AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Firewall PCI-DSS Compliance, The Numbers are In…

I recently came across a great study on the state of PCI-DSS compliance conducted by Verizon Business. Unlike much of the baseless chatter circulated by opponents and proponents of the standard, this study is based on roughly 200 real-life PCI-DSS assessments conducted by Verizon's team of Qualified Security Assessors (QSAs).

Naturally, I was most interested in the data for Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data.

And the numbers are in –

  • Only 46% of organizations initially satisfied Requirement 1 for firewall PCI-DSS compliance. (Allow me to rephrase the original language of the study: a whopping 54% FAILED to satisfy this requirement.)
  • The most difficult tests within the requirement were verifying that firewall rule sets are reviewed at least every six months, and verifying that a business justification is documented for every insecure service, port and protocol that is allowed.
  • There was a divergence in how organizations scored on the inbound and outbound traffic tests. Results show that organizations perform reasonably well at restricting inbound traffic but are much more permissive when it comes to outbound rules (e.g. allowing SSH, FTP and Telnet from all desktops to ANY). You can check out a great post by our CTO on this subject.
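To make the three findings above concrete, here is a small audit script, added as an illustration for this post and not code from the Verizon report or from any AlgoSec product. It runs over a constructed sample rule set (the field names, the list of "insecure" services and the 183-day cut-off used to approximate "every six months" are all this example's own assumptions) and flags the same things the QSAs were testing for: rule sets overdue for review, insecure services allowed without a documented business justification, and outbound rules that let interactive services reach ANY.

```python
from datetime import date, timedelta

# Cleartext services the standard expects to see justified (assumed list).
INSECURE_SERVICES = {"telnet", "ftp"}
# Services the post calls out as commonly allowed outbound to ANY; "any"
# catches the fully open rule.
WATCHED_OUTBOUND = INSECURE_SERVICES | {"ssh", "any"}
# Approximation of "reviewed at least every six months" (assumed threshold).
REVIEW_INTERVAL = timedelta(days=183)

# Constructed sample rule set; the schema is this example's own, not a
# vendor export format.
SAMPLE_RULESET = {
    "last_reviewed": "2010-01-15",
    "rules": [
        {"id": "R1", "action": "allow", "direction": "inbound",
         "src": "any", "dst": "dmz-web", "service": "https",
         "justification": "Public web tier"},
        {"id": "R2", "action": "allow", "direction": "outbound",
         "src": "desktops", "dst": "any", "service": "ssh",
         "justification": ""},
        {"id": "R3", "action": "allow", "direction": "outbound",
         "src": "desktops", "dst": "any", "service": "ftp",
         "justification": ""},
        {"id": "R4", "action": "allow", "direction": "outbound",
         "src": "legacy-batch", "dst": "partner-ftp", "service": "ftp",
         "justification": "Nightly settlement file to partner; SFTP migration tracked"},
        {"id": "R5", "action": "allow", "direction": "outbound",
         "src": "desktops", "dst": "any", "service": "any",
         "justification": ""},
        {"id": "R6", "action": "deny", "direction": "outbound",
         "src": "any", "dst": "any", "service": "any",
         "justification": "Default deny"},
    ],
}


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def audit_ruleset(ruleset, today):
    """Return a list of (rule_id, finding) tuples for the three checks.

    The rule-set-level review check is reported under the pseudo-id 'RULESET'.
    """
    today = _as_date(today)
    findings = []

    # Check 1: rule set reviewed within the last six months.
    last_reviewed = _as_date(ruleset["last_reviewed"])
    if today - last_reviewed > REVIEW_INTERVAL:
        findings.append(("RULESET",
                         f"rule set last reviewed {last_reviewed}, "
                         f"more than six months before {today}"))

    for rule in ruleset["rules"]:
        if rule["action"] != "allow":
            continue  # deny rules need no justification
        service = rule["service"].lower()

        # Check 2: insecure service allowed without a documented justification.
        if service in INSECURE_SERVICES and not rule["justification"].strip():
            findings.append((rule["id"],
                             f"insecure service {service} allowed without "
                             f"documented business justification"))

        # Check 3: over-permissive outbound rule to ANY.
        if (rule["direction"] == "outbound" and rule["dst"] == "any"
                and service in WATCHED_OUTBOUND):
            findings.append((rule["id"],
                             f"outbound {service} from {rule['src']} to ANY"))
    return findings


def failing_rule_ids(ruleset, today):
    """Sorted ids of individual rules with at least one finding."""
    return sorted({rid for rid, _ in audit_ruleset(ruleset, today)
                   if rid != "RULESET"})


if __name__ == "__main__":
    for rule_id, text in audit_ruleset(SAMPLE_RULESET, "2010-09-01"):
        print(f"{rule_id}: {text}")
```

Against the sample above, R2, R3 and R5 are the desktop-to-ANY rules the post describes, R3 additionally lacks the justification that R4 (the same service, but scoped to one partner host and documented) carries, and the rule set as a whole is overdue for review. Note that SSH is only flagged for the "to ANY" condition, not as an insecure service; the justification check is limited to the cleartext protocols.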

If you ever wished you had instant visibility into your level of PCI-DSS compliance, complete with which rules are causing you to break compliance, I suggest you take a look at this video demonstration. Of course, you could go one step further and make sure that every time you introduce a change, it does not negatively impact your compliance level. We created our FireFlow product for this very purpose, so you may want to check it out.

You can download the complete PCI-DSS compliance report from the Verizon Business website.

