[PCI DSS 1.x] 1.1 Establish firewall and router configuration standards that include the following

pcinetwork · March 18, 2007, 6:40am

1.1 Establish firewall and router configuration standards that include the following:

[ul]
[li] 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations[/li][li] 1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks[/li][li]1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone[/li][li] 1.1.4 Description of groups, roles, and responsibilities for logical management of network components[/li][li] 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure[/li][/ul]

kkshaan · August 5, 2008, 6:14pm

is there any standard configuration for firewall that PCI DSS recommend

tim_holman · August 9, 2008, 11:51am

Pull out all of section 1, put it into a Word document, and structure a policy, procedure and configuration standards that address all points.
A ‘standard’ will be unique for each organisation - it will say ‘our firewall of choice is Cisco PIX (for example) and we set it up like this…’. Just make sure it addresses all points in section 1, otherwise it’s not going to meet the standard

kurtbel · April 19, 2010, 2:48pm

Web Application Firewall Evaluation Criteria Response Matrix

( http://www.webappsec.org )

There you can find an spreadsheet for Firewall verifications

Regards,

Kurt

hunter8br · November 11, 2010, 10:09am

Thanks for the information.Can you please tell me how they control traffic i want the detail information about that

Ritik · March 16, 2011, 6:32am

Requirement 1 PCI DSS

According to Requirement 1 of PCI DSS -
One should Interview network and security operations staff to check for basic security measures that are taken during network setup and subsequent changes.
So what kind of questions should you be asking??

kkiani · March 30, 2011, 6:57am

Can someone explain why system availability a PCI concern? Meaning, if a system becomes unavailable due to a denial of service attack, how can that result in the compromise of card holder data. What are the security threats and attack vectors here?

imran2 · May 5, 2011, 6:30am

Question

we are taking the information of credit card in our website and send it to yourpay or paypal (for processing) does we need to fullfill the requirements of a PCI DSS

TechGuru · May 16, 2011, 10:45pm

At the very least you will probably have to fill out Self-Assessment Questionaire A (SAQ-A) for PCI-DSS. SAQ-A is only 13 questions and much easier to complete than any other PCI compliance requirement.

To qualify for SAQ-A: Your website shopping cart must be linked to PayPal for capturing CC information and the subsequent processing and payment settlement; also you cannot be capturing or storing any credit card authorization data (CC#, Expiry date, CVC) on your webserver