PCI DSS Requirement 1: Install and Maintain Network Security Controls
Requirement 1 of the Payment Card Industry Data Security Standard (PCI DSS) is to “Install and Maintain Network Security Controls”. It is designed to help merchants protect cardholder data, since this data is inherently valuable and more vulnerable to attack than other data types.
Therefore, organizations must segment this data away from other information in a system by creating a Cardholder Data Environment (CDE). The CDE gives organizations and assessors a solid foundation on which to build the other 11 requirements.
To create a CDE, PCI requires a combination of firewalls and network segmentation to control transmission of cardholder data between an organization’s networks (internal) and untrusted ones (external). In addition, documenting configurations, settings, and policies ensures future compliance for the CDE.
For additional details and specifics of Requirement 1, read on.
For additional details on all 12 of the Requirements, read our PCI DSS Requirements overview.
Requirement 1 Details and Sections
PCI DSS Requirement 1 has five sections in total: three requirements (with their testing procedures) carried over from PCI DSS v3.2.1, plus two more requirements added in PCI DSS v4.0.
The requirement sections are:
- Requirement 1.1: Processes and mechanisms for installing and maintaining network security controls (firewalls) are defined and understood.
- Requirement 1.2: Network security controls (NSCs) are configured and maintained.
- Requirement 1.3: Network access to and from the cardholder data environment is restricted.
- Requirement 1.4 (New to PCI DSS v4.0): Implement segmentation to isolate the CDE from other parts of the network.
- Requirement 1.5 (New to PCI DSS v4.0): Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
Requirement 1.1: Processes and mechanisms for installing and maintaining network security controls are defined and understood.
This section requires merchants to have network security controls (NSCs), most often in the form of firewalls, in place and configured to allow only authorized traffic into their network and their CDE. This includes traffic from payment processing systems as well as traffic from employees and customers.
- Requirement 1.1.2: Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.
- Requirement 1.2.1: Configuration standards for firewall rulesets are defined, implemented, and maintained, including the ability to filter traffic based on IP address, port number, and protocol, and to log all the traffic that passes through the firewall.
Requirement 1.2: Network security controls are configured and maintained.
The NSC (firewall) that routes traffic for the CDE must have rules in place designed to protect the CDE from unauthorized access. These rules must be reviewed and updated regularly to reflect any changes in the business environment, such as new integrations added to the ecosystem or new authorized users.
Requirement 1.3: Network access to and from the cardholder data environment is restricted.
Requirement 1.3 dictates that the firewall configuration and rules must be monitored and tested regularly for any changes that could impact the security of the CDE.
Defined approach requirements are as follows:
- Requirement 1.3.1: Inbound traffic to the CDE is restricted to only traffic that is necessary; all other traffic is specifically denied.
- Requirement 1.3.2: Outbound traffic from the CDE is restricted to only traffic that is necessary; all other traffic is specifically denied.
- Requirement 1.3.3: Firewalls are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that all traffic from wireless networks is denied by default and only authorized traffic is allowed into the CDE.
Requirement 1.4 (New to PCI DSS v4.0): Network connections between trusted and untrusted networks are controlled.
Requirement 1.4 states that merchants will need to implement a firewall configuration that isolates the cardholder data environment from other parts of their network. While this is simply good business practice, it will also help to protect cardholder data in the event of a breach of other systems.
Defined approach requirements include:
- Requirement 1.4.1: Firewalls are implemented between trusted and untrusted networks.
- Requirement 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted to communications with system components that are authorized to provide publicly accessible services, or responses to communications initiated by system components in a trusted network; all other traffic is denied.
- Requirement 1.4.3: Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.
- Requirement 1.4.4: System components that store cardholder data are not directly accessible from untrusted networks.
- Requirement 1.4.5: The disclosure of internal IP addresses and routing information is limited to only authorized parties.
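The ruleset properties described in Requirements 1.2.1, 1.3.1, 1.3.2, 1.4.3 and 1.4.4 above, shown as one nftables configuration for a Linux host acting as the CDE's NSC. This is an added example, not code from the original post or from Basis Theory; the interface names, the 10.10.20.0/24 CDE segment, the web host, the cardholder database host and the payment gateway address are all constructed assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post. Illustrates a CDE network security
# control: default deny in both directions (1.3.1/1.3.2), logging of traffic
# decisions (1.2.1), anti-spoofing (1.4.3) and no direct untrusted access to the
# cardholder database (1.4.4). Interfaces and addresses below are hypothetical.
flush ruleset

define UNTRUSTED_IF = "eth0"          # faces the untrusted (external) network
define CDE_IF       = "eth1"          # faces the CDE segment
define CDE_NET      = 10.10.20.0/24   # constructed CDE segment
define WEB_HOST     = 10.10.20.10     # constructed public-facing payment page host
define CHD_DB       = 10.10.20.50     # constructed cardholder database host
define PAY_GATEWAY  = 203.0.113.10    # constructed payment processor address

table inet cde_nsc {
    # 1.4.3: source ranges that must never arrive from the untrusted side.
    set spoofed_sources {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }
    }

    chain forward {
        # 1.3.1 / 1.3.2: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # 1.4.3: forged internal/CDE source addresses from outside are logged and dropped.
        iifname $UNTRUSTED_IF ip saddr @spoofed_sources log prefix "NSC-SPOOF " drop

        # Replies to connections that were already permitted by a rule below.
        ct state established,related accept
        ct state invalid drop

        # 1.3.1: the only inbound service exposed to the untrusted network is HTTPS on the web host.
        iifname $UNTRUSTED_IF oifname $CDE_IF ip daddr $WEB_HOST tcp dport 443 log prefix "NSC-IN " accept

        # 1.4.4: the cardholder database is never reachable directly from untrusted networks.
        iifname $UNTRUSTED_IF ip daddr $CHD_DB log prefix "NSC-DB-DENY " drop

        # 1.3.2: outbound from the CDE is limited to HTTPS to the payment gateway.
        iifname $CDE_IF oifname $UNTRUSTED_IF ip saddr $CDE_NET ip daddr $PAY_GATEWAY tcp dport 443 log prefix "NSC-OUT " accept

        # 1.2.1: everything else is logged before the chain's default policy drops it.
        log prefix "NSC-DROP "
    }
}
```

Load it with `nft -f`; the fixed log prefixes give the periodic rule review required under Requirement 1.2 a simple string to filter the kernel log on.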
Requirement 1.5 (New to PCI DSS v4.0): Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
This new v4.0 requirement dictates that you will need to configure your firewall to filter traffic based on the level of risk associated with that traffic. The point of this addition is to help protect your network from malicious traffic.
Defined approach requirements include:
- Requirement 1.5.1: Security controls are implemented on all devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE as follows:
  - Specific configuration settings are defined to prevent threats from being introduced into the CDE’s network.
  - Security controls are actively running.
  - Security controls are not alterable by users unless specifically documented and authorized by management on a case-by-case basis for a limited period.
How Basis Theory can help you satisfy Requirement 1
Securing cardholder data in a CDE satisfies requirement 1 and provides companies greater control and flexibility over their payment stack. However, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Basis Theory provides the platform, infrastructure, and tools to secure cardholder data in minutes and without these costs and distractions.
As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved cardholder data environment to customers. With its suite of configurable tools, services, and tokens, companies can collect, secure, and share credit card data without bringing their own systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements of PCI DSS while retaining complete control over their cardholder data.
*PCI DSS Requirement information contained in this post is for educational purposes only and references material from the guide "Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0" published by the PCI SSC in March 2022. Please refer to the PCI Security Standards Council website for the complete, up-to-date, accurate requirements.