PCI DSS Requirement 1.3.4: Deny Unauthorized Outbound Traffic
Understanding PCI Requirement 1.3.4
One of the most important things you can do as an organization to harden your environment is to limit the outbound traffic from your cardholder data environment (CDE), or from any environment you consider sensitive, to the Internet. This outbound traffic should be limited to only what is necessary to support your business. If you do need Internet access for business purposes, that is acceptable; however, you need to make sure that it is documented and approved.
PCI DSS Requirement 1.3.4
One of the most important things, in my opinion, that you could do as an organization to help harden your environment is to limit the outbound traffic from your Cardholder Data Environment, or from your environment that you might consider sensitive: you limit that traffic out to the Internet to only that which is necessary to support your business. If you for some reason need Internet access, that’s great, that’s fine. Document it, making sure that it’s approved. However, what we expect is that we look at that list of authorized protocols, ports, and services from 1.1.6, and if it’s not authorized, you should be denying it.
Most organizations are really pretty good at doing the inbound filtering, but they seem to fail pretty badly at the outbound traffic. If it’s not required to process a transaction or required for the operations of your environment, it’s expected to be shut off.
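The requirement above comes down to two practical pieces: a default-deny egress policy on the CDE boundary whose only exceptions are the documented, approved entries from the 1.1.6 list, and a periodic check that observed outbound traffic actually matches that list. The following is an added example, not code from the original page or from any PCI DSS document. The approved-services list, the CDE address range (10.10.0.0/24) and the sample flow records are all constructed for illustration; it renders the allowlist as an nftables ruleset with `policy drop` and then audits constructed flow records (as a firewall or NetFlow export might provide them) to flag any CDE-originated flow that is not on the approved list.

```python
"""Default-deny egress for a CDE: allow only documented services, flag everything else.

Added example (not from the original page). The approved-services list, the
CDE range and the sample flow records are constructed; a real list comes from
the organization's own PCI DSS 1.1.6 documentation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CDE_NET = ip_network("10.10.0.0/24")  # constructed CDE address range


@dataclass(frozen=True)
class ApprovedService:
    name: str         # service and business justification
    proto: str        # "tcp" or "udp"
    port: int         # destination port
    dest: str         # destination CIDR ("0.0.0.0/0" means any destination)
    approved_by: str  # who signed off, so the exception is documented


# Constructed stand-in for the 1.1.6 list: every entry is documented and approved.
APPROVED = [
    ApprovedService("payment-gateway TLS", "tcp", 443, "203.0.113.0/24", "CISO"),
    ApprovedService("DNS to internal resolver", "udp", 53, "10.10.0.53/32", "NetOps"),
    ApprovedService("NTP to internal time source", "udp", 123, "10.10.0.123/32", "NetOps"),
]


def nft_egress_ruleset(approved, cde_net=CDE_NET):
    """Render an nftables forward chain: drop all CDE egress except approved flows."""
    lines = [
        "table inet cde_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for s in approved:
        # Omit the daddr match when the approved destination is "any".
        daddr = "" if s.dest in ("0.0.0.0/0", "::/0") else f"ip daddr {s.dest} "
        lines.append(
            f"    ip saddr {cde_net} {daddr}{s.proto} dport {s.port} accept "
            f"comment \"{s.name} (approved: {s.approved_by})\""
        )
    # Log what the default policy drops so denied egress is visible to monitoring.
    lines += [
        f"    ip saddr {cde_net} log prefix \"CDE-EGRESS-DENY \" drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


def is_authorized(src, dst, proto, dport, approved=APPROVED, cde_net=CDE_NET):
    """True if a CDE-originated flow matches an approved service (non-CDE flows are out of scope)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip not in cde_net:
        return True
    return any(
        s.proto == proto and s.port == dport and dst_ip in ip_network(s.dest)
        for s in approved
    )


def audit_flows(flows, approved=APPROVED, cde_net=CDE_NET):
    """Return the flow records that are not covered by the approved list."""
    return [
        f for f in flows
        if not is_authorized(f["src"], f["dst"], f["proto"], f["dport"], approved, cde_net)
    ]


# Constructed sample flow records, shaped like a firewall or NetFlow export.
SAMPLE_FLOWS = [
    {"src": "10.10.0.21", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},  # approved gateway
    {"src": "10.10.0.21", "dst": "10.10.0.53", "proto": "udp", "dport": 53},     # approved resolver
    {"src": "10.10.0.22", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},  # undocumented HTTPS
    {"src": "10.10.0.22", "dst": "198.51.100.9", "proto": "udp", "dport": 53},   # DNS bypassing resolver
    {"src": "10.10.0.23", "dst": "192.0.2.5", "proto": "tcp", "dport": 22},      # undocumented SSH
]

if __name__ == "__main__":
    print(nft_egress_ruleset(APPROVED))
    for flow in audit_flows(SAMPLE_FLOWS):
        print("UNAUTHORIZED:", flow)
```

Running the block prints the rendered ruleset and the three sample flows that the approved list does not cover. The rendered ruleset is meant to be reviewed and loaded by an administrator, not applied by the script; the audit function is the part to run regularly against exported flow records so that egress the policy should deny, or that slipped in through an undocumented exception, is caught.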