Build and Maintain a Secure Network

In the past, theft of financial records required a criminal to physically enter an organization’s business site. Now, many payment card transactions (such as debit in the U.S. and “chip and pin” in Europe) use PIN entry devices and computers connected by networks. By using network security controls, organizations can prevent criminals from virtually accessing payment system networks and stealing cardholder data.

Requirement 1: Install and maintain a firewall

Install and maintain a firewall and router configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network.

A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.

Section PCI Requirement Comments Provided by Artsman Cloud
1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data (including wireless); that use various technical settings for each implementation; and stipulate a review of configuration rule sets at least every six months. You will need a hardware router to protect your network.

However, if you need to set up firewalls on computers themselves, the built in firewall on windows is very flexible. On OSX, do not manage the built in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the OSX PF firewall.

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks Refer to Recommended Network Diagram and adapt as neccessary N/A
1.1.3 Current diagram that shows all cardholder data flows across systems and networks Refer to cardholder flow N/A
1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone Refer to NGINX Server setup to describe DMZ with one or two router situation. SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.1.5 Description of groups, roles, and responsibilities for logical management of network components   YES
1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure

Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

Refer to Firewall rules for purpose of ports that are open. YES
1.1.7 Requirement to review firewall and router rule sets at least every six months   YES
1.2 Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.

Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

Refer to Firewall rules to see the ports to open. YES
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.   YES
1.2.2 Secure and synchronize router configuration files.   YES
1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. refer to venue lan setup. Wireless is not to be used in the Theatre Manager LAN segment and should be setup carefully on another separate, isolated VLAN SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.   YES
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports   YES
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.   YES
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3.4 Implement anti-spoofing measures to detect and block forged source IP address from entering the network.

(For example, block traffic originating from the internet with internal source addresses).

Use commercial grade firewall YES
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. Implement specific permissions as per the firewall rules SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.) Use commercial grade firewall YES
1.3.7 Place the components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. This is generally interpreted to mean:
  • The web server should be on its own machine or VM so that it can, in effect, be sacrificed if hacked. It should have really tight firewall rules managing traffic into the device and out to ONLY the web lsitener on specific ports
  • The database and web listeners could be on the same machine as long as access to each is carefully managed with appropriate firewall rules and they are not exposed to traffic from the the main firewall appliance directly
1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

Note: Methods to obscure IP addressing may include, but are not limited to:

  • Network Address Translation (NAT)
  • Placing servers containing cardholder data behind proxy servers/firewalls or content caches
  • Removal or filtering of route advertisements for private networks that employ registered addressing
  • Internal use of RFC1918 address space instead of registered addresses.
1.4 Install personal firewall software on any mobile and/or employee-owned computers that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the organization's network.

Firewall configurations include:

  • Specific configuration settings are defined for personal firewall software
  • Personal firewall software is actively running
  • Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
These days, alll computers have one - it just needs enabled. SPLIT
  • Artsman: YES
  • Customer: Enable Firewall on Workstations
1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.   YES

Requirement 2: Change Vendor Passwords

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

The easiest way for hackers to access your internal network is to try default passwords or exploits based on default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings when they deploy the software. This is the same as leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices are widely known. This information, combined with hacker tools showing them what devices are on your network, can make unauthorized entry a simple task – if you have failed to change the defaults.

Section PCI Requirement Comments Provided by Artsman Cloud
2.1 Always change vendor-supplied defaults and remove or disable unneccessary default accounts before installing a system on the network

This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocl (SNMP), community strings, etc.

Change the Master User password when setting up the system.

Change any other vendor supplied passwords as described.

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Theatre Manager does NOT needs wifi for operation. Refer to venue lan setup for network diagram and what to do when placing wireless devices is a separate VLAN NO
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted hardening standards.

Sources of industry-accepted system hardening standards may include, but are not limited to:

Arts Management regularly reviews industry information and implements the latest components and security patches in installers as soon as possible. SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. For example, web servers, database servers and DNS servers should be on separate servers.

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

Refer to Network Diagram for components. Also, refer to postgres setup on windows servers YES
2.2.2 Enable only necessary and secure services, protocols, daemons, etc., as required for the function of the system. refer to Disable SNMP service on Practical Automation Ticket Printers SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations

Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, TLS, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.

Note: SSL, TLS 1.0 and TLS 1.1 are not considered strong cryptography and cannot be used as a security control after June 30, 2016.

Effective immediately, new implementations must use TLS 1.2 or later.

POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after June 30, 2016.

The NGINX Server config disables all SSL protocols and enables only TLS 1.2

Theatre Manager will connect to service providers using the latest TLS that they support and have been verified to connect via TLS 1.2 when available.

2.2.4 Configure system security parameters to prevent misuse   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
2.3 Encrypt all non-console administrative access such as browser/web-based management tools. Use technologies such as SSH, VPN, or TLS for web-based management and other non-console administrative access. Theatre manager does not provide or require web based management tools

We suggest that customer use RDC, Teamviewer or equivalent internally for remote access management.

and that strong security be implemented similar to the password requirements for PCI compliance and use of SSH or VPN's for conection
2.4 Maintain an inventory of system components that are in scope for PCI DSS For Theatre Manager, this includes You may need to include other point of sale terminals that you obtained from your bank. N/A
2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.   NO
2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meed specific requirements as detailed in Appendix A: "Additional PCI DSS Requirements for Shared Hosting Providers." Not Applicable. Theatre Manager is not typically installed in a shared environment. N/A