Requirement 1: Install and maintain network security controls


  • This requirement covers the correct use of security controls, such as firewalls and related components, to filter and monitor traffic as it passes between internal and external networks, as well as traffic to and from sensitive areas within the organization’s internal networks.

  • Figure 6. Global state of PCI DSS compliance: Requirement 1

  • Full compliance: On average, only 78.0% of organizations across the globe maintained compliance with Requirement 1. The percentage of organizations that kept all controls in place increased by 9.2 pp. Overall, Requirement 1 ranked sixth in terms of full compliance.

    Control gap: The control gap narrowed from 7.4% to 5.1%. This is a much-needed, if moderate, improvement in compliance performance, and the lowest control gap measured by Verizon in over five years (see page 68 of the 2020 PSR for comparative long-term trends).

    Compensating controls: The use of compensating controls remains almost unchanged, at 1.7%. This continues the long-term trend since 2018 of few organizations needing to apply a compensating control to meet this requirement.

  • The table below presents the state of PCI DSS v3.2.1 compliance per base control for all organizations across the global dataset.

    Full compliance measures the percentage of organizations that achieve 100% compliance on a particular base control. It is determined by dividing the total number of organizations in the dataset by the number of organizations that achieved full compliance for a particular requirement.

    Control gap measures the percentage of controls that were found not in place and needed to be remediated, when checked during an interim compliance validation assessment in 2020. It’s determined by calculating the total number of controls assessed for all the related test procedures under a particular control, divided by the controls and test procedures that failed.

    Control 1.5 remains the best performing control in terms of full compliance, scoring 96.5%. Most organizations continue to struggle to keep Control 1.1 – Implement firewall and router configurations – in place. Despite a good improvement (-3.2 pp), Control 1.1 still has the highest control gap, at 6.5%.

    • Note: It is purely coincidental that the ranking of full compliance from 5 to 1 for this requirement is in sequential order.

  • 2022 Payment Security Report
  • Figure 7. Requirement 1 control performance

    • A tip on sustainable control effectiveness

      Firewalls are a first line of network and application system defense, helping to ensure that strict control over configurations is maintained. To improve firewall effectiveness and sustainability, and prevent controls from falling out of compliance, organizations should automate the maintenance of their system and configuration management and integrate it with change control support systems. The effectiveness of this requirement strongly depends on other requirements, such as Requirement 10. The logs and alerts generated by firewalls and intrusion detection and prevention systems (IDS/IPS) require special attention.
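As an added example, not code from the report or from Verizon: a small drift check that compares a running firewall ruleset with the documented baseline and ties each unplanned difference back to change control, the kind of automation the tip above recommends. The rule text format, the rulesets and the CHG ticket ids are constructed for this example.

```python
# Added example (not from the Verizon report): flag firewall rule drift from a
# documented baseline. Rule text format, rulesets and ticket ids are constructed:
#   "src dst port action   # CHG-<change ticket>"
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port action")

def parse_rules(text):
    """Return {Rule: change_ticket_or_None} from the constructed text format."""
    rules = {}
    for line in text.strip().splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) == 4:               # skip blank or malformed lines
            rules[Rule(*fields)] = comment.strip() or None
    return rules

def check_drift(baseline_text, running_text, approved_tickets):
    """Return sorted (finding, rule) pairs. MISSING: baseline rule not running;
    UNAUTHORIZED: running rule outside baseline with no approved change ticket;
    UNBASELINED: approved but not yet in the baseline document (stale standard);
    PERMISSIVE: allow rule with 'any' source, destination or port."""
    baseline = parse_rules(baseline_text)
    running = parse_rules(running_text)
    findings = [("MISSING", " ".join(r)) for r in baseline if r not in running]
    for rule, ticket in running.items():
        text = " ".join(rule)
        if rule not in baseline:
            kind = "UNBASELINED" if ticket in approved_tickets else "UNAUTHORIZED"
            findings.append((kind, text))
        if rule.action == "allow" and "any" in rule[:3]:
            findings.append(("PERMISSIVE", text))
    return sorted(findings)

BASELINE = """\
10.1.0.0/24 10.2.0.10 443 allow   # CHG-1001
10.1.0.0/24 10.2.0.11 1433 allow  # CHG-1001
any any any deny                  # CHG-1001
"""
RUNNING = """\
10.1.0.0/24 10.2.0.10 443 allow   # CHG-1001
192.168.5.7 10.2.0.11 22 allow    # CHG-1042
any 10.2.0.10 any allow
any any any deny                  # CHG-1001
"""
APPROVED_TICKETS = {"CHG-1001", "CHG-1042"}
if __name__ == "__main__":
    for kind, rule in check_drift(BASELINE, RUNNING, APPROVED_TICKETS):
        print(f"{kind:12} {rule}")
```

Run on a schedule against the exported ruleset, an UNBASELINED finding is a prompt to update the configuration standard, while UNAUTHORIZED and PERMISSIVE findings are the Control 1.1 deviations to correct.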

  • Requirement 1: Install and maintain network security controls

    The goal

    The goal of PCI DSS Key Requirement 1 is to maintain reliable and sustainable operation and management of network security controls across the in-scope environment, delivering consistent and effective network and application access control to and from the CDE by restricting access to authorized users and systems only, and to support ongoing monitoring and detection of security events and response to incidents.

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    This goal applies to all people (internal and external) involved in the evaluation, implementation, operation and management of any in-scope network security component, i.e., all logical (IT) and physical security control components required to restrict network access to and from the CDE.

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Capacity: Maintain the capacity needed for qualified security administrators to proactively and correctly configure, monitor and maintain the security controls in accordance with the intent of the related PCI DSS control objectives
    • Competence: Maintain the competency to evaluate, install and maintain all network security controls across the in-scope environment in an effective, reliable and sustainable manner
    • Capability: Test and measure the consistency and effectiveness of the ongoing restriction of network access to and from the CDE, to limit access to authorized users and systems only, to support monitoring and detection of security events and response to incidents (the team capability)
    • Technology: Maintain modern, up-to-date hardware and software components, and replace outdated technologies across the control environment; automation of change control
    • Documentation and processes: Maintain effective standard operating procedures, with clearly articulated standards, roles and responsibilities. Regularly train and educate staff on how to follow the documented procedures. Frequent internal monitoring and reporting of adherence to standards and procedures

    Strong dependencies and integration with other key requirements

    • Requirement 10: Logging and monitoring of network security control components
    • Requirement 2: Secure configuration of network security controls
    • Requirement 6: Hardening of network security components
    • Requirement 11: Testing of network security components

    Short-term objectives

    • Scope: Install and maintain access control equipment that covers the entire CDE in accordance with documented standards and procedures. Validate the sufficiency (accuracy and completeness) of the scope
    • Update: Replace or update IT components that lack the functionality and capability to provide effective network security control
    • Change control: Enhance automation of configuration deployment and change control management

    Long-term objectives

    • Improve: Improve and refine configurations and support processes, integration, documentation and training
    • Maturity: Achieve and maintain high-capability maturity and performance on all security control operations, with low deviation from configuration standards and high capability for the rapid detection and correction of configuration deviations across the CDE

    Common constraints

    • Capacity: Insufficient capacity of security control administration personnel to manage security component deployment, configuration, monitoring and maintenance tasks with sufficient performance
    • Cost: Lack of budget to update outdated technology and/or increase staff capacity
    • Competency: Lack of staff qualified to configure, operate and manage network security components
    • Note: The GRC2 template sample in the table above is explained on page 86 of this report.