
PCI DSS Requirement – 1.5.1.a

Defined Approach Requirements

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows:
• Specific configuration settings are defined to prevent threats being introduced into the entity’s network.
• Security controls are actively running.
• Security controls are not alterable by users of the computing devices unless specifically documented and authorized by management on a case-by-case basis for a limited period.

Customized Approach Objective

Devices that connect to untrusted environments and also connect to the CDE cannot introduce threats to the entity’s CDE.

Applicability Notes

These security controls may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If these security controls need to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period during which these security controls are not active.
This requirement applies to employee-owned and company-owned computing devices. Systems that cannot be managed by corporate policy introduce weaknesses and provide opportunities that malicious individuals may exploit.

Defined Approach Testing Procedures

1.5.1.a Examine policies and configuration standards and interview personnel to verify security controls for computing devices that connect to both untrusted networks, and the CDE, are implemented in accordance with all elements specified in this requirement.
1.5.1.b Examine configuration settings on computing devices that connect to both untrusted networks and the CDE to verify settings are implemented in accordance with all elements specified in this requirement.

Purpose of requirement and procedures

Computing devices that are allowed to connect to the Internet from outside the corporate environment—for example, desktops, laptops, tablets, smartphones, and other mobile computing devices used by employees—are more vulnerable to Internet-based threats.
Use of security controls such as host-based controls (for example, personal firewall software or end-point protection solutions), network-based security controls (for example, firewalls, network-based heuristics inspection, and malware simulation), or hardware, helps to protect devices from Internet-based attacks, which could use the device to gain access to the organization’s systems and data when the device reconnects to the network.

Good practice

The specific configuration settings are determined by the entity and should be consistent with its network security policies and procedures.
Where there is a legitimate need to temporarily disable security controls on a company-owned or employee-owned device that connects to both an untrusted network and the CDE—for example, to support a specific maintenance activity or investigation of a technical problem—the reason for taking such action is understood and approved by an appropriate management representative. Any disabling or altering of these security controls, including on administrators’ own devices, is performed by authorized personnel.
It is recognized that administrators have privileges that may allow them to disable security controls on their own computers, but there should be alerting mechanisms in place when such controls are disabled and follow-up that occurs to ensure processes were followed.
Examples
Practices include forbidding split-tunneling of VPNs for employee-owned or corporate-owned mobile devices and requiring that such devices boot up into a VPN.
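As an added illustration (editor-supplied code, not part of PCI DSS 4.0 or of this page), the following Python posture check turns the three elements of 1.5.1 and the split-tunnel practice above into something that can run over device telemetry. It assumes a WireGuard-style VPN profile, where the `AllowedIPs` entries decide what is routed through the tunnel, so a profile that lacks both `0.0.0.0/0` and `::/0` is treated as split-tunneled, and it assumes a simple per-device record of which controls are running. Device IDs, hostnames, approver names and change tickets are all constructed.

```python
"""Added example (not from PCI DSS or this page): posture check for a device that
reaches both untrusted networks and the CDE. Required host controls must be running,
a control that is off needs a documented, unexpired, management-approved exception,
and the VPN profile (assumed WireGuard-style) must not be split-tunneled."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

DEFAULT_ROUTES = {"IPv4": ipaddress.ip_network("0.0.0.0/0"), "IPv6": ipaddress.ip_network("::/0")}
REQUIRED_CONTROLS = ("host_firewall", "endpoint_protection")
UTC = timezone.utc


def parse_wireguard_peers(text: str) -> list[dict[str, str]]:
    """Each [Peer] section as a dict of lower-cased keys (configparser would
    reject a profile with several [Peer] sections, hence the hand-rolled loop)."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return peers


def check_vpn(conf_text: str) -> list[str]:
    """Flag split-tunneling: every default route must be sent to some peer."""
    peers = parse_wireguard_peers(conf_text)
    if not peers:
        return ["no VPN peer configured"]
    routed = {ipaddress.ip_network(item.strip(), strict=False)
              for peer in peers for item in peer.get("allowedips", "").split(",")
              if item.strip()}
    return [f"split tunnel: {name} default route not sent through VPN"
            for name, net in DEFAULT_ROUTES.items() if net not in routed]


@dataclass(frozen=True)
class ControlException:          # case-by-case, time-limited authorization
    control: str
    approved_by: str             # management representative
    ticket: str                  # where the authorization is documented
    expires: datetime


@dataclass
class DevicePosture:
    device_id: str
    controls_running: dict[str, bool]   # agent telemetry: control -> running?
    vpn_conf: str
    exceptions: tuple[ControlException, ...] = ()


def evaluate(device: DevicePosture, now: datetime) -> list[str]:
    """Findings for one device; an empty list means every 1.5.1 element holds."""
    findings = []
    for control in REQUIRED_CONTROLS:
        if device.controls_running.get(control, False):
            continue                                     # actively running
        exc = next((e for e in device.exceptions if e.control == control), None)
        if exc is None:
            findings.append(f"{control} not running and no documented exception")
        elif exc.expires <= now:
            findings.append(f"{control} disabled under exception {exc.ticket} approved "
                            f"by {exc.approved_by}, expired {exc.expires:%Y-%m-%d}")
        # else: inside an authorized window, so no finding; still alert and follow up
    return findings + check_vpn(device.vpn_conf)


# Constructed sample inputs (hosts, device IDs and ticket numbers are made up).
FULL_TUNNEL_CONF = """
[Peer]
Endpoint = vpn.example.test:51820
AllowedIPs = 0.0.0.0/0, ::/0              # all traffic through the tunnel
"""
SPLIT_TUNNEL_CONF = """
[Peer]
Endpoint = vpn.example.test:51820
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12    # Internet traffic bypasses the VPN
"""
NOW = datetime(2022, 10, 15, tzinfo=UTC)
SAMPLE_DEVICES = (
    DevicePosture("LAP-0001", {"host_firewall": True, "endpoint_protection": True},
                  FULL_TUNNEL_CONF),
    DevicePosture("LAP-0002", {"host_firewall": True, "endpoint_protection": False},
                  SPLIT_TUNNEL_CONF, (ControlException("endpoint_protection", "IT manager",
                                                       "CHG-1042", datetime(2022, 10, 1, tzinfo=UTC)),)),
    DevicePosture("LAP-0003", {"host_firewall": False, "endpoint_protection": True},
                  FULL_TUNNEL_CONF, (ControlException("host_firewall", "IT manager",
                                                      "CHG-1057", datetime(2022, 10, 20, tzinfo=UTC)),)),
)


def run_checks(devices=SAMPLE_DEVICES, now=NOW) -> dict[str, list[str]]:
    """Evaluate every device; non-empty entries are what alerting should fire on."""
    return {d.device_id: evaluate(d, now) for d in devices}
```

Two design points worth noting. A control that is off inside an unexpired, documented exception yields no finding, which mirrors the requirement's case-by-case allowance, but the exception is still bound to a ticket, an approver and an expiry, so the same device becomes a finding the day the window lapses (LAP-0002 above). Treating a missing `::/0` as a finding on its own is deliberate: a profile that only routes `0.0.0.0/0` leaves IPv6 traffic outside the tunnel on a dual-stack network, which is a split tunnel in effect even if nobody configured one on purpose.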

Definitions

[No detail is provided here in the PCI DSS 4.0]


Note: This sub-requirement falls within the primary PCI DSS Requirement 1: Install and Maintain Network Security Controls, and the secondary requirement 1.5: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.


What is the PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.

While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long lasting and trusting relationships with their customers.

Source: https://www.imperva.com/learn/data-security/pci-dss-certification/

What is the PCI SSC

The PCI SSC mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry.

The four pillars of our strategic framework include:

  1. Increase industry participation and knowledge in the PCI Standards development process and stakeholder support for standards implementation. This ensures that standards and resources reflect and address industry needs and challenges.
  2. Evolve security standards and validation programs to support a range of environments, technologies and methodologies for achieving security. This ensures standards and resources that support and enable safe commerce and the flexibility to use different approaches to meet those standards.
  3. Secure emerging payment channels via development of PCI Standards and resources to support broader payment acceptance. This enables safe commerce in new and emerging card and card-based payment channels such as mobile and internet-of-things.
  4. Increase standards alignment and consistency of PCI Standards to minimize redundancy and support effective implementation.

PCI DSS certification

PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:

  • Installation of firewalls
  • Encryption of data transmissions
  • Use of anti-virus software

Source: https://www.imperva.com/learn/data-security/pci-dss-certification/


You can learn more about the PCI DSS at https://www.pcisecuritystandards.org/

Updated on October 15, 2022