A router (with DMZ and VLAN capability) and two subnets are required within the office to implement PCI compliance. These can be reasonably priced, such as the GUI-configurable
Cisco/Linksys RV082 VPN Firewall (approx. $260 in 2010 prices), or cost more if you want more features. Please check
www.techsoup.com if you are a not-for-profit organization, as they have full Cisco routers that you may be eligible to purchase at a discount.
We do not recommend a router/firewall without at least DMZ capability if you are doing web sales. However, it is possible to implement full PCI compliance with two routers. Please refer to the Apache Server section for more information.
Your firewall needs to restrict connections between untrusted networks and any system components in the cardholder environment (PCI requirement 1.2).
- The router must be a dedicated device, preferably a hardware router. If it is a software router, such as one built on Linux, then it must be used only for this purpose and contain no other services.
- It should be configured to shut down all incoming and outgoing ports except those required for business, as follows.
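
One way to check a rule table against the two requirements above, as an added example that is not part of the original page and is not the page's own port list. The zone names (`internet`, `dmz`, `chd`, `office`), the ports and the approved-flow set are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Zone names are assumptions for this example, not taken from the page.
UNTRUSTED = {"internet", "any"}   # "any" includes untrusted sources
CARDHOLDER = {"chd", "any"}       # "any" includes the cardholder subnet

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: object   # int or "any"
    action: str    # "allow" or "deny"

DENY_ALL = Rule("any", "any", "any", "deny")

def audit(rules, approved):
    """Review every allow rule in an ordered rule table.

    approved is the set of (src, dst, port) flows documented as required
    for business. Returns (rule_index, finding_code) tuples; index is None
    for table-level findings. Rule shadowing is not evaluated.
    """
    findings = []
    if not rules or rules[-1] != DENY_ALL:
        findings.append((None, "missing-final-deny-all"))
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src in UNTRUSTED and r.dst in CARDHOLDER:
            findings.append((i, "untrusted-to-cardholder"))
        elif (r.src, r.dst, r.port) not in approved:
            findings.append((i, "not-business-approved"))
    return findings

# Constructed sample data: flows and ports are illustrative only.
APPROVED = {("internet", "dmz", 443), ("dmz", "chd", 3306)}
WEAK = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "chd", 3306, "allow"),
    Rule("internet", "chd", 3389, "allow"),      # direct path into cardholder subnet
    Rule("office", "internet", "any", "allow"),  # wildcard outbound
]
HARDENED = WEAK[:2] + [DENY_ALL]

if __name__ == "__main__":
    for name, table in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(table, APPROVED))
```
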