PCI DSS Requirement 1

Install and maintain a firewall configuration to protect cardholder data
1.1 Establish firewall and router configuration standards.
1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.3.1 Restricting inbound Internet traffic to internet protocol (IP) addresses within the DMZ (ingress filters)
1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ
1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only "established" connections are allowed into the network)
1.3.4 Perimeter Security
1.3.5 – 1.3.9 Specific firewall-related requirements
1.4 Prohibit direct public access between external networks and any system component that stores cardholder data.
1.4.1 Implement a DMZ to filter and screen all traffic to prohibit direct routes for inbound and outbound Internet traffic
1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ
1.5 Implement IP address masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT)
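As an added example that is not part of the PCI DSS text above, the following Python model encodes the 1.3.x, 1.4.x and 1.5 rules as a default-deny packet policy and evaluates a set of constructed flows against it, reporting which clause decided each one. The interface names, address ranges, public NAT address and the single exposed DMZ service are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Zones, addresses and the exposed service are constructed for this example.
DMZ_NET = ip_network("203.0.113.0/24")   # public-facing DMZ (documentation range)
CDE_NET = ip_network("10.10.0.0/16")     # cardholder data environment
WAN_ADDR = ip_address("198.51.100.1")    # firewall's public address used for NAT (1.5)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_SERVICES = {443}                      # only service the DMZ accepts from the Internet

def is_private(addr):
    return any(addr in net for net in RFC1918)

def decide(iif, src, dst, dport, state="new"):
    """Verdict for one packet arriving on interface iif; default policy is drop.
    Returns (verdict, requirement) so an audit can show which clause applied."""
    src, dst = ip_address(src), ip_address(dst)
    if state == "established":
        return "accept", "1.3.3"          # stateful: replies to existing connections pass
    if iif == "wan":
        if is_private(src):
            return "drop", "1.3.2"        # internal address arriving from the Internet
        if dst in DMZ_NET and dport in DMZ_SERVICES:
            return "accept", "1.3.1"      # inbound Internet traffic only to DMZ hosts
        return "drop", "1.3"              # no direct public path to the CDE (or anything else)
    if iif == "cde":
        if dst in DMZ_NET:
            return "accept", "1.4.2"      # CDE may only send outbound to the DMZ
        return "drop", "1.4.2"
    return "drop", "default"

def translate_source(oif, src):
    """1.5: private source addresses leaving on the WAN side are rewritten to WAN_ADDR."""
    src = ip_address(src)
    return WAN_ADDR if oif == "wan" and is_private(src) else src

# Constructed flows, one per clause: (ingress interface, src, dst, dport, state).
FLOWS = [
    ("wan", "192.0.2.7", "203.0.113.10", 443, "new"),           # customer -> DMZ web
    ("wan", "192.0.2.7", "10.10.5.20", 443, "new"),             # customer -> CDE directly
    ("wan", "10.10.5.20", "203.0.113.10", 443, "new"),          # spoofed internal source
    ("wan", "192.0.2.7", "203.0.113.10", 22, "new"),            # service the DMZ does not expose
    ("cde", "10.10.5.20", "203.0.113.10", 8443, "new"),         # CDE -> DMZ application tier
    ("cde", "10.10.5.20", "192.0.2.7", 443, "new"),             # CDE -> Internet directly
    ("dmz", "203.0.113.10", "10.10.5.20", 443, "established"),  # reply on an existing flow
]

def audit(flows=FLOWS):
    """Evaluate every flow and return (flow, verdict, requirement) triples."""
    return [(f, *decide(*f)) for f in flows]
```

Running `audit()` against a real ruleset export in the same shape gives a quick check that each clause in 1.3 and 1.4 has a rule enforcing it before an assessor does the same by hand.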

Network Segmentation

Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:

  • The scope of the PCI DSS assessment
  • The cost of the PCI DSS assessment
  • The cost and difficulty of implementing and maintaining PCI DSS controls
  • The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)

Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.

An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the storage, processing or transmission of cardholder data. Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data, may require reengineering of long-standing business practices.

Documenting cardholder data flows via a dataflow diagram helps an organization fully understand all cardholder data flows and ensures that any network segmentation is effective at isolating the cardholder data environment.

If network segmentation is in place and being used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment. At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network’s configuration, the technologies deployed, and other controls that may be implemented.

Appendix D: Segmentation and Sampling of Business Facilities/System Components provides more information on the effect of network segmentation and sampling on the scope of a PCI DSS assessment.