PCI DSS Requirement 1.3.1: Establishing a DMZ

by KirkpatrickPrice / April 18th, 2017

Understanding PCI Requirement 1.3.1

PCI DSS Requirement 1.3.1 requires that you, as an organization, develop and implement a DMZ, otherwise known as a demilitarized zone.

What is the PCI DSS DMZ?

The PCI DSS requirements often refer to DMZs, or demilitarized zones. A DMZ is a sub-network that separates the internal network, in this instance your CDE, from all untrusted sources. The DMZ is where your public-facing web services live; it keeps your CDE (where cardholder data and other sensitive data reside) from being exposed directly to the Internet.

The DMZ can be configured a couple of different ways. You could use two physical firewalls, one between the Internet and the DMZ and another between the DMZ and the internal network, or a single firewall configured with two network zones and appropriately restrictive rules between them. Requirement 1.3.1 specifically states, “Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.” As assessors, we will verify that you have a DMZ, that it is in place, and that it is operating effectively.

PCI DSS Requirement 1.3.1

Requirement 1.3.1 requires that you, as an organization, develop a DMZ. This DMZ is established as a place where you can put your web services so that you are not exposing your credit card information, your credit card processing, or any of the services that handle cardholder data to the Internet as a whole. What we look for here is that you do indeed have a DMZ. This DMZ can be established with two physical firewalls, or with a single firewall that is appropriately configured with two network zones that are appropriately restricted between them.
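The single-firewall, two-zone layout described in both the explanation of the requirement and the summary above can be modelled and checked before an assessor looks at it. The following Python is an added example, not code from KirkpatrickPrice or from the PCI SSC: it models a zone-based first-match policy, evaluates constructed sample flows against it, and runs a small check that mirrors the 1.3.1 wording (inbound traffic from the Internet may reach only DMZ components, and only on the authorized public services). The zone address ranges, ports and rule comments are constructed for the example; the same checks apply unchanged to the two-physical-firewall layout, since the property being tested is about which zone pairs and services are reachable, not how many boxes enforce it.

```python
"""Added example: a minimal zone-based firewall policy modelled in Python.

Zone ranges, addresses, ports and rule comments below are constructed for
illustration (assumption: RFC 1918 space for the DMZ and CDE); they are not
taken from the article or from any real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed zone definitions. Anything outside a trusted zone is "internet".
ZONES = {
    "dmz": ip_network("10.10.0.0/24"),   # public-facing web tier
    "cde": ip_network("10.20.0.0/24"),   # cardholder data environment
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown space is treated as untrusted."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str          # zone name or "*" for any
    dst_zone: str          # zone name or "*" for any
    proto: str             # "tcp", "udp" or "*"
    dport: Optional[int]   # None means any destination port
    action: str            # "accept" or "drop"
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# First-match policy for the single-firewall / two-zone layout.
# The last rule is the default deny that the rest of Requirement 1 assumes.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 443, "accept", "public HTTPS on web tier"),
    Rule("internet", "dmz", "tcp", 80, "accept", "HTTP redirect to HTTPS"),
    Rule("dmz", "cde", "tcp", 5432, "accept", "web tier to payment DB only"),
    Rule("*", "*", "*", None, "drop", "default deny"),
]

# Services the organization has documented as authorized public services.
AUTHORIZED_PUBLIC: Set[Tuple[str, int]] = {("tcp", 443), ("tcp", 80)}

# A constructed flawed policy: an extra rule lets the Internet reach the CDE
# directly, which is exactly what a DMZ is meant to prevent.
BAD_POLICY: List[Rule] = POLICY[:2] + [
    Rule("internet", "cde", "tcp", 3389, "accept", "vendor remote support"),
] + POLICY[2:]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Return the action of the first rule matching the flow (default drop)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for r in policy:
        if (r.src_zone in ("*", src_zone)
                and r.dst_zone in ("*", dst_zone)
                and r.proto in ("*", flow.proto)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "drop"


def check_1_3_1(policy: List[Rule], authorized: Set[Tuple[str, int]]) -> List[str]:
    """Report accept rules that let Internet-sourced traffic reach anything
    other than the DMZ, or reach the DMZ on a service not on the authorized
    list. An empty result means the policy satisfies the 1.3.1 wording."""
    findings = []
    for r in policy:
        if r.action != "accept" or r.src_zone not in ("internet", "*"):
            continue
        if r.dst_zone != "dmz":
            findings.append(f"inbound from internet reaches zone '{r.dst_zone}': {r.comment}")
        elif r.dport is None or (r.proto, r.dport) not in authorized:
            findings.append(f"inbound to DMZ on unauthorized service {r.proto}/{r.dport}: {r.comment}")
    return findings


if __name__ == "__main__":
    for f in (Flow("198.51.100.7", "10.10.0.5", "tcp", 443),
              Flow("198.51.100.7", "10.20.0.9", "tcp", 443),
              Flow("10.10.0.5", "10.20.0.9", "tcp", 5432)):
        print(f"{zone_of(f.src)} -> {zone_of(f.dst)} {f.proto}/{f.dport}: {evaluate(f)}")
    print("findings (good policy):", check_1_3_1(POLICY, AUTHORIZED_PUBLIC))
    print("findings (bad policy): ", check_1_3_1(BAD_POLICY, AUTHORIZED_PUBLIC))
```

The check is deliberately narrow: it reads the rule table rather than probing hosts, so it is something you can run on an exported ruleset as part of change review, and it produces the kind of evidence an assessor asks for (the rule, the zone pair, and the documented reason for each public service).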