PCI DSS Requirement 1.3.4: Deny Unauthorized Outbound Traffic

by KirkpatrickPrice / April 18th, 2017

Understanding PCI Requirement 1.3.4

One of the most important things you can do as an organization to harden your environment is to limit the outbound traffic from your cardholder data environment (CDE), or from any environment you consider sensitive, to the Internet. This outbound traffic should be limited to only that which is necessary to support your business. If you do need Internet access for business purposes, that is okay. However, you need to make sure that it is documented and approved.

PCI DSS Requirement 1.3.4 explicitly states, “Do not allow unauthorized traffic from the cardholder data environment to the Internet.” Your assessor will examine your firewall and router configurations to verify that outbound traffic from the cardholder data environment (CDE) to the Internet is explicitly authorized. Requirement 1.3.4 verifies that there is no unfiltered access from the CDE to the Internet, and that all traffic is approved based on the list of authorized protocols, ports, and services from Requirement 1.1.6. Any traffic that is not authorized should be denied.
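The review described above (and repeated in the transcript below) amounts to two checks: every outbound "allow" rule maps to an entry on the documented 1.1.6 list with a business justification, and the rule set ends in an explicit deny. The following script, added here as an illustration and not part of the original post or any KirkpatrickPrice tooling, performs that check over a constructed, simplified egress rule set and then renders the approved list as a default-deny nftables output chain. The rule format, the approved list and the sample rules are all assumptions made for the example; a real review would work from the firewall's own configuration export.

```python
"""Audit CDE egress rules against the authorized-services list (1.1.6)
to support Requirement 1.3.4. Everything below is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EgressRule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst: str                  # destination CIDR, or "any" for the Internet
    port: Optional[int]       # None means any port
    justification: str = ""   # documented business need (1.1.6)


# Constructed approved list: (protocol, port) -> service description
APPROVED_SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 443): "HTTPS to payment processor",
    ("udp", 123): "NTP time sync",
    ("tcp", 53): "DNS to resolver",
    ("udp", 53): "DNS to resolver",
}


def audit_egress(rules: List[EgressRule],
                 approved: Dict[Tuple[str, int], str] = APPROVED_SERVICES) -> List[str]:
    """Return findings for an outbound rule set. An empty list means every
    allow rule is on the approved list, carries a justification, and the
    set finishes with an explicit deny-all (no implicit 'allow the rest')."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if r.proto == "any" or r.port is None:
            # A wildcard allow defeats the purpose of the authorized list.
            findings.append(f"rule {i}: overly broad allow "
                            f"({r.proto}/{r.port or 'any'} to {r.dst})")
            continue
        if (r.proto, r.port) not in approved:
            findings.append(f"rule {i}: {r.proto}/{r.port} to {r.dst} "
                            "is not on the authorized services list")
        elif not r.justification:
            findings.append(f"rule {i}: {r.proto}/{r.port} is authorized "
                            "but has no documented justification")
    last = rules[-1] if rules else None
    if (last is None or last.action != "deny" or last.proto != "any"
            or last.dst != "any" or last.port is not None):
        findings.append("rule set does not end with an explicit deny-all outbound rule")
    return findings


def render_nft(approved: Dict[Tuple[str, int], str] = APPROVED_SERVICES) -> str:
    """Render the approved list as an nftables output chain whose policy is
    drop, so anything not listed is denied and logged for review."""
    lines = [
        "table inet cde_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for (proto, port), desc in sorted(approved.items()):
        lines.append(f'    {proto} dport {port} accept comment "{desc}"')
    lines.append('    log prefix "cde-egress-deny " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed rule set with three typical problems an assessor would flag.
CONSTRUCTED_RULES = [
    EgressRule("allow", "tcp", "any", 443, "HTTPS to payment processor"),
    EgressRule("allow", "udp", "any", 123, "NTP time sync"),
    EgressRule("allow", "tcp", "any", 53),                          # no justification
    EgressRule("allow", "tcp", "any", 25),                          # SMTP not approved
    EgressRule("allow", "any", "any", None, "legacy catch-all"),    # wildcard allow
    EgressRule("deny", "any", "any", None),
]

if __name__ == "__main__":
    for f in audit_egress(CONSTRUCTED_RULES):
        print("FINDING:", f)
    print(render_nft())
```

Run against the constructed rules, the audit reports the undocumented DNS rule, the unapproved SMTP rule and the wildcard allow; the rendered chain is what the approved list looks like once the "deny everything else" posture is enforced in the firewall rather than assumed.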

PCI DSS Requirement 1.3.4

One of the most important things, in my opinion, that you could do as an organization to help harden your environment is to limit the outbound traffic from your Cardholder Data Environment, or from your environment that you might consider sensitive, to the Internet, to only that which is necessary to support your business. If you for some reason need Internet access, that’s great, that’s fine. Document it, making sure that it’s approved. However, what we expect is, we look at that list of authorized protocols, ports, and services from 1.1.6, and if it’s not authorized, you should be denying it.

Most organizations are really pretty good at doing the inbound filtering, but they seem to fail pretty badly at the outbound traffic. If it’s not required to process a transaction or required for the operations of your environment, it’s expected to be shut off.