What is PCI Requirement 1.2.3?
Requirement 1.2.3 requires that organizations, “Install perimeter firewalls between all wireless networks and the Cardholder Data Environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.” So, what exactly does that mean? Requirement 1.2.3 is saying that your organization must install a firewall between any wireless network or device and your CDE. The purpose of Requirement 1.2.3 is to ensure that if an attacker should compromise your wireless network or device, only inbound and outbound protocols, ports, and services that have been previously authorized are allowed. Remember Requirement 1.1.6? That list you’ve made of management-approved protocols, ports, and services? That list that is one of the most important documents? That list that is the basis of many other requirements? You guessed it: you’ll need it again for Requirement 1.2.3. Assessors look to see that your organization is providing as must security as possible to your CDE, especially wherever wireless networks and devices exist.
PCI DSS Requirement 1.2.3
Requirement 1.2.3 requires that we install a firewall between any wireless and device and your cardholder data environment. The purpose for this is that if somebody should somehow compromise your wireless device, we want to make sure that only inbound and outbound ports and services that are authorized are allowed. We want to make sure that we provide as much possible security from all aspects into and out of your cardholder data environment, wherever wireless is being used.
Looking at this requirement, Requirement 1.2.3, it establishes the need to have a firewall there. When we look at that list of authorized protocols, ports, and services that we’ve talked about in Requirement 1.1.6, we’re going to look for the wireless protocols, ports, and services that you’re allowing in and out of the wireless.
As an organization, you may not have wireless that you’re using to transmit cardholder data, and that’s perfectly fine. But if you do have wireless, chances are wireless is in-scope of the assessment. As assessors, we often find that where wireless exists within the environment, your network or administration staff are using their laptops to connect into that environment per management.