Network Security [Req 1-2]
Rule: Install and maintain network security controls (firewalls, segmentation) and apply secure configurations to all system components.
Requirement 1: Network Security Controls
1.2 — Configure and Maintain Controls
| Control | Requirement |
|---|---|
| Firewall rules | Documented, reviewed every 6 months |
| Business justification | All services, protocols, ports justified |
| Insecure services | Documented risk if allowed, additional security |
| Rule review | At least every 6 months |
1.3 — Restrict CDE Access
| Control | Requirement |
|---|---|
| Inbound traffic | Restricted to only necessary traffic |
| Outbound traffic | Explicitly authorized from CDE |
| Anti-spoofing | Prevent forged source IPs |
| No direct access | DMZ between internet and CDE |
1.4 — Control Trusted/Untrusted Connections
| Control | Requirement |
|---|---|
| Personal firewalls | On portable devices accessing CDE |
| Cannot be altered | By users (or limited alterations) |
| Active and enforced | Always running |
Network Segmentation
Segmentation isolates the CDE from the rest of the organization's networks:
| Benefit | Impact |
|---|---|
| Reduced scope | Fewer systems in scope for PCI DSS |
| Lower cost | Less to assess and secure |
| Better security | Limits breach impact |
Validation: Penetration testing must verify segmentation effectiveness.
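The 1.2 and 1.3 controls above (business justification, six-monthly review, documented risk for insecure services, explicitly authorized outbound traffic) can be checked mechanically against a rule inventory. The following is an added example, not part of the PCI DSS text or any vendor tool; the `Rule` fields, the insecure-service list and the sample ruleset are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed list of services the organization classifies as insecure (page names telnet and FTP).
INSECURE_SERVICES = {"telnet", "ftp", "snmpv1", "snmpv2c"}
REVIEW_INTERVAL = timedelta(days=182)  # "at least every 6 months"

@dataclass
class Rule:
    """One network-security-control rule as recorded in the inventory (constructed schema)."""
    name: str
    direction: str                       # "inbound" or "outbound", relative to the CDE
    service: str
    justification: str = ""              # business justification for the service/port
    last_reviewed: Optional[date] = None
    documented_risk: bool = False        # required when the service is insecure
    authorized: bool = False             # outbound from the CDE must be explicitly authorized

def audit_rule(rule: Rule, today: date) -> List[str]:
    """Return the Requirement 1.2/1.3 findings for one rule; an empty list means compliant."""
    findings = []
    if not rule.justification.strip():
        findings.append("1.2: no business justification for service/port")
    if rule.last_reviewed is None or today - rule.last_reviewed > REVIEW_INTERVAL:
        findings.append("1.2: rule not reviewed within the last 6 months")
    if rule.service.lower() in INSECURE_SERVICES and not rule.documented_risk:
        findings.append("1.2: insecure service allowed without documented risk")
    if rule.direction == "outbound" and not rule.authorized:
        findings.append("1.3: outbound traffic from CDE not explicitly authorized")
    return findings

def audit_ruleset(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant rule name to its findings."""
    report = {r.name: audit_rule(r, today) for r in rules}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory and assessment date.
TODAY = date(2024, 5, 1)
SAMPLE_RULES = [
    Rule("web-to-app", "inbound", "https", "Payment page to app tier", date(2024, 3, 1)),
    Rule("legacy-ftp", "inbound", "ftp", "Batch settlement file drop", date(2024, 1, 15)),
    Rule("db-egress", "outbound", "https", "", date(2023, 6, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_ruleset(SAMPLE_RULES, TODAY).items():
        print(name, "->", "; ".join(findings))
```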
Requirement 2: Secure Configurations
2.2 — System Configuration Standards
| Control | Requirement |
|---|---|
| Change defaults | Vendor-supplied defaults changed |
| Remove unnecessary | Services, protocols, functions removed |
| Security parameters | Configured to prevent misuse |
| One function per server | Primary functions only (or justified) |
Vendor Defaults to Change
| Default | Action |
|---|---|
| Default passwords | Change all default/known passwords |
| Default accounts | Remove, disable, or rename |
| SNMP community strings | Change from “public” and “private” |
| Unnecessary services | Disable telnet, FTP if not required |
2.3 — Wireless Security
| Control | Requirement |
|---|---|
| Change defaults | SSIDs, keys, passwords |
| Strong encryption | WPA2/WPA3 Enterprise |
| Strong authentication | Industry best practices |
| No WEP | WEP prohibited |
CDE (Cardholder Data Environment)
The CDE includes:
- Systems that store, process, or transmit cardholder data
- Systems directly connected to or supporting the above
- Network segments containing cardholder data
Configuration Hardening Resources
| Resource | Use For |
|---|---|
| CIS Benchmarks | OS, database, application hardening |
| Vendor guides | Product-specific security guides |
| NIST guidelines | Security configuration baselines |
Citation
PCI DSS v4.0.1 Requirements 1-2