Blog

PCI DSS Requirement 1.5: Ensure Security Policies are Known to all Affected Parties

by KirkpatrickPrice / December 22, 2022

Examining PCI Requirement 1.5 At the end of each of the PCI DSS v3.2 Requirements, we have what we like to call a “capstone.” At the end of Requirement 1, there is PCI Requirement 1.5. It states, “Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.” PCI Requirement 1.5 is not only saying that your organization needs to maintain…

PCI DSS Requirement 1.4: Install Personal Firewall Software

by KirkpatrickPrice / December 22, 2022

Unpacking PCI Requirement 1.4 PCI Requirement 1.4 states, “Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.” PCI DSS v3.2 explains that portable computing devices that are allowed to connect to the Internet from outside the corporate firewall are…

PCI DSS Requirement 1.3.7: Do Not Disclose Private IP Addresses

by KirkpatrickPrice / December 22, 2022

What is PCI Requirement 1.3.7? The goal of your organization is to make it as difficult as possible for someone to hack into your environment. Disclosing the IP addresses you have within your internal environment are one of the things we, as assessors, look for to help you to achieve that goal. Jeff Wilder discusses PCI DSS Requirement 1.3.7, and not disclosing private IP addresses. PCI Requirement 1.3.7 states, “Do not…

PCI DSS Requirement 1.3.6: Segregate the CDE from the DMZ

by KirkpatrickPrice / December 22, 2022

What's in PCI Requirement 1.3.6? To meet PCI Requirement 1.3.6, your organization must not store cardholder data within the DMZ. PCI Requirement 1.3.6 states, “Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.” PCI Requirement 1.3.6 also says, “Examine firewall and router configurations to verify that system components that store cardholder data are on an…

PCI DSS Req 1.3.5: Permit Only Established Connections into the Network

by KirkpatrickPrice / February 7, 2023

PCI DSS Requirement 1.3.5 says to, “Permit only ‘established’ connections into the network.” The testing procedures for this requirement state that your assessor is to examine your firewall and router configurations to verify that only established connections are permitted into the internal network, and any inbound connections not associated with any previously established sessions, be denied. In years past, this configuration setting was called “stateful inspection,” also known as dynamic…

PCI DSS Requirement 1.5: Ensure Security Policies are Known to all Affected Parties

PCI DSS Requirement 1.4: Install Personal Firewall Software

PCI DSS Requirement 1.3.7: Do Not Disclose Private IP Addresses

PCI DSS Requirement 1.3.6: Segregate the CDE from the DMZ

PCI DSS Req 1.3.5: Permit Only Established Connections into the Network

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.