PCI DSS Requirement 1.3.6: Segregate the CDE from the DMZ
What’s in PCI Requirement 1.3.6?
To meet PCI Requirement 1.3.6, your organization must not store cardholder data within the DMZ. PCI Requirement 1.3.6 states, “Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.” PCI Requirement 1.3.6 also says, “Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.”
If your organization is storing cardholder data within your DMZ, assessors must examine the means and methods for moving that data into the internal environment. We see issues with this when organizations have an SFTP server or web server that is processing data. We recommend that you map a drive to your SFTP server or web server, and when that data comes in, rather than writing it to the local system within the DMZ, write that data into the corporate environment or into a server that resides within the cardholder data environment (CDE).
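As an added illustration (not part of the original article or of any PCI SSC material), the following Python check models the assessor's step of examining firewall and router configuration against this requirement. It takes a zone map, an asset inventory and a firewall rule list, all constructed sample data with hypothetical addresses and host names, and reports any system marked as storing cardholder data that sits outside an internal zone, plus any allow rule that gives an untrusted zone a direct path to such a system.

```python
"""Placement check for PCI DSS 1.3.6: systems that store cardholder data (CHD)
must sit in an internal zone, segregated from the DMZ and untrusted networks.
All zones, hosts and rules below are constructed sample data (hypothetical)."""
import ipaddress
from typing import Dict, List

# Zone map: "internal" is the only trust level acceptable for CHD storage.
ZONES: Dict[str, Dict[str, str]] = {
    "internet": {"cidr": "0.0.0.0/0",    "trust": "untrusted"},
    "dmz":      {"cidr": "192.0.2.0/24", "trust": "dmz"},
    "corp":     {"cidr": "10.20.0.0/16", "trust": "internal"},
    "cde":      {"cidr": "10.10.0.0/24", "trust": "internal"},
}

# Asset inventory: which hosts persist CHD (even a temp file on disk counts).
ASSETS = [
    {"name": "web01",  "ip": "192.0.2.10", "stores_chd": False},
    {"name": "sftp01", "ip": "192.0.2.20", "stores_chd": True},   # writes uploads locally in the DMZ
    {"name": "db01",   "ip": "10.10.0.5",  "stores_chd": True},   # correctly placed in the CDE
]

# Firewall rules as an assessor would pull them from the device configuration.
RULES = [
    {"src": "internet", "dst": "192.0.2.0/24", "port": 443,  "action": "allow"},
    {"src": "dmz",      "dst": "10.10.0.5/32", "port": 1433, "action": "allow"},
    {"src": "internet", "dst": "10.10.0.5/32", "port": 1433, "action": "allow"},  # direct untrusted path
    {"src": "internet", "dst": "10.10.0.0/24", "port": 1433, "action": "deny"},
]


def zone_of(ip: str, zones: Dict[str, Dict[str, str]] = ZONES) -> str:
    """Return the most specific zone containing ip (longest-prefix match),
    so the 0.0.0.0/0 internet zone does not swallow every address."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "", -1
    for name, zone in zones.items():
        net = ipaddress.ip_network(zone["cidr"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = name, net.prefixlen
    return best


def find_violations(assets=ASSETS, rules=RULES, zones=ZONES) -> List[str]:
    """Return one finding per 1.3.6 problem: CHD storage outside an internal
    zone, or an allow rule from an untrusted zone straight to a CHD store."""
    findings: List[str] = []
    for asset in assets:
        if not asset["stores_chd"]:
            continue
        zone = zone_of(asset["ip"], zones)
        if zones[zone]["trust"] != "internal":
            findings.append(f"{asset['name']} stores CHD but sits in {zone}")
        addr = ipaddress.ip_address(asset["ip"])
        for rule in rules:
            if rule["action"] != "allow":
                continue
            src_untrusted = zones[rule["src"]]["trust"] == "untrusted"
            if src_untrusted and addr in ipaddress.ip_network(rule["dst"]):
                findings.append(
                    f"{rule['src']} -> {asset['name']}:{rule['port']} allowed directly"
                )
    return findings


if __name__ == "__main__":
    for finding in find_violations():
        print("FINDING:", finding)
```

With the sample data the check reports the SFTP server in the DMZ that persists uploads, the inbound 443 rule that reaches it from the internet, and the stray internet-to-database rule. The DMZ-to-database rule is deliberately not flagged: this check covers only 1.3.6 placement and direct untrusted paths, and the rest of the Requirement 1.3 rule review is a separate step.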
PCI DSS Requirement 1.3.6
PCI DSS Requirement 1.3.6 requires that we do not store cardholder data within the DMZ. The purpose and intent behind this particular requirement is that we’ve spent all this time within your environment hardening your assets, hardening the network, and doing everything we can to prevent an attacker from getting any access to that asset. So if you’re storing cardholder data within your DMZ, we need to look at the means and methods for moving it into the internal environment.
A lot of times where we see issues with this is when organizations have an SFTP server or web server that might be processing data. When we talk about storage, we’re talking about persistent storage, meaning that if you’ve written it to hard drive, even for a millisecond, it’s considered stored. So what we would recommend that you do is take the opportunity to map a drive to your SFTP server or your web server, and when that data comes in, rather than writing it to the local system within the DMZ, write that data into the corporate environment or into a server that resides within the CDE.