Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Many parts of Requirement 1, such as wireless network or router setup, do not relate directly to WebSphere Commerce, but the requirements that concern site topology are extremely important. The WebSphere Commerce site must be constructed so that cardholder data is never stored on internet-accessible systems. Additionally, WebSphere Commerce sites should always use firewalls to separate themselves from the internet, from internal networks, and from any other system that is accessible from the internet. Refer directly to the PCI DSS for details on this requirement.

To meet Requirement 1, WebSphere Commerce must be configured in three tiers: the Web server cannot be on the same machine as the cardholder data, as shown in the following diagram. This configuration is described further in the following topics:

Important network setup notes: Although not related directly to WebSphere Commerce, the following requirements from Section 1 of the PCI DSS are critical aspects of network setup:

  1. Section 1 of the PCI DSS requires that customers and resellers/integrators use a firewall or a personal firewall product if the computer is connected using VPN or other high-speed connections, in order to secure these "always-on" connections.

  2. If a wireless network is in place, install a firewall between the wireless network and the cardholder data system as per PCI DSS Requirement 1.2.3:

    Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
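The three-tier constraint above (Web server never co-located with cardholder data, cardholder data never on an internet-accessible system) and the wireless rule from Requirement 1.2.3 can both be checked mechanically against a proposed topology before it is built. The following audit script is an added example written for this page, not IBM or WebSphere Commerce code: the zone names (internet, dmz, app, data, wireless), host names, role labels and port numbers are constructed for illustration, and the "three hops" threshold is this example's encoding of the three-tier requirement.

```python
"""Audit a proposed network topology against the Requirement 1 constraints.

Added example, not IBM code: zone names, host names, roles and ports are
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed zone names. "dmz" is the internet-facing tier holding the Web
# server; "data" is the cardholder data environment.
INTERNET_ACCESSIBLE_ZONES = {"internet", "dmz"}
# Sources that must never be admitted straight into the cardholder data
# environment: the internet, and wireless networks per PCI DSS 1.2.3.
UNTRUSTED_SOURCE_ZONES = {"internet", "wireless"}
# Three tiers: internet traffic crosses at least three firewall-controlled
# hops (internet -> Web tier -> application tier -> data tier).
MIN_HOPS_INTERNET_TO_DATA = 3


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    roles: frozenset  # subset of {"web_server", "app_server", "cardholder_data"}


@dataclass(frozen=True)
class Rule:
    """A firewall allow rule between two zones on one TCP port."""
    src_zone: str
    dst_zone: str
    port: int


def hops_from(start, rules):
    """Breadth-first search over allow rules: fewest permitted hops from
    `start` to every reachable zone."""
    dist = {start: 0}
    frontier = [start]
    while frontier:
        nxt = []
        for zone in frontier:
            for r in rules:
                if r.src_zone == zone and r.dst_zone not in dist:
                    dist[r.dst_zone] = dist[zone] + 1
                    nxt.append(r.dst_zone)
        frontier = nxt
    return dist


def audit_topology(hosts, rules):
    """Return a list of violation strings; an empty list means the topology
    satisfies the Requirement 1 constraints modelled here."""
    violations = []
    chd_zones = {h.zone for h in hosts if "cardholder_data" in h.roles}
    web_zones = {h.zone for h in hosts if "web_server" in h.roles}

    for h in hosts:
        # The Web server cannot be on the same machine as cardholder data.
        if {"web_server", "cardholder_data"} <= h.roles:
            violations.append(f"{h.name}: Web server co-located with cardholder data")
        # Cardholder data must never be stored on an internet-accessible system.
        if "cardholder_data" in h.roles and h.zone in INTERNET_ACCESSIBLE_ZONES:
            violations.append(f"{h.name}: cardholder data in internet-accessible zone '{h.zone}'")

    for r in rules:
        # Internet or wireless traffic must not flow straight into the
        # cardholder data environment (PCI DSS 1.2.3).
        if r.src_zone in UNTRUSTED_SOURCE_ZONES and r.dst_zone in chd_zones:
            violations.append(f"rule {r.src_zone}->{r.dst_zone}:{r.port} admits {r.src_zone} into the cardholder data environment")
        # The Web tier must go through the application tier, never to the data tier directly.
        if r.src_zone in web_zones and r.dst_zone in chd_zones:
            violations.append(f"rule {r.src_zone}->{r.dst_zone}:{r.port} lets the Web tier reach cardholder data directly")

    # Three-tier check: the shortest permitted path from the internet to any
    # cardholder data zone must cross at least three firewall hops.
    dist = hops_from("internet", rules)
    for zone in sorted(chd_zones):
        if zone in dist and dist[zone] < MIN_HOPS_INTERNET_TO_DATA:
            violations.append(f"zone '{zone}' is {dist[zone]} hop(s) from the internet; three tiers required")
    return violations


def compliant_topology():
    """Constructed three-tier layout; ports are illustrative only."""
    hosts = [
        Host("web1", "dmz", frozenset({"web_server"})),
        Host("app1", "app", frozenset({"app_server"})),
        Host("db1", "data", frozenset({"cardholder_data"})),
    ]
    rules = [
        Rule("internet", "dmz", 443),
        Rule("dmz", "app", 9080),
        Rule("app", "data", 50000),
        Rule("wireless", "dmz", 443),  # wireless users reach only the Web tier
    ]
    return hosts, rules


def noncompliant_topology():
    """Constructed layout that collapses the Web and data tiers onto one
    internet-facing machine."""
    hosts = [
        Host("web-db-1", "dmz", frozenset({"web_server", "cardholder_data"})),
        Host("app1", "app", frozenset({"app_server"})),
    ]
    rules = [
        Rule("internet", "dmz", 443),
        Rule("dmz", "app", 9080),
        Rule("wireless", "dmz", 443),
    ]
    return hosts, rules


if __name__ == "__main__":
    for label, topo in (("compliant", compliant_topology()), ("non-compliant", noncompliant_topology())):
        print(label, audit_topology(*topo) or "OK")
```

The hop-count check is what turns "three tiers" into something testable: a single allow rule from the internet or a wireless zone into the data zone, or a Web tier that talks to the database directly, shortens the path and is reported alongside the co-location findings. Real deployments would feed the script from exported firewall policy rather than hand-written rules.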
