PCI DSS Requirement 1.2: Restrict Connections to Untrusted Networks

by KirkpatrickPrice / April 18th, 2017

PCI Requirement 1.2 states, “Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.” The PCI DSS treats any network your organization does not control, or that is external to your organization’s network, as untrusted. Assessors take the data documented under PCI Requirement 1.1.6 (your organization’s list of authorized ports, protocols, and services) and compare it against your router and firewall configurations. Assessors are looking to confirm that your organization permits only the ports, protocols, and services authorized under Requirement 1.1.6.

It is essential that your organization develops the proper policies and procedures to carry out PCI Requirement 1.2. These policies and procedures must define how your organization restricts inbound and outbound network traffic to only what is required. Failure to develop these policies and procedures can lead to a failure to implement PCI Requirement 1.2, potentially leaving your organization susceptible to unauthorized access.
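The comparison described above, an assessor checking firewall rules against the Requirement 1.1.6 authorized list, can be scripted. The following is an added example, not code from KirkpatrickPrice or from any PCI tooling: it uses a constructed, vendor-neutral rule format and constructed address ranges, and flags any permit rule that lets an untrusted network reach the cardholder data environment on a port or protocol that is not on the authorized list.

```python
from collections import namedtuple
from ipaddress import ip_network

# Constructed inputs (assumptions, not from any real environment):
AUTHORIZED = {("tcp", 443), ("tcp", 22)}   # ports/protocols documented under Requirement 1.1.6
CDE = ip_network("10.10.0.0/24")           # cardholder data environment
TRUSTED = [ip_network("10.0.0.0/8")]       # ranges the organization controls; all else is untrusted

Rule = namedtuple("Rule", "action proto src dst dport")   # dport is None for "any port"

def parse_rules(text):
    """Parse one rule per line: '<permit|deny> <proto> <src-cidr> <dst-cidr> <port|any>' (constructed format)."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, src, dst, port = line.split()
        rules.append(Rule(action, proto.lower(), src, dst,
                          None if port == "any" else int(port)))
    return rules

def is_untrusted(net):
    """Trusted only if entirely inside a controlled range, so 0.0.0.0/0 ('any') is untrusted."""
    return not any(net.subnet_of(t) for t in TRUSTED)

def findings(rules):
    """Return (rule number, reason) for each permit rule that allows traffic between
    an untrusted network and the CDE on something Requirement 1.1.6 does not authorize."""
    out = []
    for n, r in enumerate(rules, start=1):
        if r.action != "permit":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        if not (src.overlaps(CDE) or dst.overlaps(CDE)):
            continue                      # rule does not involve the CDE
        if not (is_untrusted(src) or is_untrusted(dst)):
            continue                      # internal-to-internal, out of scope for 1.2
        if r.dport is None:
            out.append((n, f"permits {r.proto} on all ports between an untrusted network and the CDE"))
        elif (r.proto, r.dport) not in AUTHORIZED:
            out.append((n, f"{r.proto}/{r.dport} is not in the 1.1.6 authorized list"))
    return out

# Constructed ruleset: rule 3 opens an unauthorized port, rule 4 is an "any port" permit
SAMPLE_RULES = """\
permit tcp 0.0.0.0/0 10.10.0.0/24 443
permit tcp 10.0.5.0/24 10.10.0.0/24 22
permit tcp 203.0.113.0/24 10.10.0.0/24 3389
permit ip 0.0.0.0/0 10.10.0.0/24 any
deny ip 0.0.0.0/0 10.10.0.0/24 any
"""
```

Running `findings(parse_rules(SAMPLE_RULES))` reports rules 3 and 4; the deny rule and the internal-only rule are ignored because Requirement 1.2 is concerned with what is permitted from untrusted networks.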

PCI Requirement 1.2

We’re going to talk about Requirement 1.2 now. The primary focus of Requirement 1.2 is that you as an organization develop policies and procedures that restrict your traffic to the absolute minimum that’s required for inbound and outbound traffic. From an assessment perspective, what we do is we take the data that we found in Requirement 1.1.6, which is your authorized ports, services, and protocols, and we pull your router and firewall configs and we compare the two, basically making sure that only the ports and services that management has authorized are actually what’s being used.