PCI Requirement 1.2 states, “Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.” The PCI DSS considers any network that is out of your organization’s ability to control, or external to your organization’s network, as untrustworthy. Assessors will take the data found in PCI Requirement 1.1.6, which is your organization’s authorized ports, protocols, and services, and compare that data to your router and firewall configurations. Assessors are looking to ensure that your organization is only using the authorized ports, protocols, and services defined in Requirement 1.1.6.
PCI Requirement 1.2
We’re going to talk about Requirement 1.2 now. The primary focus of Requirement 1.2 is that you as an organization develop policies and procedures that restrict your traffic to the absolute necessary that’s required for inbound and outbound traffic. From an assessment perspective, what we do is we take the data that we found in Requirement 1.1.6, which is your authorized ports, services, and protocols, and we pull your router and firewall configs and we compare the two, basically making sure that only the authorized ports and services that management has authorized are actually what’s being used.