PCI DSS Req 1.3.5: Permit Only Established Connections into the Network

by KirkpatrickPrice / February 7, 2023

PCI DSS Requirement 1.3.5 says to, “Permit only ‘established’ connections into the network.” The testing procedures for this requirement state that your assessor is to examine your firewall and router configurations to verify that only established connections are permitted into the internal network, and that any inbound connection not associated with a previously established session is denied. In years past, this configuration setting was called “stateful inspection,” also known as dynamic…

PCI DSS Requirement 1.3.4: Deny Unauthorized Outbound Traffic

by KirkpatrickPrice / December 22, 2022

Understanding PCI Requirement 1.3.4

One of the most important things you can do as an organization to harden your environment is to limit the outbound traffic from your cardholder data environment (CDE), or from any environment you consider sensitive, to the Internet. This outbound traffic should be limited only to that which is necessary to support your business. If you do need Internet access for business purposes, that…

PCI DSS Requirement 1.3.3: Implement Anti-Spoofing Measures

by KirkpatrickPrice / December 19, 2022

PCI DSS Requirement 1.3.3 requires that organizations, “implement anti-spoofing measures to detect and block forged source IP addresses from entering a network.” Assessors will be looking at your firewall and router configurations to verify that anti-spoofing measures are implemented. There are several types of spoofing attacks, but in general, a spoofing attack is a situation in which “a malicious party impersonates another device or user on a network in order…

PCI DSS Requirement 1.3.2: Limit Inbound Internet Traffic

by KirkpatrickPrice / December 22, 2022

What's in PCI Requirement 1.3.2?

PCI Requirement 1.3.2 states, “Limit inbound Internet traffic to IP addresses within the DMZ and examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ.” PCI Requirement 1.3.2 requires that where your organization has established rules based on the list of approved protocols, ports, and services (from Requirement 1.1.6), traffic is stopped within the DMZ and…

PCI DSS Requirement 1.3.1: Establishing a DMZ

by KirkpatrickPrice / December 22, 2022

Understanding PCI Requirement 1.3.1

PCI DSS Requirement 1.3.1 requires that you, as an organization, develop and implement a DMZ, otherwise known as a demilitarized zone.

What is the PCI DSS DMZ?

The PCI DSS requirements often refer to DMZs, or demilitarized zones. A DMZ is a sub-network that separates the internal network, in this instance your CDE, from all other untrusted sources. The DMZ should be a place where your…