Perhaps the most important factor for a retailer to be PCI-DSS compliant is to implement and maintain a secure business network which properly controls access to, and the security management of, their data and processes. While PCI is concerned with protecting sensitive credit card data, these issues are important for securing any business network.
Firewall Protection and Network Segmentation
In modern computing, Internet access is no longer a luxury but a necessity. It is hard to imagine running a business without having access to the Internet simply for computer system updates, let alone for all the operational benefits of having instant access to the world. Of course, this is a two-way street, and once a computer is connected to the Internet, the world can potentially see, share or steal your data.
The first line of defense in protecting your network and sensitive customer information from hackers is a firewall which separates your business network from the Internet. As a firewall in a building is designed to prevent a structural fire from crossing a physical barrier and damaging an adjacent structure, a computer firewall similarly protects one network segment from another. A firewall is designed to permit authorized communications out of a network or network segment while restricting unauthorized inbound traffic. Just as a building's firewall has security doors that let only authorized people through, on the assurance that the doors are properly shut and secured behind them, a computer firewall allows traffic in and/or out through “ports” only for authorized processes and/or users.
A firewall can be either hardware, software or a combination of both. One common type of firewall is the router, which is a piece of hardware familiar to most of us and a good physical representation of how firewalls protect networks. Even when connecting to the Internet from our homes, most of us have a router that each computer connects to (either wired or wireless) and it, in turn, connects our home or business to the Internet.
Typically, a firewall protects a more trusted network from a less trusted network, such as protecting a trusted business network from networks that have no trust – such as the Internet. But even within a business network, firewalls can be used to segment computers that require higher security from those that require less. When configuring a network for PCI-DSS compliance, it is most important to segment the computers that process credit card transactions from other workstations that have broader business needs and do not need to be as secure.
PCI-DSS compliance requires that computers processing credit cards (Point of Sale workstations) be more restricted than other computers in a business network:
- While POS computers can be used to send emails, they should not receive emails. This is pretty logical as many computer viruses are spread through emails.
- Point of Sale workstations should not have open access to the Internet, again for protection from viruses. Of course, they can access secured sites using a secure connection if required for business purposes, such as authorizing credit cards or other secure websites required for approved business use.
- Point of Sale computers should only be used for business-approved purposes and must run PCI-DSS compatible software, including PA-DSS certified software and hardware for anything involved with processing credit card transactions.
Therefore, Point of Sale stations processing bankcards should be separated from the business network on a more secure and more highly trusted network. Using a firewall or router is a very effective and inexpensive way to accomplish this. Whereas the business network can be used to access the Internet and receive emails, the secure Point of Sale network can have a firewall that prohibits this type of traffic.
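The rules listed above translate into a short first-match policy for the Point of Sale segment: a few specific allows (card authorization over TLS, mail submission to the company relay), then named denies for inbound mail and inbound traffic of any kind, and a final deny for everything else the POS segment tries to reach. The following is an added example, not code from the original article or from any particular firewall product; it is a small evaluator that models that policy so the rule order can be checked against sample flows before it is typed into a real router or firewall. The subnets, the payment-gateway address, the mail-relay address and the port numbers are constructed assumptions.

```python
"""Added example, not code from the original article: a first-match policy
evaluator that models the POS-segment rules described in the text. The
subnets, the card-processor address, the mail relay and the port numbers
are constructed assumptions; replace them with your own values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed segments and hosts (assumptions, not from the article).
POS_NET = ip_network("10.10.20.0/24")                       # trusted Point of Sale segment
PAYMENT_GATEWAYS = frozenset({ip_address("203.0.113.10")})  # approved card processor
MAIL_RELAY = frozenset({ip_address("10.10.10.25")})         # internal relay, submission only

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    src: Optional[object] = None             # ip_network or frozenset of addresses; None = any
    dst: Optional[object] = None
    dports: Optional[FrozenSet[int]] = None  # None = any port
    proto: Optional[str] = None              # None = any protocol

def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field the rule constrains matches the flow.
    `in` covers both ip_network containment and frozenset membership."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return ((rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and (rule.dports is None or flow.dport in rule.dports)
            and (rule.proto is None or flow.proto == rule.proto))

# First-match policy for the POS segment. Specific allows come first, then
# named denies so a log entry can say which rule blocked the traffic; anything
# the list does not mention falls through to the default deny.
POS_POLICY: List[Rule] = [
    Rule("allow-card-auth", "allow", src=POS_NET, dst=PAYMENT_GATEWAYS, dports=frozenset({443})),
    Rule("allow-outbound-mail", "allow", src=POS_NET, dst=MAIL_RELAY, dports=frozenset({587})),
    Rule("deny-inbound-mail", "deny", dst=POS_NET, dports=frozenset({25, 110, 143, 993, 995})),
    Rule("deny-inbound-any", "deny", dst=POS_NET),
    Rule("deny-pos-to-internet", "deny", src=POS_NET),
]

def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else a default deny."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default-deny"

def allowed_flows(policy: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Evaluate a batch of flows and keep only those the policy permits, so a
    reviewer can confirm that nothing beyond the approved destinations passes."""
    permitted = []
    for flow in flows:
        action, name = evaluate(policy, flow)
        if action == "allow":
            permitted.append((flow, name))
    return permitted

if __name__ == "__main__":
    # Constructed sample flows to exercise the policy.
    samples = [
        Flow("10.10.20.5", "203.0.113.10", 443),   # POS -> card processor over TLS
        Flow("10.10.20.5", "198.51.100.7", 443),   # POS -> arbitrary Internet site
        Flow("10.10.10.25", "10.10.20.5", 25),     # inbound SMTP to a POS terminal
        Flow("10.10.10.3", "10.10.20.5", 3389),    # office workstation -> POS RDP
    ]
    for flow in samples:
        print(flow, "->", evaluate(POS_POLICY, flow))
```

Keeping the explicit `deny-inbound-mail` and `deny-inbound-any` rules is redundant with the default deny, but it pays off in operations: the rule name tells you at a glance whether a blocked connection was mail, an inbound attempt from the office segment, or a POS terminal trying to reach the open Internet.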
Approved and Up-to-Date Software
Of course, it is important that every computer on the network is maintained and up-to-date with the latest security updates and patches for the operating system (Windows Updates), Office programs (available through Microsoft Updates), and especially anti-virus and anti-spyware software.
All hardware and software involved with processing credit card transactions must be PA-DSS certified, and all software and hardware must be configured in a secure manner compliant with the PCI Data Security Standard.
Anti-Virus Protection
Maintaining up-to-date anti-virus and anti-malware software is critical for all PCs on a network. It is important to manage and maintain subscriptions and assure that updates and scans are performed on a regular and routine basis. It is also important to assure, through network rules and company policy, that users don’t disable these protections.
Controlling Rights and Permissions
Having all the right tools in place only works if the entire network is properly configured and maintained. It is important that access to various programs, and especially to sensitive data, only be made available to users and workstations based on their need. Implementing secure and complex passwords for the operating system and all software is an important first step, but it is just as important to make sure that unauthorized software isn't installed and that access isn't granted where it shouldn't be. You may have all the right passwords and security setup within an application, but if a savvy user gets access to the database through a backdoor utility, you may not be as well-protected as you think. File and database access needs to be managed and granted based on the needs of each user or user type.
It is important that all security policies be applied and maintained consistently across the network. When only a few computers are being used, they can be maintained individually. Utilizing a domain server and server management tools like Active Directory, Organizational Units and Group Policies can save time and provide for consistent and well-controlled security policies when many computers and/or users are involved.
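The "backdoor utility" problem above is usually a grant that was never compared against what the user's role actually needs. A periodic access review catches it: export the effective file and database grants (from Active Directory group membership, database roles, and the like), compare each one against a per-role baseline, and flag anything the baseline does not justify. The following is an added example, not code from the original article; it runs that comparison over a constructed grant list, rating direct database access outside the DBA role as high severity, and also lists users who are missing something their role requires, which is often the sign that someone was given raw access instead of the application's own controlled path. The roles, resource names, permission names and grant records are all constructed assumptions.

```python
"""Added example, not code from the original article: review effective
file/database grants against a per-role baseline and report anything the
baseline does not justify. Roles, resources, permission names and the grant
records themselves are constructed assumptions."""
from typing import Dict, FrozenSet, List, Tuple

Grant = Tuple[str, str, str, str]   # (user, role, resource, permission)

# Constructed baseline: the only (resource, permission) pairs each user type
# needs. Cashiers and managers reach the database only through the POS
# application ("app-only"); direct SQL belongs to the DBA role alone.
BASELINE: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "cashier": frozenset({("pos_app", "execute"), ("pos_db", "app-only")}),
    "manager": frozenset({("pos_app", "execute"), ("pos_db", "app-only"), ("reports", "read")}),
    "dba":     frozenset({("pos_db", "direct-sql"), ("backups", "read")}),
}

# Permissions that bypass the application's own access controls. A grant of
# one of these outside the baseline is rated high.
HIGH_RISK = {"direct-sql", "admin"}

# Constructed effective grants, as they might be exported from AD groups and
# database roles.
GRANTS: List[Grant] = [
    ("alice", "cashier", "pos_app", "execute"),
    ("alice", "cashier", "pos_db", "app-only"),
    ("bob",   "cashier", "pos_app", "execute"),
    ("bob",   "cashier", "pos_db", "direct-sql"),     # bypasses the POS application
    ("carol", "manager", "pos_app", "execute"),
    ("carol", "manager", "pos_db", "app-only"),
    ("carol", "manager", "reports", "read"),
    ("dave",  "dba",     "pos_db", "direct-sql"),
    ("dave",  "dba",     "backups", "read"),
    ("dave",  "dba",     "workstation", "admin"),     # not part of the DBA baseline
    ("erin",  "intern",  "pos_app", "execute"),       # role nobody has defined
]

def review(grants: List[Grant], baseline: Dict[str, FrozenSet[Tuple[str, str]]]) -> List[dict]:
    """Return one finding per grant that the baseline does not justify."""
    findings = []
    for user, role, resource, perm in grants:
        needed = baseline.get(role)
        if needed is None:
            issue, severity = "role-not-in-baseline", "medium"
        elif (resource, perm) not in needed:
            issue = "exceeds-role-baseline"
            severity = "high" if perm in HIGH_RISK else "medium"
        else:
            continue
        findings.append({"user": user, "role": role, "resource": resource,
                         "perm": perm, "issue": issue, "severity": severity})
    return findings

def missing_grants(grants: List[Grant], baseline: Dict[str, FrozenSet[Tuple[str, str]]]):
    """List (user, role, missing pairs) for users who lack something their
    role needs; roles absent from the baseline are skipped."""
    held: Dict[Tuple[str, str], set] = {}
    for user, role, resource, perm in grants:
        held.setdefault((user, role), set()).add((resource, perm))
    gaps = []
    for (user, role), pairs in held.items():
        if role in baseline and baseline[role] - pairs:
            gaps.append((user, role, sorted(baseline[role] - pairs)))
    return gaps

if __name__ == "__main__":
    for finding in review(GRANTS, BASELINE):
        print(finding)
    for gap in missing_grants(GRANTS, BASELINE):
        print("missing:", gap)
```

Run against the constructed data, the review reports bob's direct SQL grant and dave's workstation admin right as high-severity excess, erin's undefined role as a medium finding, and shows that bob never received the app-only grant a cashier needs, which is exactly the pattern of a user who was handed a backdoor utility instead of the application.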