Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Many parts of requirement 1 such as your wireless network or router setup do not directly relate to HCL Commerce, but the requirements that relate to your site topology are extremely important. You must construct your HCL Commerce site so that you never store cardholder data on internet-accessible systems. Additionally, HCL Commerce sites should always use firewalls to separate themselves from the internet, internal networks, and any other system that is accessible to the internet. Refer directly to the PCI DSS for details on this requirement.

To meet requirement 1, you must configure HCL Commerce in 3 tiers. The Web server cannot be on the same machine as the cardholder data, as shown in the following diagram:
HCL Commerce in a 3-tier configuration.
This configuration is described further in the following topics:
Important network setup notes:
While not related directly to HCL Commerce, the following requirements from Section 1 are considered critical aspects of network setup:
  1. Section 1 of the PCI DSS requires that customers and resellers/integrators use a firewall, or a personal firewall product, on any computer connected using VPN or other high-speed connections, in order to secure these "always-on" connections.
  2. If a wireless network is in place, install a firewall between the wireless network and the cardholder data system as per PCI DSS Requirement 1.2.3:

    Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
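The 3-tier rule above (web server never on the same machine as cardholder data, nothing holding cardholder data reachable from the internet) and Requirement 1.2.3 (a perimeter firewall between wireless and the cardholder data environment, with wireless traffic denied by default) are both checkable against a topology model. The following is an added example, not HCL Commerce product code or text from the PCI DSS: it models zones, hosts and a zone-to-zone firewall allowlist as plain data and reports every violation it finds. Host names, zone names and port numbers are constructed for illustration.

```python
"""Audit a site topology model against the Requirement 1 constraints above.
Added example; zone names, host names and ports are constructed."""
from dataclasses import dataclass, field

INTERNET = "internet"   # the untrusted zone
WIRELESS = "wireless"   # any wireless network on the premises
ANY = "any"             # sentinel: rule allows every port (no control at all)


@dataclass(frozen=True)
class Host:
    name: str
    zone: str             # network segment the machine sits in
    roles: frozenset      # e.g. {"web"}, {"app"}, {"cardholder-data"}


@dataclass
class Policy:
    """Zone-to-zone allowlist; any (src, dst) pair not listed is denied."""
    allow: dict = field(default_factory=dict)     # (src, dst) -> set of ports or ANY
    firewalled: set = field(default_factory=set)  # frozenset({zone_a, zone_b}) pairs

    def reachable(self, src, dst):
        ports = self.allow.get((src, dst), set())
        return ports == ANY or bool(ports)


def audit(hosts, policy):
    """Return human-readable violations; an empty list means every check passed."""
    findings = []
    cde_zones = {h.zone for h in hosts if "cardholder-data" in h.roles}

    for h in hosts:
        # Cardholder data must never sit on an internet-accessible system.
        if "cardholder-data" in h.roles and policy.reachable(INTERNET, h.zone):
            findings.append(f"{h.name}: cardholder data in zone '{h.zone}' is reachable from the internet")
        # Web tier and data tier must be separate machines (3-tier layout).
        if {"web", "cardholder-data"} <= h.roles:
            findings.append(f"{h.name}: web server and cardholder data share one machine")

    # Every zone must be separated from the internet by a firewall.
    for zone in sorted({h.zone for h in hosts}):
        if frozenset({INTERNET, zone}) not in policy.firewalled:
            findings.append(f"zone '{zone}': no firewall between it and the internet")

    # Requirement 1.2.3: perimeter firewall between wireless and the CDE,
    # with wireless traffic denied or restricted to specific ports.
    for zone in sorted(cde_zones):
        if frozenset({WIRELESS, zone}) not in policy.firewalled:
            findings.append(f"zone '{zone}': no firewall between wireless and the cardholder data environment")
        if policy.allow.get((WIRELESS, zone)) == ANY:
            findings.append(f"zone '{zone}': wireless traffic into the cardholder data environment is unrestricted")
    return findings


def compliant_topology():
    """Constructed 3-tier layout: web server in a DMZ, application server in a
    middle tier, database holding cardholder data in a back-end tier."""
    hosts = [
        Host("web01", "dmz", frozenset({"web"})),
        Host("app01", "app", frozenset({"app"})),
        Host("db01", "data", frozenset({"cardholder-data"})),
    ]
    policy = Policy(
        allow={
            (INTERNET, "dmz"): {443},   # shoppers reach only the web tier
            ("dmz", "app"): {8443},     # web tier forwards to the app tier (constructed port)
            ("app", "data"): {50000},   # app tier talks to the database (constructed port)
            # wireless -> data intentionally absent: default deny
        },
        firewalled={
            frozenset({INTERNET, "dmz"}), frozenset({INTERNET, "app"}),
            frozenset({INTERNET, "data"}), frozenset({"dmz", "app"}),
            frozenset({"app", "data"}), frozenset({WIRELESS, "data"}),
        },
    )
    return hosts, policy


def flat_topology():
    """Constructed counter-example: web server and cardholder data on one
    internet-facing host, wireless allowed straight in with no restriction."""
    hosts = [Host("allinone", "dmz", frozenset({"web", "cardholder-data"}))]
    policy = Policy(allow={(INTERNET, "dmz"): {443}, (WIRELESS, "dmz"): ANY},
                    firewalled={frozenset({INTERNET, "dmz"})})
    return hosts, policy


if __name__ == "__main__":
    for label, build in (("3-tier", compliant_topology), ("flat", flat_topology)):
        print(label, audit(*build()) or ["no violations"])
```

The model is deliberately allowlist-based: a zone pair with no entry is denied, which is the "deny or control" posture the requirement asks for, and the `ANY` sentinel exists only so that an unrestricted wireless rule can be flagged. Running the script lists no violations for the 3-tier layout and four for the flat one.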