PCI DSS Requirement 1.3.7: Do Not Disclose Private IP Addresses

What is PCI Requirement 1.3.7?

The goal of your organization is to make it as difficult as possible for someone to hack into your environment. Whether you disclose the IP addresses you use within your internal environment is one of the things we, as assessors, look for to help you achieve that goal.

Jeff Wilder discusses PCI DSS Requirement 1.3.7, and not disclosing private IP addresses.

PCI Requirement 1.3.7 states, “Do not disclose private IP addresses and routing information to unauthorized parties.” Additionally, methods to obscure IP addressing may include, but are not limited to: Network Address Translation (NAT), placing servers containing cardholder data behind proxy servers/firewalls, removal or filtering of route advertisements for private networks that employ registered addressing, and internal use of RFC1918 address space instead of registered addresses.


Video Transcription

PCI DSS Requirement 1.3.7

We want to make it as difficult as we can for somebody to hack your environment. Disclosing the IP addresses that you have within your internal environment is one of those things that can help us achieve that goal. We do that by NATing the traffic, inbound and outbound. We do not disclose your internal IP addresses unless it’s required for business.

In most cases, most organizations, based on their internal IP schema, are already hiding or masking their internal IP addresses. But if you’re a large organization, like a public university – a lot of times public universities will have public IP addresses to the desktop and run their own BGP routing rules – if that is the case, if there is an IP schema that is subject to your PCI DSS environment, you need to exclude that from your advertised routes.
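Two checks an assessor or an internal team could automate for this requirement are (a) scanning what an external client actually receives (response headers, redirects, error pages) for internal addresses, and (b) confirming that no prefix belonging to the PCI DSS environment overlaps a prefix you advertise to the outside, which is the case the transcript above describes for organizations running registered addresses internally. The following is an added example, not code from this page, its author, or the PCI Security Standards Council; the HTTP response text and the prefix lists are constructed sample data, and the function names, `RFC1918` default list and the optional `internal_nets` parameter are this example's own choices. The `internal_nets` parameter exists so that registered (public) ranges used internally can be treated as internal too.

```python
"""Checks for internal IP address disclosure (PCI DSS 1.3.7 style). Added example."""
import ipaddress
import re
from typing import Iterable, List, Tuple, Union

# RFC1918 private ranges are the default. If you run registered addresses
# internally, pass those ranges as internal_nets as well (assumed usage).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Matches dotted-quad candidates; validity is checked with ipaddress afterwards.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

NetLike = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]


def _as_networks(nets: Iterable[NetLike]):
    """Accept prefixes as strings or ipaddress networks."""
    return [ipaddress.ip_network(n, strict=False) if isinstance(n, str) else n for n in nets]


def is_internal(addr: str, internal_nets: Iterable[NetLike] = RFC1918) -> bool:
    """True if addr is a valid IP that falls inside one of the internal prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # The regex admits octets like 999; those are not addresses at all.
        return False
    return any(ip in net for net in _as_networks(internal_nets))


def find_disclosed_addresses(text: str,
                             internal_nets: Iterable[NetLike] = RFC1918) -> List[Tuple[int, str]]:
    """Return (line number, address) for every internal address found in text,
    e.g. a raw HTTP response captured from outside the perimeter."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for candidate in IPV4_RE.findall(line):
            if is_internal(candidate, internal_nets):
                hits.append((lineno, candidate))
    return hits


def advertised_overlaps(advertised: Iterable[str],
                        cde_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (CDE prefix, advertised prefix) pairs where a prefix that belongs to the
    PCI DSS environment overlaps something in the externally advertised route list."""
    adv = _as_networks(advertised)
    overlaps = []
    for cde in _as_networks(cde_prefixes):
        for route in adv:
            if cde.overlaps(route):
                overlaps.append((str(cde), str(route)))
    return overlaps


# Constructed sample: a redirect as an external client would see it. The Location
# header and a debugging header both leak RFC1918 addresses; the Via header does not.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Server: Apache/2.4
Location: http://10.20.30.40/checkout/error
X-Backend-Server: app01.corp.example (172.16.8.12)
Via: 1.1 203.0.113.7

<html><body>Redirecting...</body></html>
"""

# Constructed sample: a registered block advertised via BGP, and a CDE subnet carved
# out of it that should have been excluded from the advertisement.
SAMPLE_ADVERTISED = ["198.51.100.0/22", "203.0.113.0/24"]
SAMPLE_CDE_PREFIXES = ["198.51.100.64/26"]

if __name__ == "__main__":
    for lineno, addr in find_disclosed_addresses(SAMPLE_RESPONSE):
        print(f"line {lineno}: internal address disclosed: {addr}")
    for cde, route in advertised_overlaps(SAMPLE_ADVERTISED, SAMPLE_CDE_PREFIXES):
        print(f"CDE prefix {cde} is covered by advertised route {route}")
```

Run the scanner against responses captured from outside the network boundary (including error conditions, since stack traces and redirect targets are common places for backend addresses to appear), and feed the route check with the prefix list your edge routers actually announce rather than the one in the design document.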

1 reply

Richard Noël says:

The wording of control 1.3.7 is odd in that its use of “private IP addresses” actually means “IP addresses used on your internal network”, not what otherwise appears to be obvious to most of us, which is that “private IP addresses” refers to RFC1918 address space; a Google search of “private IP addresses” supports that point. Regardless of what address space is used internally – whether private or public, the requirement is to prevent disclosure of that address space to potential attackers.

Agreed?
