Network change and control helps demonstrate PCI DSS requirements
The PCI Security Council recognizes that network security is not a destination but a process, and that the ability to reliably control the security of the network is dependent upon the establishment of solid change control processes. Network change policies should be clearly documented, easily accessible to users responsible for daily management of the network, and regularly reviewed and approved by management.
Change processes should include validity checks and management approval for all outgoing changes, and change verification and compliance checks after a change has been made. It’s not enough for an auditor to see that a device has been configured correctly, or even that a set of written procedures exists. To verify that an appropriate change control process is in place, the auditor will want to see evidence that the documented process has been followed on a daily basis.
Beyond describing the change control processes that must be in place, PCI also requires the existence of specific network device configurations such as access-lists and strong encryption. Border routers and firewalls should be configured with explicit access-lists allowing communication only across standard ports which serve a valid business purpose.
Network managers must rotate passwords regularly and ensure that no device is ever deployed on the network with vendor-supplied default passwords in place. Any network path that carries cardholder data must be protected with strong encryption; otherwise the organization faces the $5,000 to $25,000 fines mentioned earlier.
With 12 chapters and more than 170 individual requirements, planning for compliance with the DSS is a challenge. Automating the change control and configuration process eases the network manager's burden by providing a structured approach to implementing the DSS. Such a solution should offer advice and best-practice documentation in the context of the individual DSS requirements, making it easy for managers to determine which steps must be taken to comply with the standard.
Change control processes should be documented and stored so that engineers and managers can access the process documentation on a daily basis. An automated change control solution can facilitate this by letting the network manager place the company's established policies alongside the individual PCI requirements and vendor best-practice documentation.
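The post-change verification and configuration checks the article describes, as an added example that is not from the article, the PCI Council, or any vendor's product: a small Python check that reads a constructed, IOS-style configuration subset, flags vendor-default credentials, permit rules with no port restriction, ports outside a hypothetical approved-business-purpose list, and cleartext protocols, and records the result together with the change ticket reference so that the run itself is the evidence an auditor asks for. The configuration syntax, the approved and cleartext port lists, the default-password list, and the ticket format are all assumptions made for this example.

```python
"""Post-change compliance check for a simplified router/firewall configuration.

Added example, not from the article or any vendor. The config syntax is a
constructed IOS-like subset; every list below is hypothetical.
"""
import re
from dataclasses import dataclass

# Hypothetical: ports with a documented business purpose in the cardholder environment.
APPROVED_PORTS = {
    443: "HTTPS to payment gateway",
    22: "SSH device management",
}
# Constructed list of cleartext protocols that must never carry cardholder data.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}
# Constructed sample of vendor-default credential strings the check rejects.
DEFAULT_PASSWORDS = {"admin", "password", "cisco", "default"}

# Matches e.g. "access-list 101 permit tcp any host 10.0.0.5 eq 443"
ACL_RE = re.compile(
    r"^access-list\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\d+))?\s*$"
)
# Matches e.g. "username admin password cisco"
USER_RE = re.compile(r"^username\s+(?P<user>\S+)\s+password\s+(?P<pw>\S+)\s*$")


@dataclass
class Finding:
    line_no: int   # 1-based line in the checked configuration
    rule: str      # short identifier of the violated check
    detail: str    # human-readable explanation for the change record


def check_config(config_text: str) -> list[Finding]:
    """Return every PCI-relevant defect found in a configuration."""
    findings: list[Finding] = []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = USER_RE.match(line)
        if m:
            if m["pw"].lower() in DEFAULT_PASSWORDS:
                findings.append(Finding(n, "default-credential",
                                        f"user {m['user']} uses a vendor-default password"))
            continue
        m = ACL_RE.match(line)
        if m and m["action"] == "permit":
            if m["port"] is None:
                findings.append(Finding(n, "acl-no-port",
                                        f"ACL {m['id']} permits {m['proto']} with no port restriction"))
                continue
            port = int(m["port"])
            if port in CLEARTEXT_PORTS:
                findings.append(Finding(n, "cleartext-path",
                                        f"port {port} ({CLEARTEXT_PORTS[port]}) is an unencrypted protocol"))
            elif port not in APPROVED_PORTS:
                findings.append(Finding(n, "acl-unapproved-port",
                                        f"port {port} has no documented business purpose"))
    return findings


def verify_change(before: str, after: str, ticket_id: str) -> dict:
    """Build the evidence record an auditor asks for: what changed, under which
    approval reference, and whether the resulting configuration still complies."""
    before_lines = set(before.splitlines())
    added = [l for l in after.splitlines() if l and l not in before_lines]
    findings = check_config(after)
    approved = bool(ticket_id.strip())  # hypothetical: a non-empty ticket id stands for management approval
    return {
        "ticket": ticket_id,
        "approved": approved,
        "added_lines": added,
        "findings": findings,
        "compliant": approved and not findings,
    }


# Constructed before/after configurations for a border router.
BEFORE_CONFIG = """\
hostname border-rtr-1
username netops password S3cure!Rotated-2013Q2
access-list 101 permit tcp any host 10.0.0.5 eq 443
access-list 101 permit tcp host 10.0.1.10 host 10.0.0.5 eq 22
access-list 101 deny ip any any
"""
AFTER_CONFIG = """\
hostname border-rtr-1
username netops password S3cure!Rotated-2013Q2
username admin password cisco
access-list 101 permit tcp any host 10.0.0.5 eq 443
access-list 101 permit tcp host 10.0.1.10 host 10.0.0.5 eq 22
access-list 101 permit tcp any host 10.0.0.5 eq 23
access-list 101 permit tcp any host 10.0.0.5 eq 8080
access-list 101 permit ip any any
access-list 101 deny ip any any
"""

if __name__ == "__main__":
    rec = verify_change(BEFORE_CONFIG, AFTER_CONFIG, "CHG-0001")  # hypothetical ticket id
    print(f"ticket {rec['ticket']}: compliant={rec['compliant']}, {len(rec['added_lines'])} lines added")
    for f in rec["findings"]:
        print(f"  line {f.line_no}: [{f.rule}] {f.detail}")
```

Run against the constructed pair, the check reports four findings on the changed configuration (a default credential, a Telnet path, an unapproved port, and a permit-any rule) and marks the change non-compliant even though it carries a ticket reference; the same configuration submitted without a ticket is rejected on the approval check alone, which is the "evidence the process was followed" the article says an auditor looks for.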