| Requirement | Sub-requirements | |
|---|---|---|
| 1.1 Processes and mechanisms for installing and maintaining network security controls are defined and understood. | 2 | |
| 1.1.1 All security policies and operational procedures identified in Requirement 1 are documented, kept up to date, in use, and known to all affected parties. | | |
| 1.1.2 Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood. | | |
| 1.2 Network security controls (NSCs) are configured and maintained. | 8 | |
| 1.2.1 Configuration standards for NSC rulesets are defined, implemented, and maintained. | | |
| 1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1. | | |
| 1.2.3 An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. | | |
| 1.2.4 An accurate data-flow diagram(s) is maintained. | | |
| 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need. | | |
| 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated. | | |
| 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective. | | |
| 1.2.8 Configuration files for NSCs are secured from unauthorized access and kept consistent with active network configurations. | | |
| 1.3 Network access to and from the cardholder data environment is restricted. | 3 | |
| 1.3.1 Inbound traffic to the CDE is restricted. | | 14 |
| 1.3.2 Outbound traffic from the CDE is restricted. | | 14 |
| 1.3.3 NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE. | | |
| 1.4 Network connections between trusted and untrusted networks are controlled. | 5 | |
| 1.4.1 NSCs are implemented between trusted and untrusted networks. | | 10 |
| 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted. | | 8 |
| 1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network. | | |
| 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks. | | 3 |
| 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties. | | |
| 1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated. | 1 | |
| 1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks and the CDE. | | |
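Several of the sub-requirements above (1.2.5 approved services and ports, 1.3.1 and 1.3.2 restricted inbound and outbound traffic, 1.4.3 anti-spoofing) can be checked mechanically against a host firewall ruleset. The script below is an added worked example, not part of PCI DSS or of this page. It assumes a Linux host whose NSC is expressed in `iptables-save` format, that `eth0` is the untrusted-facing interface, and that the approved-services list, the internal address ranges and the sample ruleset are all constructed here for illustration; a real review would load the approved list from the organisation's NSC configuration standard (1.2.1).

```python
"""Review an iptables ruleset against PCI DSS Requirement 1 checks (added example)."""
from dataclasses import dataclass
from typing import Optional, Union
import ipaddress

# Constructed sample of `iptables-save -t filter` output for a CDE edge host.
# eth0 is assumed to face the untrusted network. Not a real configuration.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# 1.2.5: services with a documented business need (assumed; taken from the NSC standard in practice).
APPROVED_SERVICES = {("tcp", 443)}
# 1.4.3: the untrusted-facing interface and the internal ranges that must never
# arrive on it as a source address (assumed values).
UNTRUSTED_IF = "eth0"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    chain: str
    target: Optional[str]
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[Network] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None


def _opt(toks, flag):
    """Value following `flag` in a tokenised rule, or None if the flag is absent."""
    return toks[toks.index(flag) + 1] if flag in toks else None


def parse_ruleset(text: str):
    """Return (chain policies, rules in file order) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                      # ":INPUT DROP [0:0]" -> default policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):                  # "-A CHAIN <matches> -j TARGET"
            toks = line.split()
            dport, src = _opt(toks, "--dport"), _opt(toks, "-s")
            rules.append(Rule(
                chain=toks[1], target=_opt(toks, "-j"), proto=_opt(toks, "-p"),
                dport=int(dport) if dport else None,
                src=ipaddress.ip_network(src, strict=False) if src else None,
                in_if=_opt(toks, "-i"), out_if=_opt(toks, "-o")))
    return policies, rules


def review(text: str):
    """Return findings, each prefixed with the sub-requirement it relates to."""
    policies, rules = parse_ruleset(text)
    findings = []

    # 1.3.1 / 1.3.2: inbound and outbound traffic is restricted, i.e. default-deny.
    for chain, req in (("INPUT", "1.3.1"), ("OUTPUT", "1.3.2")):
        if policies.get(chain) != "DROP":
            findings.append(f"{req}: {chain} policy is {policies.get(chain)}, expected DROP")

    # 1.2.5: every accepted service/port must be on the approved list.
    for r in rules:
        if r.target == "ACCEPT" and r.dport is not None and (r.proto, r.dport) not in APPROVED_SERVICES:
            findings.append(f"1.2.5: {r.chain} allows {r.proto}/{r.dport} with no approved business need")

    # 1.4.3: anti-spoofing. iptables is first-match, so a DROP for each internal range
    # must exist on the untrusted interface AND precede any ACCEPT that could match first.
    inbound = [(i, r) for i, r in enumerate(rules)
               if r.chain == "INPUT" and r.in_if in (UNTRUSTED_IF, None)]
    first_accept = next((i for i, r in inbound if r.target == "ACCEPT"), None)
    for net in INTERNAL_NETS:
        drop = next((i for i, r in inbound
                     if r.target == "DROP" and r.src is not None
                     and r.src.version == net.version and net.subnet_of(r.src)), None)
        if drop is None:
            findings.append(f"1.4.3: no DROP for spoofed source {net} on {UNTRUSTED_IF}")
        elif first_accept is not None and first_accept < drop:
            findings.append(f"1.4.3: ACCEPT at rule {first_accept} precedes anti-spoofing DROP for {net}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_RULESET):
        print(finding)
```

On the constructed sample the review reports two findings: the OUTPUT chain defaults to ACCEPT (1.3.2) and tcp/23 is accepted without being on the approved list (1.2.5); the three anti-spoofing drops are present and ordered before the first ACCEPT, so 1.4.3 passes. Running the same function over both the stored configuration file and live `iptables-save` output, and diffing the two, is one way to evidence the "kept consistent with active network configurations" clause of 1.2.8.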