Configuring FortiGate units for PCI DSS compliance
This chapter provides information about configuring your network and FortiGate unit to help you comply with PCI DSS requirements. There is also some description of other Fortinet products that can help you with PCI DSS compliance.
Introduction to PCI DSS
The primary source of information for your PCI DSS compliance program is the Payment Card Industry (PCI) Data Security Standard itself. Version 3.1 of the standard was published in April 2015. The following is a brief summary of PCI DSS.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) sets data handling requirements for organizations that hold, process, or exchange cardholder information.
What is the Cardholder Data Environment
Throughout the PCI DSS requirements, there are references to the Cardholder Data Environment (CDE). The CDE is the computer environment in which cardholder data is transmitted, processed, or stored, together with any systems or network segments directly connected to that environment. Systems that are not isolated from the CDE by a firewall are in scope, which is why network segmentation is the first step in reducing the scope of an assessment.
PCI DSS objectives and requirements
PCI DSS consists of 6 control objectives and 12 requirements.
PCI DSS Control Objectives and Requirements

| Control Objective | Requirement | Fortinet Solution |
|---|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data | FortiGate firewall functionality. See Security policies for the CDE network on page 803 |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters | FortiDB vulnerability assessment and auditing. FortiWeb web application password checking. See Password complexity and change requirements on page 809 |
| Protect Cardholder Data | 3. Protect stored cardholder data | FortiDB vulnerability assessment and monitoring. FortiWeb web application firewall. See Protecting stored cardholder data on page 806 |
| | 4. Encrypt transmission of cardholder data across open, public networks | FortiGate IPsec VPN. See Protecting communicated cardholder data on page 806 |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update antivirus software or programs | FortiGate integrated AV. FortiClient integrated AV. FortiMobile integrated AV. FortiMail integrated AV. FortiGuard automated AV updates. See Protecting the CDE network from viruses on page 807 |
| | 6. Develop and maintain secure systems and applications | FortiDB vulnerability assessment, auditing and monitoring. FortiWeb web application security. FortiGate Application Control |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know | FortiDB vulnerability assessment, auditing and monitoring. See Restricting access to cardholder data on page 809 |
| | 8. Identify and authenticate access to system components | FortiGate integrated user database or hooks to Active Directory. See Controlling access to the CDE network on page 809 |
| | 9. Restrict physical access to cardholder data | Fortinet professional services in partnership with partner solutions |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data | FortiDB auditing and monitoring. FortiAnalyzer event reporting. See Monitoring the network for vulnerabilities |
| | 11. Regularly test security systems and processes | FortiDB vulnerability assessment. See Monitoring the network for vulnerabilities |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel | FortiManager security policy management appliance |
This chapter describes how the FortiGate's features can help your organization comply with PCI DSS. Requirements that the FortiGate cannot enforce (for example, physical access controls or the information security policy itself) must be met through organizational policies, with some means determined for auditing compliance.
Be sure to read the following wireless guidelines. Even if your organization does not use wireless networking, PCI DSS requires you to verify periodically that wireless networking has not been introduced into the CDE.
Wireless guidelines
While wired networks usually connect fixed known workstations, wireless networks are more dynamic, introducing a different set of security concerns.
Even if your organization does not use wireless networking, PCI DSS requires you to verify periodically that unauthorized wireless networking has not been introduced into the CDE. Wireless networking can be introduced quite casually, for example by plugging a USB wireless adapter into a PC on the CDE network or by connecting a consumer access point to a spare switch port.
For all PCI DSS networks, whether they use wireless technology or not, the following requirement applies:
- Test for the presence of wireless access points by using a wireless analyzer at least quarterly, or deploy a wireless IDS/IPS to identify all authorized and unauthorized wireless devices in use. (11.1)
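The following is an added configuration example and is not part of the original handbook text. It shows how a FortiGate acting as the wireless controller for managed FortiAPs can satisfy the "wireless IDS/IPS" option in 11.1 by scanning continuously for other access points and classifying them as rogue or accepted. The profile names pci-wids and pci-ap are placeholders chosen for this example; the scan interval and dwell time are illustrative values. Confirm the exact command set against the CLI reference for your FortiOS release, and see Wireless network security for the full set of wireless requirements.

```text
# Added example, not from the handbook. FortiOS CLI on the FortiGate wireless controller.
# Profile names pci-wids and pci-ap are placeholders.

# A WIDS profile tells managed APs to scan for other APs in radio range
# and to report them to the controller for rogue/accepted classification.
config wireless-controller wids-profile
    edit "pci-wids"
        # Scan for neighbouring APs between serving clients.
        set ap-scan enable
        # How often (seconds) each radio runs a background scan.
        set ap-bgscan-period 600
        # Dwell time per channel (milliseconds) during the background scan.
        set ap-bgscan-duration 20
        # Classify discovered APs as rogue or accepted.
        set rogue-scan enable
        # Detect only. Suppression (deauthenticating clients of a rogue AP)
        # is a separate decision with legal implications and is left off here.
        set ap-auto-suppress disable
    next
end

# Attach the WIDS profile to the AP profile used by the FortiAPs in the CDE.
config wireless-controller wtp-profile
    edit "pci-ap"
        config radio-1
            set wids-profile "pci-wids"
        end
    next
end
```

Discovered access points appear in the controller's Rogue AP Monitor, where an administrator marks known APs as accepted so that only genuinely unknown devices remain flagged; keep that list, with dates, as the evidence an assessor will ask for. Two caveats a practitioner should note: the scan covers only the radio range of the managed APs, so a site with no FortiAP still needs a quarterly walk-through with a handheld analyzer; and a rogue that appears in the list is not necessarily attached to the CDE network. Confirming whether it is (for example by checking the wired MAC neighbourhood on the CDE switches) is part of the response procedure, not something the scan can decide on its own.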
If your organization uses wireless networking outside the CDE network and a firewall prevents all communication between the wireless network and the CDE network, the wireless network is outside the PCI DSS scope. The firewall performing that segmentation is still in scope, and its configuration must meet PCI DSS requirements.
If your organization uses wireless networking inside the CDE network, the wireless network is within the PCI DSS scope. For information about wireless network requirements, see Wireless network security on page 804.