PCI Certificate

PCI DSS & Network Devices

January 14, 2014 PCI Compliance

The PCI DSS requirements say a lot about network security so that cardholder data stays safe and protected while it is stored, transmitted and processed. How can we achieve the highest level of security through network devices? The PCI DSS requirements talk about installing and maintaining infrastructure devices such as firewalls, IPS, routers and switches. How are we going to make them secure?

We will start with access control. We have to prevent unauthorized access to the in-scope environment through these devices. There should be strict policies and procedures for accessing these devices and the data processing facilities. Two-factor authentication is an ideal solution for access to these devices. Stricter procedures should be implemented for access to the data processing facilities (physical access to the devices). All default passwords should be replaced with memorable but non-guessable strong passwords in the operational environment. Access to this equipment should be restricted to authorized persons, each with a unique user ID, so that their actions can be tracked. Apart from this, access to console and configuration ports must be restricted and controlled. All unnecessary ports and protocols should be disabled. Remote access to these devices should be encrypted, and filtering should be enabled on the gateways.

Implement strict policies and procedures for configuration changes and their management. As time passes we may require changes to the configuration of these devices, whether short term or permanent. The change request for a temporary change should state why it is needed and how long it needs to exist. Once that need has passed, the device should be brought back to its original configuration and this should be reported to the concerned authorities. Stay vigilant during this period so that the bad guys cannot exploit these changes to access cardholder data or interrupt operations. Always adhere to the standards for hardening these devices (NIST / IEEE). Keep up to date with the latest patches released by vendors: test them in the lab environment and bring them to the operational environment as early as possible, at most within one month.

As we know, the payment card industry is very sensitive and critical. Even a single minute mistake can take a financial institution into bankruptcy and a nation into financial crisis, so we have to keep ourselves vigilant at all times to make things safer and protected. Hopefully we can sleep better by taking all of these measures, though they are not the only ones. Whenever we have a new idea to make things better, experiment with it, make it foolproof, and implement it for a safer tomorrow.
