TABLE OF CONTENTS
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Theft of financial records previously required that criminals have physical access, but these days everything is connected by networks. Modern criminals can reach payment system networks remotely, so setting up proper security is what provides the protection.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- What is a firewall?
- These are devices that control the computer traffic allowed into and out of an organization's network.
- What is involved in setting up this requirement?
- Establish and implement firewall and router configuration standards that formalize testing when changes are made.
- Build firewall and router configurations that restrict all traffic from "untrusted" networks and hosts.
- Deny all traffic that does not involve the protocols required for the cardholder data environment.
- Prohibit direct public access between the Internet and system components linked to the cardholder data environment.
- Install personal firewall software or equivalent functionality on all devices (company and/or employee owned) that will connect to outside networks.
- Example: employee laptops
- Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
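The points above (default deny, only the CDE protocols, no direct public path into the cardholder data environment) can be checked mechanically against a firewall ruleset before it is pushed. The script below is an added example written for this guide, not code from ezsoftpos or from the PCI DSS standard; the network ranges, the allowed port set and the sample rules are all constructed values, and a real deployment would load the ruleset from the firewall's own export instead.

```python
"""Added example: audit a firewall ruleset against the Requirement 1 points.
Zones, ports and rules below are constructed sample values, not a real site."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

# Constructed zones (assumed addressing for illustration only)
ANY = ip_network("0.0.0.0/0")           # "untrusted": the Internet / anything
DMZ = ip_network("192.0.2.0/24")        # hosts allowed to face the Internet
CDE = ip_network("198.51.100.0/24")     # cardholder data environment

# Protocols the (constructed) CDE configuration standard permits inbound
CDE_ALLOWED_PORTS = {443, 22}


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None means "any port"
    action: str           # "allow" or "deny"


def is_untrusted(net: IPv4Network) -> bool:
    """A source is untrusted unless it lies wholly inside a trusted zone."""
    return not (net.subnet_of(DMZ) or net.subnet_of(CDE))


def audit(rules: List[Rule]) -> List[str]:
    """Return one human-readable finding per violated requirement point."""
    findings: List[str] = []
    for i, r in enumerate(rules):
        # Only allow rules that can reach the CDE need scrutiny
        if r.action != "allow" or not r.dst.overlaps(CDE):
            continue
        # No direct access between untrusted networks and the CDE
        if is_untrusted(r.src):
            findings.append(
                f"rule {i}: direct access from untrusted network {r.src} "
                f"into CDE {r.dst}")
        # Only the protocols in the CDE standard may enter the CDE
        if r.port is None or r.port not in CDE_ALLOWED_PORTS:
            shown = "any" if r.port is None else r.port
            findings.append(
                f"rule {i}: port {shown} into CDE is not in the CDE "
                f"standard {sorted(CDE_ALLOWED_PORTS)}")
    # Everything not explicitly allowed must be denied by a final catch-all
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == ANY
                            and last.dst == ANY and last.port is None):
        findings.append("ruleset does not end with an explicit deny-all rule")
    return findings


# Constructed rulesets: one that fails the requirement, one that passes
WEAK_RULES = [
    Rule(ANY, DMZ, 443, "allow"),
    Rule(ANY, CDE, 3389, "allow"),   # remote admin straight from the Internet
    Rule(DMZ, CDE, None, "allow"),   # every port, not just the CDE protocols
]                                    # ...and no deny-all at the end
HARDENED_RULES = [
    Rule(ANY, DMZ, 443, "allow"),
    Rule(DMZ, CDE, 443, "allow"),
    Rule(ANY, ANY, None, "deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit(rules) or ['no findings']}")
```

The check deliberately treats any source that is not wholly inside a trusted zone as untrusted, so a rule written with a broad source such as 0.0.0.0/0 is caught even when it is narrower than "everything".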
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Why is this important?
- The easiest way for a hacker to access systems is to try default passwords and/or exploits against the default system software within the payment card infrastructure. This is similar to leaving your business doors unlocked when going home for the night. Default passwords and settings are widely known because the manufacturers' documentation for them is publicly available. Combining this knowledge with hacker tools creates opportunities for hackers to easily compromise a system.
- What is involved in setting up this requirement?
- Always change all vendor-supplied defaults and remove or disable unnecessary default accounts before installing any system on the network.
- Develop configuration standards for all system components that address all known security vulnerabilities and are consistent with industry-accepted definitions.
- Using strong cryptography, encrypt all non-console administrative access.
- Maintain an inventory of system components that are in scope for PCI DSS.
- Ensure that related security policies and operational procedures are documented.
- Shared hosting providers must protect each entity's hosted environments and customer data.
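The inventory point and the default-account and encrypted-admin-access points above fit naturally together: once each in-scope component is recorded with its accounts and administrative services, the record can be audited for leftover vendor defaults and cleartext admin protocols. The script below is an added example for this guide, not ezsoftpos code or a tool from the PCI DSS standard; the component names, account flags and service lists are constructed sample data, and the `required` and `credential_rotated` fields are assumptions about what the provisioning checklist records.

```python
"""Added example: audit a constructed component inventory against the
Requirement 2 points (defaults changed, unnecessary default accounts
disabled, non-console admin access encrypted). All data is sample data."""
from typing import Dict, List

# Protocols accepted as strong-cryptography admin channels in this example
ENCRYPTED_ADMIN_PROTOCOLS = {"ssh", "https"}

# Constructed inventory; "required"/"credential_rotated" are assumed fields
COMPONENTS = [
    {"name": "pos-terminal-01", "in_scope": True,
     "accounts": [
         {"user": "admin", "vendor_default": True, "enabled": True,
          "required": True, "credential_rotated": False},
         {"user": "guest", "vendor_default": True, "enabled": True,
          "required": False, "credential_rotated": False}],
     "admin_services": ["telnet", "http"]},
    {"name": "pos-terminal-02", "in_scope": True,
     "accounts": [
         {"user": "admin", "vendor_default": True, "enabled": True,
          "required": True, "credential_rotated": True},
         {"user": "guest", "vendor_default": True, "enabled": False,
          "required": False, "credential_rotated": False}],
     "admin_services": ["ssh", "https"]},
    {"name": "marketing-web-01", "in_scope": False,   # outside the CDE
     "accounts": [], "admin_services": ["http"]},
]


def audit_component(component: dict) -> List[str]:
    """Findings for one system component; empty list means it passes."""
    findings: List[str] = []
    for acct in component["accounts"]:
        # Only enabled vendor-default accounts are a concern
        if not acct["vendor_default"] or not acct["enabled"]:
            continue
        if not acct["required"]:
            findings.append(
                f"unnecessary default account '{acct['user']}' is still enabled")
        elif not acct["credential_rotated"]:
            findings.append(
                f"default account '{acct['user']}' still uses its "
                f"vendor-supplied credential")
    for svc in component["admin_services"]:
        # Non-console administrative access must use strong cryptography
        if svc not in ENCRYPTED_ADMIN_PROTOCOLS:
            findings.append(f"administrative access via {svc} is not encrypted")
    return findings


def audit_inventory(components: List[dict]) -> Dict[str, List[str]]:
    """Audit every in-scope component; out-of-scope entries are skipped."""
    return {c["name"]: audit_component(c) for c in components if c["in_scope"]}


if __name__ == "__main__":
    for name, findings in audit_inventory(COMPONENTS).items():
        print(f"{name}: {findings or ['no findings']}")
```

Keeping the scope flag on each inventory entry is what lets the same audit double as the in-scope inventory called for above: anything marked in scope is checked, and anything not marked is visibly excluded rather than silently forgotten.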
Additional Resources and Help!
Still have questions? Please contact us any time at support@ezsoftpos.com.
NOTE: If emailing, please include your business name in the subject line of the email
and provide your preferred contact information for the best response time.
Visit our Help Center for more guides and tutorials.