PCI DSS Requirement 1.4: Install Personal Firewall Software

by KirkpatrickPrice / December 22, 2022

Unpacking PCI Requirement 1.4

PCI Requirement 1.4 states, “Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.” PCI DSS v3.2 explains that portable computing devices that are allowed to connect to the Internet from outside the corporate firewall are…

PCI DSS Requirement 1.3.7: Do Not Disclose Private IP Addresses

by KirkpatrickPrice / December 22, 2022

What is PCI Requirement 1.3.7?

The goal of your organization is to make it as difficult as possible for someone to hack into your environment. Disclosing the IP addresses you have within your internal environment is one of the things we, as assessors, look for to help you achieve that goal. Jeff Wilder discusses PCI DSS Requirement 1.3.7 and not disclosing private IP addresses. PCI Requirement 1.3.7 states, “Do not…

PCI DSS Requirement 1.3.6: Segregate the CDE from the DMZ

by KirkpatrickPrice / December 22, 2022

What's in PCI Requirement 1.3.6?

To meet PCI Requirement 1.3.6, your organization must not store cardholder data within the DMZ. PCI Requirement 1.3.6 states, “Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.” PCI Requirement 1.3.6 also says, “Examine firewall and router configurations to verify that system components that store cardholder data are on an…

PCI DSS Req 1.3.5: Permit Only Established Connections into the Network

by KirkpatrickPrice / February 7, 2023

PCI DSS Requirement 1.3.5 says, “Permit only ‘established’ connections into the network.” The testing procedures for this requirement state that your assessor is to examine your firewall and router configurations to verify that only established connections are permitted into the internal network, and that any inbound connections not associated with a previously established session are denied. In years past, this configuration setting was called “stateful inspection,” also known as dynamic…

PCI DSS Requirement 1.3.4: Deny Unauthorized Outbound Traffic

by KirkpatrickPrice / December 22, 2022

Understanding PCI Requirement 1.3.4

One of the most important things you can do as an organization to harden your environment is to limit the outbound traffic from your cardholder data environment (CDE), or from any environment you consider sensitive, to the Internet. This outbound traffic should be limited to only that which is necessary to support your business. If you do need internet access for business purposes, that…