| ๐ผ 1.1 Establish and implement firewall and router configuration standards | 7 | | | |
| ย ย ย ย ๐ผ 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations. | | | | |
| ย ย ย ย ๐ผ 1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks. | | | | |
| ย ย ย ย ๐ผ 1.1.3 Current diagram that shows all cardholder data flows across systems and networks. | | | | |
| ย ย ย ย ๐ผ 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. | | | | |
| ย ย ย ย ๐ผ 1.1.5 Description of groups, roles, and responsibilities for management of network components. | | | | |
| ย ย ย ย ๐ผ 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. | | | | |
| ย ย ย ย ๐ผ 1.1.7 Requirement to review firewall and router rule sets at least every six months. | | | | |
| ๐ผ 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment | 3 | | | |
| ย ย ย ย ๐ผ 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. | | 10 | 14 | |
| ย ย ย ย ๐ผ 1.2.2 Secure and synchronize router configuration files. | | | | |
| ย ย ย ย ๐ผ 1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. | | | | |
| ๐ผ 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. | 7 | 9 | 10 | |
| ย ย ย ย ๐ผ 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. | | 7 | 8 | |
| ย ย ย ย ๐ผ 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ. | | | 8 | |
| ย ย ย ย ๐ผ 1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. | | | | |
| ย ย ย ย ๐ผ 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. | | | 4 | |
| ย ย ย ย ๐ผ 1.3.5 Permit only โestablishedโ connections into the network. | | | 8 | |
| ย ย ย ย ๐ผ 1.3.6 Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks. | | | 3 | |
| ย ย ย ย ๐ผ 1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties. | | | | |
| ๐ผ 1.4 Install personal firewall software or equivalent functionality on any portable computing devices that connect to the Internet when outside the network, and which are also used to access the CDE. | | | | |
| ๐ผ 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. | | | | |