PCI DSS Requirement 1.3.7: Do Not Disclose Private IP Addresses

by KirkpatrickPrice / April 18th, 2017

What is PCI Requirement 1.3.7?

The goal of your organization is to make it as difficult as possible for someone to hack into your environment. Disclosing the IP addresses you have within your internal environment are one of the things we, as assessors, look for to help you to achieve that goal.

Jeff Wilder discusses PCI DSS Requirement 1.3.7, and not disclosing private IP addresses.

PCI Requirement 1.3.7 states, “Do not disclose private IP addresses and routing information to unauthorized parties.” Additionally, methods to obscure IP addressing may include, but are not limited to: Network Address Translation (NAT), placing servers containing cardholder data behind proxy servers/firewalls, removal or filtering of route advertisements for private networks that employ registered addressing, and internal use of RFC1918 address space instead of registered addresses.

PCI DSS Requirement 1.3.7

We want to make it as difficult as we can to prevent somebody from hacking your environment. Disclosing the IP addresses that you have within your internal environment is one of those things that can help us achieve that goal. We do that by natting the traffic, inbound and outbound. We do not disclose your internal IP addresses unless it’s required for business.

In most cases, most organizations, based on their internal IP schema, are already hiding or masking their internal IP addresses. But if you’re a large organization, like a public university – a lot of times public universities will have public IP addresses to the desktop and running their own BCP routing rules – if that is the case, if there is an IP schema that is subject to your PCI DSS environment, you need to exclude that from your advertised routing routes.