PCI DSS Requirement 1.3: Examine Firewall and Router Configurations
What is PCI Requirement 1.3?
PCI Requirement 1.3 focuses on ensuring that you prohibit direct public traffic from the Internet into the Cardholder Data Environment (CDE). PCI Requirement 1.3 states, “Prohibit direct public access between the Internet and any system component in the Cardholder Data Environment.” The PCI DSS v3.2 says that the purpose for PCI Requirement 1.3 is to protect system components that store cardholder data. If the protections put in place are bypassed, your system could be compromised.
There are several ways that assessors determine PCI Requirement 1.3 compliance:
- First, they will look at your organization’s policies and procedures. Policies and procedures are an important basis for compliance.
- Assessors also examine to ensure that there is a firewall established between the DMZ and the Internet, as well as between your DMZ and your CDE.
- The inbound traffic must terminate in the DMZ.
- Assessors examine firewalls and routers and look to see what organizations are filtering for.
- They make sure that all traffic that’s inbound into your environment is explicitly authorized as part of Requirement 1.1.6.
- No cardholder data should be stored within the DMZ; if you’re doing that, then you don’t have a real DMZ.
- If your organization has applications that accept credit card data for payment or for processing and temporarily write it into a file, assessors will tell you that this is specifically prohibited in the PCI DSS v3.2.
PCI DSS Requirement 1.3
Requirement 1.3 is primarily focused on ensuring that you prohibit direct traffic from the Internet into the Cardholder Data Environment. There’s several things that we look at in order to achieve this. First of all, we look at your policies and procedures. We look to make sure that you have a firewall established between the DMZ and the Internet. Next, we look to make sure that you have a firewall established between your DMZ and your Cardholder Data Environment.
Secondary to that, we also look to make sure that all inbound traffic is going to terminate into the DMZ in some capacity. We look at your firewalls and routers, and we look to see what you’re filtering for. We make sure that all traffic that’s inbound into your environment is explicitly authorized as part of Requirement 1.1.6, which we’ve often talked about. We look to make sure that you’re not storing any cardholder data within the DMZ; if you’re doing that, then you really don’t have a DMZ.
One of the areas where many organizations get in trouble here, is where they have applications that accept credit card data for payment or for processing, and they will temporarily write it into a file; that is specifically prohibited by the PCI DSS. Once again, Requirement 1.3 is making sure that we’re going to prohibit the inbound traffic directly into your Cardholder Data Environment and it is terminated into the DMZ.