December 5, 2017 | IBM i

PCI DSS Compliance: How IBM i Answers PCI DSS Requirements for Firewalls & Routers


Per the Payment Card Industry (PCI) Data Security Standard (DSS) issued by the PCI Security Standards Council (PCI SSC), any organization that stores, processes, or transmits cardholder data must meet the 12 requirements of the standard. PCI DSS compliance is required for any IBM i partition that either 1) stores, processes, or transmits credit card data; or 2) resides on the same network segment and subnet as the machines that do, since a system that is not segmented away from the cardholder data environment is in scope along with it. Failure to comply with the standard can result in substantial fines and other penalties from the card brands and acquiring banks.

 

This post is part of an ongoing series describing how an IBM i partition can meet PCI DSS requirements, with each post covering one set of requirements. This week, let’s look at PCI DSS requirement 1, which discusses compliance activities for firewalls and routers in a cardholder data environment.

 

PCI DSS: where 12 requirements meet six goals

There are 12 requirements that must be met to achieve PCI DSS compliance. Your IBM i partitions must be in compliance for any requirement that is applicable to a cardholder data environment. Shown in table 1, each requirement is designed to meet one of six specific PCI DSS goals.

 

Table 1: The twelve PCI DSS requirements and the goals they are designed to meet[1]

Goal: Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a vulnerability management program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Goal: Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Goal: Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Goal: Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel


What is a cardholder data environment (CDE)?

According to the PCI Security Standards Council, a cardholder data environment consists of "The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data". Compliance activities therefore cover not only systems and network equipment but also the people and procedures around them, depending on the requirement being evaluated.

 

What the PCI DSS standard says about firewall protection and routing

PCI DSS requirement 1 specifies that organizations must "Install and maintain a firewall configuration to protect cardholder data." Although the requirement 1 wording listed in table 1 mentions only firewalls, its sub-requirements apply equally to routers and any other equipment that connects two or more networks.

 

So what does this mean for an IBM i system? Here are some CDE activities that may be covered under requirement 1 for an IBM i partition.

  • Your IBM i uses a third-party firewall product such as SEA's iSecurity Firewall to control which users and hosts can reach the subnet where cardholder processing occurs.
  • An IBM i partition hosts a green-screen, web, or mobile front end for credit card processing. The customer enters cardholder data in an IBM i application interface, and the partition then passes that data to another machine for processing; this is a transmission function.
  • Any other situation in which the IBM i acts as a firewall or a router in a CDE.

Other PCI DSS requirements cover storing and processing cardholder data; requirement 1 deals only with the firewalls and routers in the PCI DSS environment.

 

What requirements do I need to meet for requirement 1 compliance?

From the PCI DSS Quick Reference Guide v3.2, here are the five sub-requirements (1.1 through 1.5) that must be satisfied for PCI DSS requirement 1 compliance in your CDE. Check the full PCI DSS requirements and testing procedures for the precise wording of each.

 


Requirement 1.1 specifies you must have the following:

  • Firewall and router configuration standards that include a formal process for approving and testing all network connections and any change to the firewall and router configurations.
  • Documentation and diagrams identifying connections between the cardholder data environment and other networks (including wireless networks), as well as cardholder data flows across systems and networks.
  • Business justifications and approval for every service, protocol, and port your firewall and router configurations allow.
  • Documentation showing that you review your firewall and router rule sets at least every six months.

For the IBM i, requirement 1.1 generally involves creating and storing reports that document your firewall and router configurations for documentation and rule set review, so be sure any third-party IBM i firewall product you use has these documentation capabilities.

 

If your IBM i is routing cardholder data to other subnets or machines, you may also need to generate reports showing your routing table setup.

 


Requirement 1.2 specifies that you "Build firewall and router configurations that restrict all traffic, inbound and outbound, from 'untrusted' networks (including wireless) and hosts, and specifically deny all other traffic except for protocols necessary for the cardholder data environment."

 

On an IBM i handling cardholder data traffic this can be trickier, because the standard expects a CDE firewall or router to pass only the traffic the cardholder data environment needs and to deny everything else; a partition that also routes general business traffic makes that hard to demonstrate. This requirement may be satisfied by creating a small, isolated partition whose only job is to provide access to and route cardholder traffic. Consult a PCI DSS Qualified Security Assessor (QSA) for more specific guidance on this point.
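Requirements 1.1 and 1.2 together describe a posture you can actually check: every permitted service carries a business justification, the rule set ends in an explicit deny-all, no rule is dead, and the rule set was reviewed within the last six months. The script below is an added example, not code from the original post or from any IBM i firewall product; it runs those checks over a hypothetical, vendor-neutral rule list. The Rule layout, the sample networks, the constructed rule sets and the 183-day review window are all assumptions made for illustration.

```python
"""Rule-set review helper (added example, not from the post or any IBM i product).

The Rule layout, the sample addresses and the 183-day review window are all
assumptions made for illustration; adapt them to the export format your
firewall or router actually produces.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"; first matching rule wins
    src: str                 # source network in CIDR form, or "any"
    dst: str                 # destination network in CIDR form, or "any"
    proto: str               # "tcp", "udp", "icmp" or "any"
    port: str                # destination port or range, or "any"
    justification: str = ""  # business justification that requirement 1.1 asks for


def is_catch_all(rule: Rule) -> bool:
    """True when the rule matches every packet regardless of address or service."""
    return (rule.src, rule.dst, rule.proto, rule.port) == ("any", "any", "any", "any")


def review_ruleset(rules: List[Rule], last_review: date, today: date,
                   max_review_age_days: int = 183) -> List[str]:
    """Return a list of findings; an empty list means the rule set passed every check."""
    findings: List[str] = []
    deny_all_at: Optional[int] = None

    for n, r in enumerate(rules, start=1):
        if r.action not in ("allow", "deny"):
            findings.append(f"rule {n}: unknown action {r.action!r}")
            continue
        if deny_all_at is not None:
            # First-match semantics: nothing after a catch-all deny can ever fire.
            findings.append(f"rule {n}: unreachable, shadowed by the deny-all at rule {deny_all_at}")
            continue
        if r.action == "allow":
            if is_catch_all(r):
                findings.append(f"rule {n}: allow-any rule defeats the default-deny posture (1.2)")
            if not r.justification.strip():
                findings.append(f"rule {n}: allow rule has no business justification (1.1)")
        elif is_catch_all(r):
            deny_all_at = n

    if deny_all_at is None:
        findings.append("rule set never explicitly denies the remaining traffic (1.2)")
    if (today - last_review).days > max_review_age_days:
        findings.append(f"last rule-set review on {last_review.isoformat()} is older than six months (1.1)")
    return findings


def weak_ruleset() -> List[Rule]:
    """Constructed rule set that should fail review: catch-all allow, no justification, dead rule."""
    return [
        Rule("allow", "any", "10.20.30.0/24", "tcp", "443", "HTTPS to payment front end"),
        Rule("allow", "any", "any", "any", "any"),
        Rule("deny", "any", "any", "any", "any", "default deny"),
        Rule("allow", "10.20.30.0/24", "10.20.40.5/32", "tcp", "5432", "front end to database"),
    ]


def compliant_ruleset() -> List[Rule]:
    """Constructed rule set with the posture 1.2 describes: justified allows, then deny everything."""
    return [
        Rule("allow", "10.20.30.0/24", "10.20.40.5/32", "tcp", "443", "store front end to payment switch"),
        Rule("allow", "10.20.40.5/32", "10.20.50.10/32", "tcp", "514", "payment switch to central syslog"),
        Rule("deny", "any", "any", "any", "any", "deny all traffic not listed above"),
    ]


def demo() -> Dict[str, List[str]]:
    """Run both constructed rule sets through the review as of the post's date."""
    today = date(2017, 12, 5)
    return {
        "weak": review_ruleset(weak_ruleset(), last_review=date(2017, 3, 1), today=today),
        "compliant": review_ruleset(compliant_ruleset(), last_review=date(2017, 9, 1), today=today),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Running it prints four findings for the weak rule set (the catch-all allow, its missing justification, the database rule shadowed by the deny-all, and the stale review) and none for the compliant one. The point of keeping the output as a list of findings rather than a pass/fail flag is that the list itself is the rule-set review record requirement 1.1 asks you to keep; add a date and an approver and file it.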

 

Requirement 1.3 instructs you to "Prohibit direct public access between the Internet and any system component in the cardholder data environment". You should never place an IBM i partition dealing with cardholder data directly on the Internet. Requirement 1.3 expects a DMZ that limits inbound Internet traffic to the components that provide authorized, publicly accessible services, and it expects components that store cardholder data to sit in an internal network zone segregated from the DMZ. So an IBM i partition that only fronts the CDE may live in the DMZ behind the firewall, but a partition that stores cardholder data belongs in the protected internal network.

 


Requirement 1.4 deals with installing personal firewall software (or equivalent functionality) on portable computing devices, whether company- or employee-owned, that connect to the Internet from outside your network and are also used to access the CDE. It does not apply to using an IBM i partition as a firewall or for routing traffic.

 

Requirement 1.5 requires that any related security policies and operational procedures for accessing your network are documented, in use, and known to all affected parties. This is where any documentation that comes with a third-party IBM i firewall product can come in handy.

 

PCI DSS isn’t the only set of requirements

This information provides a broad overview of requirement 1 and can help with PCI DSS compliance, but be aware there may be more requirements you need to meet. Individual payment card brands have their own programs concerning compliance, validation procedures, and standard enforcement. The banks that perform your credit card processing may also have additional standards you'll be required to meet.

 

There are also additional standards for the management of devices that protect cardholder PINs and perform other payment processing activities (PIN Transaction Security requirements, PTS), for developing cardholder payment applications (Payment Application Data Security Standard, PA-DSS), and other standards for encryption, security, and more. PCI SSC provides a document library where you can download all the security standards at https://www.pcisecuritystandards.org/documentlibrary.

 

Use this post as a starting point for determining your PCI DSS needs, and take advantage of the other PCI SSC resources, including access to Qualified Security Assessors (QSAs) for assessing PCI DSS compliance and the Self-Assessment Questionnaires (SAQs) if you're eligible to self-assess your own PCI DSS compliance.

 

[1] “PCI DSS Quick Reference Guide, Understanding the Payment Card Industry Data Security Standard version 3.2”, PCI Security Standards Council, May 2016, https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf?agreement=true&time=1492652938189