, and SOX.

SEE ALSO: The Basics of a Risk Assessment: Why Your Business Needs One

How does the process work? 

This assessment gives you a structured basis for managing and addressing risks in your business and guides your efforts going forward.
Here’s a quick look at the NIST 800-30 risk management process.
  1. Prepare for Assessment – Identify the purpose and scope of the assessment. Determine how and where sensitive data is created, transmitted, and stored.
  2. Threat Sources and Events – Identify the types of threat source your organization faces (e.g. adversarial, accidental, structural, environmental) and the events those sources could trigger (e.g. phishing, power outage).
  3. Vulnerabilities and Predisposing Conditions – Identifying threats leads you to vulnerabilities, which can be associated with information systems or with the environments in which those systems operate. This step also identifies predisposing conditions to consider during the risk assessment.
  4. Determine Likelihood of Occurrence – Using a tiered scale, determine the likelihood of threat events occurring and causing adverse impacts.
  5. Determine Magnitude of Impact – Once likelihood of occurrence is determined, use a tiered scale to determine the impact of each threat event.
  6. Risk Determination – Combine the likelihood and the magnitude of impact of each threat to determine the risk to the organization.
  7. Informing Risk Response (Communicate Results) – Ensure the appropriate people inside the organization have the risk-related information they need to inform and guide decision-making.
  8. Maintain Assessment – Monitor the risk factors identified in the risk assessment and update the assessment as threats, vulnerabilities, and risks change.
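Steps 4 through 6 are where most of the judgement happens, so here they are carried through in code as an added example (not part of the SecurityMetrics post). A five-tier scale rates likelihood and impact, a lookup table combines them into a risk tier, and the events are ranked for the step 7 report. The table is modelled on the qualitative approach of NIST SP 800-30 Rev. 1 Appendix I, but the specific cells are this example's own and should be replaced by whatever scale your assessment adopts; the threat events are constructed.

```python
"""Added example: NIST 800-30 style risk determination from likelihood and impact tiers.
The combination table and the sample threat events are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

TIERS = ["very low", "low", "moderate", "high", "very high"]

# Illustrative combination table: rows are likelihood, columns are impact
# (in TIERS order). Not the authoritative NIST table; adopt your own scale.
RISK_TABLE = {
    "very low":  ["very low", "very low", "very low", "low", "low"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "very high": ["very low", "low", "moderate", "high", "very high"],
}


@dataclass(frozen=True)
class ThreatEvent:
    source_type: str   # adversarial, accidental, structural or environmental (step 2)
    description: str
    likelihood: str    # step 4, one of TIERS
    impact: str        # step 5, one of TIERS


def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: combine the two tiers into a risk tier via the table."""
    if likelihood not in TIERS or impact not in TIERS:
        raise ValueError(f"tiers must be one of {TIERS}")
    return RISK_TABLE[likelihood][TIERS.index(impact)]


def rank_risks(events: List[ThreatEvent]) -> List[Tuple[str, str]]:
    """Score every event and order them highest risk first, so the step 7
    report leads with what decision-makers most need to see."""
    scored = [(e.description, risk_level(e.likelihood, e.impact)) for e in events]
    return sorted(scored, key=lambda item: TIERS.index(item[1]), reverse=True)


# Constructed events covering each threat-source type from step 2.
SAMPLE_EVENTS = [
    ThreatEvent("adversarial", "Phishing email leads to credential theft on a CDE workstation",
                "high", "very high"),
    ThreatEvent("environmental", "Power outage takes the POS network offline for a day",
                "moderate", "moderate"),
    ThreatEvent("accidental", "Administrator misconfigures an outbound firewall rule",
                "moderate", "high"),
    ThreatEvent("structural", "Ageing card reader fails during peak hours",
                "low", "low"),
]

if __name__ == "__main__":
    for description, risk in rank_risks(SAMPLE_EVENTS):
        print(f"{risk:>9}  {description}")
```

Because the mapping is data rather than code, step 8 (maintaining the assessment) is a matter of re-rating likelihood and impact as conditions change and re-running the ranking, not rewriting the method.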

Why choose SecurityMetrics?

When you come to us for your NIST 800-30, you get additional benefits, including:
  • Compliance Vendor – We have expertise in PCI assessments, forensic incident response, vulnerability scanning, penetration testing, card data discovery, security appliances, PA-DSS application security assessments, P2PE assessments, HIPAA assessments, training, and consulting. SecurityMetrics is one of only a few companies that hold credentials for all aspects of PCI.
  • Open and Ongoing Relationship – Whenever compliance questions or worries arise, SecurityMetrics’ compliance professionals will work with you to address your concerns.
  • Accurate and Understandable Results – SecurityMetrics gives you the facts on every aspect of your assessment through an easy-to-understand online reporting console.
  • Single Point of Contact – To keep communication lines open and eliminate confusion, SecurityMetrics assigns a single point of contact for each assessment.

Need help in getting your business secure? Talk to us!

SecurityMetrics Audit for SANS Top 20 Critical Security Controls for Cyber Defense

Learn more about how your organization can fight cyberattacks. 

Can your business withstand a cyberattack? How sure are you?

Together with the SANS Institute, the Center for Internet Security created a list of Top 20 Critical Security Controls to protect organizations from cyberattacks. SecurityMetrics has created a new audit based on these Top 20 Security Controls.

How does the audit work?

The audit assesses these critical security controls and how your business is implementing them. Once the controls are assessed, a SecurityMetrics auditor will help your organization improve its cybersecurity posture.

SEE ALSO: Top 5 Security Vulnerabilities Every Business Should Know

SANS Top 20 Critical Security Controls

Want to know about these top security controls? Here’s a quick list.
  • CSC 1: Inventory of Authorized and Unauthorized Devices—Actively manage (inventory, track, and correct) all hardware devices on the network
  • CSC 2: Inventory of Authorized and Unauthorized Software—Actively manage (inventory, track, and correct) all software on the network
  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers—Establish, implement, and actively manage the security configuration of laptops, servers, and workstations
  • CSC 4: Continuous Vulnerability Assessment and Remediation—Continuously acquire, assess, and take action on new information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers
  • CSC 5: Controlled Use of Administrative Privileges—The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications
  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs—Collect, manage, and analyze audit logs of events to help detect, understand, or recover from an attack
  • CSC 7: Email and Web Browser Protections—Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems
  • CSC 8: Malware Defenses—Control the installation, spread, and execution of malicious code at multiple points in the enterprise
  • CSC 9: Limitation and Control of Network Ports, Protocols, and Services—Manage the ongoing operational use of ports, protocols, and services on networked devices to minimize windows of vulnerability available to attackers
  • CSC 10: Data Recovery Capability—The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it
  • CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches—Establish, implement, and actively manage the security configuration of network infrastructure devices
  • CSC 12: Boundary Defense—Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data
  • CSC 13: Data Protection—The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information
  • CSC 14: Controlled Access Based on the Need to Know—The processes and tools used to track/control/prevent/correct secure access to critical assets based on which persons, computers, and applications have a need and right to access
  • CSC 15: Wireless Access Control—The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANs), access points, and wireless client systems
  • CSC 16: Account Monitoring and Control—Actively manage the life cycle of system and application accounts to minimize opportunities for attackers to leverage them
  • CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps—For all functional roles in the organization, identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs
  • CSC 18: Application Software Security—Manage the security life cycle of all in-house developed and acquired software to prevent, detect, and correct security weaknesses
  • CSC 19: Incident Response and Management—Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure plan 
  • CSC 20: Penetration Tests and Red Team Exercises—Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker
Need an audit? Talk to us!

SecurityMetrics Guide to PCI DSS Compliance
7 PCI Compliance Tips for Small Businesses

Learn some easy solutions to your security problems.  

By: Zach Walker
When it comes to PCI compliance, small businesses have their own unique struggles with securing their data. While smaller businesses have less card data to process and store than large businesses, they have fewer resources and smaller budgets for security.

SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant

A lot of businesses also have difficulty implementing PCI requirements in a way that actually protects their data. Instead, many small businesses will treat PCI as a checklist and do the minimum, without thinking of applying it to data security.

These businesses also don’t fully leverage the standards and practices in the PCI DSS to improve and secure their environment. They’re more concerned with becoming PCI compliant than with becoming secure.
Here are 7 tips for small businesses to get PCI compliant and properly secure their data.

1. Create policies and procedures

Smaller businesses are often less likely to consistently follow established policies and procedures. Since they only have a handful of systems and few personnel with administrative access, they see following set policies as a waste of time.

However, written policies and procedures are what make it possible to verify that security controls are actually being followed.

  • Document all your policies and have them accessible to your employees
  • Scope out your environment and document what part of your environment needs to be secure 
  • Make sure your employees are all trained on these policies

2. Update documentation

Many small businesses often view change control and documented hardening standards as busywork. As a result, many small businesses rarely document their security controls, if they’re following them at all.

One way to simplify documentation for compliance is to set up a dedicated PCI email user or Active Directory account and add calendar reminders to it so that required security processes aren’t forgotten. Evidence collected from completing PCI compliance tasks can then be stored in this account.

This is a low/no-cost solution to help your employees keep PCI compliance on their minds throughout the year and provide you with all the evidence you need for assessments.

  • Document all changes to your security environment
  • Set up a regular schedule for documentation purposes
SEE ALSO: 5 Simple Ways to Get PCI Compliant

3. Train yourself and your employees

A big problem many small businesses have with PCI compliance is they don’t know all that much about security. Many business owners think they don’t need to worry about security, but it is something they should be worried about.

You’ll need to train yourself and your employees on your policies and make sure they understand PCI compliance as well as they should.

Employees need to be aware of their surroundings: a lot of things happen because they’re not paying attention. 77% of employees leave their computers unattended. Locking your screen when you step away immediately increases security.

  • Set up quarterly, if not monthly, training meetings for employees
  • Train employees to be aware of their surroundings and to follow procedures
  • Test your employees by hiring an ethical social engineer
SEE ALSO: Social Engineering Training: What Your Employees Should Know

4. Keep your systems up to date 

 There’s a reason vendors release new updates and patches for security vulnerabilities. This is critical for not just your computer, but the applications on the computer, any network hardware/firewalls, and any mobile devices you use. All systems and devices that are on your network need to be updated.

  • Subscribe to vendors’ patch/upgrade lists to stay current on the latest security patches
  • Establish a schedule to do security patching on a regular basis
  • Do vulnerability scanning to find security holes
SEE ALSO: Security Patches in Your Business: Complying with PCI Requirement 6.1

5. Change passwords regularly

This is a very simple change that costs nothing, and yet it is very helpful in keeping your data secure. Many hackers choose the easiest path to card data. If your network or systems have easy-to-guess or default passwords, you’re practically opening your business doors to hackers.

Set up policies for your employees and enforce rules to have passwords changed regularly. It’s recommended to change your password at least every 90 days, and to create new passwords that are at least seven characters in length and contain both alphabetic and numerical characters.

  • Make sure employees have unique passwords and usernames
  • Implement a policy where employees change their passwords regularly
  • Change all default passwords and usernames on your network and systems
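The rules above are concrete enough to check mechanically. The code below is an added example (not part of Zach Walker's post) that encodes them: composition and default-credential checks that run when a password is set, since that is the only moment the cleartext is legitimately in hand, and a periodic review over stored account metadata that catches overdue rotation and shared usernames. The default-credential list, the sample accounts and the review date are constructed.

```python
"""Added example: password policy checks matching the post's rules
(7+ characters, letters and digits, 90-day rotation, no defaults, unique usernames).
The default-credential list and all sample accounts are constructed."""
from datetime import date
from typing import Dict, List

MIN_LENGTH = 7
MAX_AGE_DAYS = 90

# Constructed stand-ins for vendor defaults. A real deployment would build this
# from the documentation of the devices and applications it actually runs.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "toor")}


def composition_violations(password: str) -> List[str]:
    """Length and character-class rules from the post."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric characters")
    return problems


def set_time_violations(username: str, password: str) -> List[str]:
    """Checks to run when a password is set or changed."""
    problems = composition_violations(password)
    if (username.lower(), password) in KNOWN_DEFAULTS:
        problems.append("vendor default credentials")
    return problems


def rotation_overdue(last_changed: date, today: date) -> bool:
    return (today - last_changed).days > MAX_AGE_DAYS


def review_accounts(accounts: List[dict], today: date) -> Dict[str, List[str]]:
    """Periodic review over account metadata (no passwords needed): flags
    overdue rotation and usernames shared by more than one person."""
    findings = {}
    for acct in accounts:
        problems = []
        if rotation_overdue(acct["last_changed"], today):
            problems.append(f"password older than {MAX_AGE_DAYS} days")
        if len(acct["holders"]) > 1:
            problems.append(f"username shared by {len(acct['holders'])} people")
        if problems:
            findings[acct["username"]] = problems
    return findings


# Constructed account inventory and review date.
SAMPLE_ACCOUNTS = [
    {"username": "admin", "last_changed": date(2016, 1, 1), "holders": ["it-manager"]},
    {"username": "pos1", "last_changed": date(2016, 5, 1), "holders": ["alice", "bob"]},
    {"username": "bookkeeper", "last_changed": date(2016, 4, 15), "holders": ["carol"]},
]
REVIEW_DATE = date(2016, 6, 1)

if __name__ == "__main__":
    print("setting admin/admin:", set_time_violations("admin", "admin"))
    for user, problems in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user, "->", "; ".join(problems))
```

Keeping the review separate from the set-time check means the scheduled audit never needs access to passwords, only to the last-changed dates and the list of who uses each account.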
SEE ALSO: How to Do Passwords Right: Password Management Best Practices

6. Only store card data that’s necessary

Did you know that 61% of users have unencrypted card data on their systems? You should never store unencrypted credit card data on your environment.

A good way to simplify your PCI compliance is limiting how much card data you store. The less data you store, the less time and resources you have to devote to securing that data.
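You can only limit the card data you store if you know where it already sits. As an added example (not code from Zach Walker's post or from SecurityMetrics' own discovery tooling), here is a minimal card-data discovery pass: it scans text for 13- to 19-digit sequences, keeps only those that pass the Luhn check, and reports each hit by file and line with the number masked to its first six and last four digits. The sample files are constructed, and the card numbers in them are publicly known test numbers, not real cards.

```python
"""Added example: scan text for stored primary account numbers (PANs).
Sample files are constructed; card numbers are public test numbers."""
import re
from typing import Dict, List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit validation; filters out most non-card numeric runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in the text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of file name -> contents; report only files with hits."""
    report = {}
    for name, content in files.items():
        hits = find_pans(content)
        if hits:
            report[name] = hits
    return report


# Constructed files: an export with two stored PANs, a note whose 16-digit
# invoice number fails Luhn, and a config file with no candidates at all.
SAMPLE_FILES = {
    "orders_2015.csv": (
        "order_id,card,amount\n"
        "1234567890123,4111 1111 1111 1111,49.99\n"
        "1234567890124,5555555555554444,12.00\n"
    ),
    "notes.txt": "Call back at 801-555-0100 re: invoice 4111111111111112\n",
    "config.ini": "timeout=30\nretries=3\n",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for line_no, masked in hits:
            print(f"{name}:{line_no}: {masked}")
```

The Luhn filter is what keeps the scan useful: order numbers and invoice references of the right length show up as candidates but are dropped, so what remains is worth a human look and, where it is unencrypted stored card data, worth deleting.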


7. Get help from an expert! 

If you have a PCI program with a provider, like SecurityMetrics, use their support! Talk to somebody about compliance and get help where you’re struggling. In most cases, that’s a free call. Take advantage of your provider’s support team, since they can help you with any questions you have about PCI.

If you don’t have a PCI program, there are a number of resources from the PCI Council, and other experts that can help you figure out what your business needs to do to become PCI compliant.

  • If you have a QSA, get help from them year-round
  • Look up security blogs and articles for tips on best security practices
Need help in getting compliant? Let’s see how you’re doing. 

Remember, getting PCI compliant and securing your data is worth the trouble, and it can save your business in the long run.

Zach Walker is the Director of Technical Support at SecurityMetrics and has been with the company for over 6 years. He has worked in the IT/security field for over 10 years, and has A+, Network+, Security+, CISSP, and ASV certifications. He is currently pursuing a bachelor’s degree in IT Security.

What are Service Provider Levels and How Do They Affect PCI Compliance?

Service providers’ PCI requirements can be different, depending on their levels. 

If you’re a service provider, you may have some different PCI requirements based on what level you are. PCI requirements for service providers vary based on the volume of annual transactions that you store, process, or transmit.

So what level service provider are you? And how do you find out? Here is some basic information on service providers, their levels, and what PCI requires of them.

SEE ALSO: How do Merchant Levels Determine PCI Compliance?

What is a service provider?

Let’s start by defining what a service provider is. This is a business entity that isn’t a payment brand, and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities.

Similar to merchants, service providers have a couple of different levels based on the volume of transactions they handle annually.
Let’s take a look at the different service provider levels.

Level 1 Service Provider

These are service providers that store, process, or transmit more than 300,000 credit card transactions annually.

PCI Requirements
Note: receiving a ROC and validating as a Level 1 Service Provider allows you to be on Visa’s Global Registry of Approved Service Providers. For many organizations, listing with Visa and other card brands is a powerful marketing tool.

Level 2 Service Provider

These are service providers that store, process, or transmit less than 300,000 credit card transactions annually.
PCI Requirements
  • Annual Self-Assessment Questionnaire (SAQ) D
  • Quarterly network scan by ASV
  • Penetration Test
  • Internal Scan
  • AOC Form
Note: occasionally, a Level 2 Service Provider will be asked by its partners, clients, integration partners, etc. to validate compliance as a Level 1 with a QSA onsite assessment. Level 2 Service Providers will also sometimes choose to validate as a Level 1 in order to be on Visa’s Global Registry of Approved Service Providers.

Tips to get PCI compliant 

No matter what level of service provider you may be or how many cards you process, you need to make sure you’re protecting your data and you’re compliant with all of your PCI requirements.

Here are a few tips to help you get PCI compliant:
  • Talk with a PCI professional: PCI compliance can get a little complex. Talk to a Qualified Security Assessor (QSA) to see which elements of the PCI DSS your business needs to focus on.
  • Understand your PCI scope: create a diagram that tracks where card data moves in and out of your network. This will help you determine which areas of your business environment need to be secured.
  • Document everything: proper documentation of your policies and procedures will help you prove PCI compliance and stay organized in your data security efforts.
Want to know more about getting PCI compliant? Read our SecurityMetrics Guide to PCI DSS Compliance.
