PCI DSS Requirement 1.2.1: Restrict Traffic to that which is Necessary
What is PCI Requirement 1.2.1?
PCI DSS Requirement 1.2.1 focuses around organizations developing policies and procedures that restrict traffic to that which is absolutely necessary, both inbound and outbound, for business purposes. PCI Requirement 1.2.1 states, “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.” The goal of PCI Requirement 1.2.1 is to limit traffic to only essential, required protocols, ports, or services and have business justification for those required elements.
As an assessor, we’re not looking to define your business justification; we’re looking to see that you’ve done your due diligence to decide that a protocol, port, or service is absolutely required for your business operability and know why it’s required. Your organization should be asking: what’s the business justification for that protocol, port, or service? Why are we using that? If it is not required for business, it’s required that you deny that traffic.
PCI DSS Requirement 1.2.1
As an organization, you’re required to maintain the security of the traffic, inbound and outbound. As we said in Requirement 1.1.6, you have to maintain a list of authorized services, protocols, and ports. We need to now look to make sure you’ve actually implemented those. So we take that list of the protocols, ports, and services in your environment that you’ve approved, and we compare that against your actual routers and firewalls and make sure that those lists appropriately match up.
We’ve already talked about Requirement 1.1.6 that says that your organization must maintain a list of authorized protocols, ports, and services. Specific to PCI DSS 1.2.1, it says that your organization is only allowed to use the protocols, ports, and services that are required for the operation of your business. So if you need a protocol, port, or service, that’s absolutely appropriate. Understand, however, that as an assessor, it’s not our role to define your business justification or why you might need a protocol, port, or service. What we’re looking for as an assessor, is that you’ve done your due diligence to say, “Yes, this protocol, port, or service is absolutely required and this is why it’s required.”
So as part of that documentation in 1.1.6, we look to see that the protocols, ports, and services that are authorized are listed. But what’s the business justification for that? Why are you using that? If it’s required, great, fine, we don’t have a problem with that. But we’re looking to see that as an organization, you’ve done your due diligence in making sure that the protocols, ports, and services, the inbound traffic that you’re allowing within your environment, is required of your business. If it is not required for business, it’s required that you as an organization shut that traffic down.