Requirement 1: Install and maintain a firewall

Install and maintain a firewall and router configuration to protect cardholder data

Firewalls are devices that control the network traffic allowed into and out of an organization's network, and into sensitive areas within its internal network. Routers are hardware or software that connect two or more networks.

Section  PCI Requirement  Comments

1.1  Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data (including wireless); that use various technical settings for each implementation; and stipulate a review of configuration rule sets at least every six months.
1.1.1  A formal process for approving and testing all network connections and changes to the firewall and router configurations.
1.1.2  Current network diagram with all connections to cardholder data, including any wireless networks.
       Comments: Refer to Recommended Layout and adapt as necessary.
1.1.3  Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
1.1.4  Description of groups, roles, and responsibilities for logical management of network components.
1.1.5  Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
1.1.6  Requirement to review firewall and router rule sets at least every six months.
1.2  Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.
       Comments: Firewall rules.
1.2.1  Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
1.2.2  Secure and synchronize router configuration files.
1.2.3  Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
       Comments: Refer to venue LAN setup.
1.3  Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.3.1  Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment.
1.3.2  Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3  Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.4  Do not allow internal addresses to pass from the Internet into the DMZ.
1.3.5  Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.
1.3.6  Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
1.3.7  Place the database in an internal network zone, segregated from the DMZ.
1.3.8  Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies, for example port address translation (PAT).
1.4  Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet that are used to access the organization's network.
       Comments: May be required when updating TM.
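As an added illustration of how 1.2 and 1.3 translate into an actual rule set, the following nftables configuration implements a three-legged firewall (Internet, DMZ, cardholder data environment). It is example code written for this page, not the organization's own configuration and not part of the PCI DSS text; the interface names, the 10.10.x.x RFC 1918 ranges, the host addresses, the admin host and the ports are all assumptions chosen for the example and must be replaced by, and documented against, the organization's own 1.1.5 inventory.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original page). Every interface name,
# address and port below is an assumption for illustration only.
flush ruleset

define WAN       = eth0                 # Internet-facing interface
define DMZ       = eth1                 # DMZ segment
define CDE       = eth2                 # cardholder data environment
define DMZ_NET   = 10.10.1.0/24         # RFC 1918 space (1.3.8)
define WEB_DMZ   = 10.10.1.10           # public web tier in the DMZ
define APP_DMZ   = 10.10.1.20           # application tier in the DMZ
define PROXY_DMZ = 10.10.1.30           # outbound proxy/update host in the DMZ
define DB_CDE    = 10.10.2.30           # database, internal zone only (1.3.7)
define ADMIN_CDE = 10.10.2.5            # firewall management host (assumed)
define RFC1918   = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet pci {
    chain input {
        # Traffic addressed to the firewall itself: default deny (1.2).
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept    # stateful inspection (1.3.6)
        ct state invalid drop
        # Management only from one host inside the CDE.
        iif $CDE ip saddr $ADMIN_CDE tcp dport 22 accept
    }

    chain forward {
        # Transit traffic between zones: default deny (1.2, 1.2.1).
        type filter hook forward priority 0; policy drop;
        ct state established,related accept    # replies to allowed flows only (1.3.6)
        ct state invalid drop

        # 1.3.4: packets arriving from the Internet must never carry internal addresses.
        iif $WAN ip saddr $RFC1918 drop

        # 1.3.2: inbound Internet traffic only to DMZ addresses, only on the
        # documented ports (1.1.5). In the forward hook daddr is the post-DNAT address.
        iif $WAN oif $DMZ ip daddr $WEB_DMZ tcp dport { 80, 443 } accept

        # 1.3.1 / 1.3.3 / 1.3.7: the only path into the CDE is DMZ app tier -> database.
        # There is deliberately no rule with iif $WAN oif $CDE, nor the reverse.
        iif $DMZ oif $CDE ip saddr $APP_DMZ ip daddr $DB_CDE tcp dport 5432 accept

        # 1.3.5: the CDE may initiate connections only to DMZ addresses.
        iif $CDE oif $DMZ ip daddr $PROXY_DMZ tcp dport 3128 accept

        # Everything else, including CDE -> Internet, is logged and dropped.
        log prefix "pci-fw-drop: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish the DMZ web tier on the firewall's public address.
        iif $WAN tcp dport { 80, 443 } dnat to $WEB_DMZ
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # 1.3.8: hide DMZ RFC 1918 addresses behind the WAN address (NAT/PAT).
        oif $WAN ip saddr $DMZ_NET masquerade
    }
}
```

Load it with `nft -f` and confirm the active rules with `nft list ruleset`. Two points worth checking in review: the 1.3.5 wording used on this page is strict, so even DNS, time and update traffic from the CDE has to go through a DMZ host (the proxy rule above models that), and every `accept` line should map to an entry in the 1.1.5 port/protocol justification. Keeping the file under version control and diffing it at each six-month review is a straightforward way to evidence 1.1.6.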