Acceptable Network Locations
Your usage policies, as stated in PCI Requirement 12.3.6, should detail acceptable network locations for the technology at your organization. The PCI DSS explains that by defining acceptable network locations, your organization will be better equipped to manage and control gaps in configurations and operational controls, ensuring that a back door is not opened for attackers.
To test compliance with PCI Requirement 12.3.6, an assessor will need to examine your usage policies to ensure that they define acceptable network locations for the technology at your organization.
PCI Requirement 12.3.6 is an acceptable use requirement that defines acceptable network locations for the technology that you’ve implemented. Think about this: you’ve spent millions of dollars developing a security program, and yet somebody circumvents it by storing credit card data out in your DMZ. From an acceptable use perspective, we look to see that you have network locations and where things can be installed. Ideally, we see this in your classification policy, but if it’s not there, that’s quite all right. As long as it’s defined, we’re going to be okay with this part of the assessment.