Objective # 1: Build and Maintain a Secure Network (covers requirements 1 & 2)
In the first part of the PCI DSS compliance guide, I discussed the very basics and gave a high-level overview of PCI DSS. I also talked about the 4 merchant or service provider levels, as well as the process for getting PCI certified. Please keep in mind that these articles are meant to provide you with a short but concise summary of the requirements. They are to the point and not cluttered with filler. We have compiled a list of the top 10 challenges and questions associated with PCI compliance. Please read this article, as it will help you understand what is currently in place and what still needs to be put in place.
In the past, criminals had to physically enter an organization to steal financial records. That is no longer the case. Credit and debit card transactions are now processed on PIN entry devices and computers connected by networks. PCI DSS takes a common-sense approach that mirrors security best practices. There are 6 core objectives and 12 requirements. In this follow-up article, I will discuss the first core objective of PCI DSS, which is building and maintaining a secure network. The 2 requirements that support this objective are (1) install and maintain a firewall and router configuration and (2) do not use vendor-supplied default passwords.
First off, what is a router and what is a firewall? A router is hardware or software that forwards traffic between 2 or more networks, while a firewall is a device that controls the passage of traffic between networks and within an internal network.
Now that we have the definitions out of the way, let’s talk about the first requirement. Requirement #1 states: Install and maintain a firewall and router configuration to protect cardholder data.
Basically, it is saying that you must install and configure the router and firewall properly. They are the first line of defense. The configuration must block all unwanted access and allow only authorized access into and out of the network. Verify that the firewalls deny traffic by default and, where traffic is necessary for business purposes, permit only the authorized traffic. Absolutely no direct access is allowed from the internet to any system in the cardholder data environment. Make sure that you have a documented process for approving firewall rule changes and a process for testing or reviewing those changes. Firewalls and routers must be clearly documented in the network diagram, and the diagram must identify all the network devices. In addition to the network diagram, it is helpful to also have a data flow diagram that shows how cardholder data travels through the environment.
Requirement #2 says don’t use vendor-supplied defaults for system passwords and other security parameters. The easiest way for a hacker to access your network is to try the default passwords or exploits based on default configuration settings. On many occasions, companies don’t change default passwords or configuration settings upon deployment. Here is a list of typical default passwords that must be changed:
- [name of product / vendor]
- 1234 or 4321
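The two requirements above can be checked against a device inventory rather than by eye. The following script is an added example, not code from the original guide or from the PCI Security Standards Council: it audits each device for Requirement 1 (default-deny policy, no allow rule from the internet into the cardholder data environment, every allow rule tied to an approved change record) and for Requirement 2 (no password that is a generic default, the vendor or product name, or the name followed by digits). The CDE subnet, the internal ranges, the device records, the change ticket IDs and the sample passwords are all constructed for the example.

```python
"""Added example (not part of the original guide): audit a device inventory
against PCI DSS Requirement 1 (firewall/router configuration) and
Requirement 2 (vendor-supplied default passwords).
All networks, device records and credentials below are constructed sample data."""
import ipaddress

# Constructed: the cardholder data environment segment and the internal ranges.
CDE_NETWORK = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Generic defaults: the values the guide lists (1234, 4321) plus the usual
# factory strings; the vendor/product name is checked per device below.
GENERIC_DEFAULTS = {"1234", "4321", "admin", "password", ""}


def network(text):
    # strict=False lets a bare host address ("10.20.0.15") parse as a /32.
    return ipaddress.ip_network(text, strict=False)


def from_internet(src):
    """A source is 'the internet' if it is not wholly inside an internal range."""
    return not any(src.subnet_of(internal) for internal in INTERNAL_NETWORKS)


def audit_firewall(device):
    """Requirement 1 checks for one device. Returns a list of finding strings."""
    findings = []
    if device.get("default_policy", "").lower() != "deny":
        findings.append(f"{device['name']}: default policy is not deny")
    for rule in device.get("rules", []):
        if rule["action"].lower() != "allow":
            continue
        src, dst = network(rule["src"]), network(rule["dst"])
        # No direct access from the internet into any CDE system.
        if from_internet(src) and dst.overlaps(CDE_NETWORK):
            findings.append(f"{device['name']}: rule {rule['id']} allows internet "
                            f"({rule['src']}) into CDE ({rule['dst']})")
        # Every allow rule must trace back to an approved change.
        if not rule.get("change_ticket"):
            findings.append(f"{device['name']}: rule {rule['id']} has no approved change record")
    return findings


def is_default_credential(device, password):
    """Requirement 2: True if the password is a generic default, the vendor or
    product name, or that name followed only by digits (case and separators ignored)."""
    def norm(s):
        return s.lower().replace(" ", "").replace("-", "")
    candidate = norm(password)
    if candidate in GENERIC_DEFAULTS:
        return True
    for name in (device.get("vendor", ""), device.get("product", "")):
        n = norm(name)
        if n and (candidate == n or (candidate.startswith(n) and candidate[len(n):].isdigit())):
            return True
    return False


def audit_device(device):
    findings = audit_firewall(device)
    if is_default_credential(device, device.get("admin_password", "")):
        findings.append(f"{device['name']}: admin account still uses a vendor-default style password")
    return findings


# Constructed inventory: one edge firewall with a bad rule and a default-style
# password, one core router whose default policy was never changed to deny.
INVENTORY = [
    {"name": "edge-fw-1", "vendor": "Acme", "product": "Acme FW-200",
     "default_policy": "deny", "admin_password": "Acme-FW-200",
     "rules": [
         # Internet -> DMZ web server: allowed, documented.
         {"id": 10, "action": "allow", "src": "0.0.0.0/0", "dst": "192.168.5.10",
          "port": 443, "change_ticket": "CHG-0042"},
         # DMZ -> CDE application tier: allowed, documented.
         {"id": 20, "action": "allow", "src": "192.168.5.10", "dst": "10.20.0.15",
          "port": 8443, "change_ticket": "CHG-0043"},
         # Internet -> CDE host with no change record: two findings.
         {"id": 30, "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.15",
          "port": 3389, "change_ticket": None},
     ]},
    {"name": "core-rtr-1", "vendor": "Acme", "product": "Acme R-10",
     "default_policy": "allow", "admin_password": "Tq7!vN2#pLx9",
     "rules": [
         {"id": 10, "action": "allow", "src": "10.30.0.0/24", "dst": "10.20.0.0/24",
          "port": 443, "change_ticket": "CHG-0050"},
     ]},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for finding in audit_device(dev):
            print(finding)
```

Run as-is, the script reports three findings for edge-fw-1 (rule 30 exposes a CDE host to the internet, rule 30 has no change record, the admin password is the product name) and one for core-rtr-1 (default policy is not deny). Feeding it an export of your real rule base is a quick way to produce the evidence an assessor asks for under these two requirements.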
This concludes the first objective of PCI DSS, covering compliance requirements 1 and 2. We hope you find this article informative. Please share it with your friends, colleagues, and on all your favorite social sites. Let us know what interests you, and we will write about it. Don’t forget to leave a comment.