Unpacking PCI Requirement 1.4
PCI Requirement 1.4 states, “Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE.” PCI DSS v3.2 explains that portable computing devices that are allowed to connect to the Internet from outside the corporate firewall are more vulnerable to Internet-based threats. The use of firewall functionality (e.g., personal firewall software or hardware) helps to protect devices from Internet-based attacks, which could use the device to gain access to the organization’s systems and data once the device is re-connected to the network.
PCI DSS Requirement 1.4
Requirement 1 has primarily been about securing your networks and establishing rules around firewalls and routers to keep the bad guys out. PCI DSS Requirement 1.4 specifically requires that where you have an employee-owned device, a laptop, or another portable device that connects to the Internet and also connects to your environment, that device has a personal firewall enabled as well. All of the rules that PCI DSS applies to inbound and outbound traffic and to establishing authorized ports apply to these devices too.
When we’re assessing for PCI Requirement 1.4, we expect that you have defined the authorized ports and services that are allowed in and out of those personal laptops, employee-owned devices, or portable devices as well. These personal firewalls must be enabled, and they cannot be alterable by end users: we want to make sure users don’t have the ability to open up a port or service that isn’t authorized, or to shut the firewall off if they desire to do so.
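As an added example (not part of the original article), the script below turns the three assessment points above into an automated check over a host's firewall profile settings: firewall enabled, inbound traffic denied by default, and local rule changes by end users blocked. The sample input is constructed and assumes the layout of `netsh advfirewall show allprofiles` on Windows; the evaluation logic and names are our own.

```python
import re

# Constructed sample modelled on the layout of `netsh advfirewall show allprofiles`
# (format is an assumption; this is not output captured from a real host).
SAMPLE_NETSH_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
LocalFirewallRules                    Enable
"""


def parse_profiles(text):
    """Return {profile_name: {setting: value}} from netsh-style output."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\w+) Profile Settings:", line)
        if header:
            current = profiles.setdefault(header.group(1), {})
            continue
        # Settings lines are "<key>   <value>" separated by two or more spaces.
        kv = re.match(r"^(.+?)\s{2,}(.+?)\s*$", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return profiles


def check_requirement_1_4(profiles):
    """Map each profile to its list of Requirement 1.4 findings (empty = compliant)."""
    findings = {}
    for name, s in profiles.items():
        issues = []
        if s.get("State") != "ON":
            issues.append("firewall disabled")
        if not s.get("Firewall Policy", "").startswith("BlockInbound"):
            issues.append("inbound traffic not denied by default")
        # With local rule merging disabled by Group Policy, end users cannot add
        # their own allow rules; netsh reports this as "N/A (GPO-store only)".
        if "GPO-store only" not in s.get("LocalFirewallRules", ""):
            issues.append("end users can add local firewall rules")
        findings[name] = issues
    return findings
```

Run the same check against every laptop's exported output and any non-empty finding list is an assessment gap to document.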