Introduction to PCI Requirement 2

by Randy Bartels / April 12, 2023

What is PCI Requirement 2? PCI Requirement 2 mandates, “Do not use vendor-supplied defaults for system passwords and other security parameters.” Were you aware that vendor-supplied default passwords and settings are well-known among the hacker community? PCI Requirement 2 was created to fight the malicious individuals who try to compromise systems with the vendor-supplied default information. PCI Requirement 2 focuses on hardening your organization’s systems and assets. We’re here to…

PCI DSS Requirement 1.5: Ensure Security Policies are Known to all Affected Parties

by KirkpatrickPrice / December 22, 2022

Examining PCI Requirement 1.5 At the end of each of the PCI DSS v3.2 Requirements, we have what we like to call a “capstone.” At the end of Requirement 1, there is PCI Requirement 1.5. It states, “Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.” PCI Requirement 1.5 is not only saying that your organization needs to maintain…

PCI DSS Requirement 1.4: Install Personal Firewall Software

by KirkpatrickPrice / December 22, 2022

Unpacking PCI Requirement 1.4 PCI Requirement 1.4 states, “Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.” PCI DSS v3.2 explains that portable computing devices that are allowed to connect to the Internet from outside the corporate firewall are…

PCI DSS Requirement 1.3.7: Do Not Disclose Private IP Addresses

by KirkpatrickPrice / December 22, 2022

What is PCI Requirement 1.3.7? The goal of your organization is to make it as difficult as possible for someone to hack into your environment. Disclosing the IP addresses you have within your internal environment is one of the things we, as assessors, look for to help you achieve that goal. Jeff Wilder discusses PCI DSS Requirement 1.3.7 and not disclosing private IP addresses. PCI Requirement 1.3.7 states, “Do not…

PCI DSS Requirement 1.3.6: Segregate the CDE from the DMZ

by KirkpatrickPrice / December 22, 2022

What's in PCI Requirement 1.3.6? To meet PCI Requirement 1.3.6, your organization must not store cardholder data within the DMZ. PCI Requirement 1.3.6 states, “Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.” PCI Requirement 1.3.6 also says, “Examine firewall and router configurations to verify that system components that store cardholder data are on an…