PCI DSS Requirement 1.3.2: Limit Inbound Internet Traffic
What’s in PCI Requirement 1.3.2?
PCI Requirement 1.3.2 states, “Limit inbound Internet traffic to IP addresses within the DMZ and examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ.” PCI Requirement 1.3.2 requires that where your organization has established rules based on the list of approved protocols, ports, and services (from Requirement 1.1.6), traffic is stopped within the DMZ and it’s vetted against a set of appropriate rules before it’s allowed to traverse into your cardholder data environment (CDE). This doesn’t necessarily mean that the traffic originating from outside of your environment can’t eventually get into the CDE for some reason, for example, if you needed inbound traffic for processing. The purpose is to limit traffic to that which is necessary, and is authorized.
PCI DSS Requirement 1.3.2
We need to limit the inbound traffic from the Internet into your DMZ. This doesn’t necessarily mean that the traffic originating from outside of your environment can’t eventually get into the CDE for some reason, if you needed inbound traffic for processing or something of that nature. What it effectively means is that where we’ve established rules based on those protocols, ports, and services, we want to make sure that the traffic is stopped somehow within the DMZ and it’s vetted against a set of appropriate rules before it’s allowed to traverse into your Cardholder Data Environment.