IT-6 Standard for Configuration of Routers and Firewalls on Networks Processing Cardholder Data
This document establishes a formal standard for the installation and configuration of firewalls and routers within Cardholder Data Environments (CDEs) and outlines the related requirements specified in the Payment Card Industry Data Security Standards (PCI DSS) that must be implemented in all UMD network infrastructures that process cardholder data.
The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirement 1.
This standard applies to all UMD IT elements that are attached to a Cardholder Data Environment network. All systems processing cardholder data (the full Primary Account Number, or the full PAN plus any of the following: cardholder name, expiration date, service code, information from the magnetic stripe or card chip, and/or Personal Identification Number) must only be connected to a designated CDE network.
It is critical to design and maintain a secure network infrastructure where cardholder data can be processed and stored. The requirements in this standard cover the configuration of the routers and firewalls used to protect the CDE.
- Establish firewall and router configurations to protect Cardholder Data Environments such that:
  - All changes to firewall or network configurations are formally documented and retained for future examination;
  - For each CDE, there must be a network diagram documenting the systems and devices that are attached to that network;
  - Create a data-flow diagram that shows all cardholder data movement across systems and networks. Involve card processing personnel. Update as needed based upon changes in systems or processes;
  - There must be firewalls in place at the boundaries of the CDE and between the DMZ and untrusted networks (i.e., non-CDE networks). Document groups, roles, and responsibilities for management of network components;
  - Configure firewalls to block access to all systems and system ports except for those identified in the data-flow diagrams. The justification for each exception must be documented;
  - The rule sets for firewalls and routers must be reviewed at least every six months. Document each review.
- Examine and document firewall and router configurations to ensure the following:
  - Verify that the configurations identify inbound and outbound traffic necessary for the cardholder data environment;
  - Verify that the configurations are secured from unauthorized access;
  - Verify that running and stored configurations are synchronized;
  - Verify that there are perimeter firewalls installed between all wireless networks and the cardholder data environment.
- Examine firewall and router configurations and perform the following to ensure that there is no direct access between the Internet and system components in the cardholder data environments:
  - A DMZ must be implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports;
  - Verify that inbound Internet traffic is limited to IP addresses within the DMZ;
  - Verify that anti-spoofing measures are implemented, for example, internal addresses cannot pass from the Internet into the DMZ;
  - Verify that outbound traffic from the cardholder data environment to the Internet is explicitly prohibited;
  - Verify that firewalls permit only established connections into the CDE;
  - Verify that cardholder data is not stored within the DMZ (which is external to the CDE);
  - Verify that private IP addresses and routing information are not exposed to unauthorized parties.
- Install personal firewall software on all portable devices that connect to the Internet when outside the network (for example, laptops used by employees) and that are also used to access the CDE. End-users cannot alter the configuration of the firewall.
- Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
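
As an added illustration (not part of the UMD standard or of PCI DSS), the traffic checks in the list above (inbound Internet limited to the DMZ, anti-spoofing, no outbound CDE-to-Internet traffic, established-only connections into the CDE) can be run as probe packets against a rule set during a review. The first-match, default-deny rule model, the interface names and the documentation-range addresses are assumptions constructed for this example.

```python
import ipaddress as ip
from collections import namedtuple

# Simplified rule model (assumption): first match wins, default deny.
Rule = namedtuple("Rule", "action iface src dst state")
Packet = namedtuple("Packet", "iface src dst state")

def first_match(rules, pkt):
    """Return the action of the first rule matching pkt, or "deny"."""
    for r in rules:
        if (r.iface in ("any", pkt.iface)
                and r.state in ("any", pkt.state)
                and ip.ip_address(pkt.src) in ip.ip_network(r.src)
                and ip.ip_address(pkt.dst) in ip.ip_network(r.dst)):
            return r.action
    return "deny"

# Constructed address plan: DMZ 192.0.2.0/28, CDE 10.20.0.0/24,
# Internet host 203.0.113.9. Each probe is (check, packet, expected action).
PROBES = [
    ("inbound Internet limited to DMZ", Packet("outside", "203.0.113.9", "10.20.0.5", "new"), "deny"),
    ("anti-spoofing on Internet side", Packet("outside", "10.20.0.7", "192.0.2.4", "new"), "deny"),
    ("no outbound CDE to Internet", Packet("cde", "10.20.0.5", "203.0.113.9", "new"), "deny"),
    ("only established into CDE", Packet("dmz", "192.0.2.4", "10.20.0.5", "new"), "deny"),
    ("established traffic into CDE works", Packet("dmz", "192.0.2.4", "10.20.0.5", "established"), "allow"),
    ("public DMZ service reachable", Packet("outside", "203.0.113.9", "192.0.2.4", "new"), "allow"),
]

def audit(rules):
    """Return the names of the checks that the rule set fails."""
    return [name for name, pkt, want in PROBES if first_match(rules, pkt) != want]

WEAK = [
    Rule("allow", "outside", "0.0.0.0/0", "192.0.2.0/28", "new"),  # also admits spoofed 10.x sources
    Rule("allow", "dmz", "192.0.2.0/28", "10.20.0.0/24", "any"),   # new connections into the CDE
    Rule("allow", "cde", "10.20.0.0/24", "0.0.0.0/0", "any"),      # CDE can reach the Internet
]
HARDENED = [
    Rule("deny", "outside", "10.0.0.0/8", "0.0.0.0/0", "any"),     # internal sources never arrive from outside
    Rule("allow", "outside", "0.0.0.0/0", "192.0.2.0/28", "new"),
    Rule("allow", "cde", "10.20.0.0/24", "192.0.2.0/28", "new"),   # CDE initiates to the DMZ only
    Rule("allow", "dmz", "192.0.2.0/28", "10.20.0.0/24", "established"),
]

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

The probes only exercise the packets listed, so a clean result supports a documented rule-set review rather than replacing it.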
NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.