1 — Install and Maintain Network Security Controls
19 requirements in the Install and Maintain Network Security Controls requirement
1.1.1 All security policies and operational procedures that are identified in Requirement 1 are: Documented.
1.1.2 Roles and responsibilities for performing activities in Requirement 1 are documented, assigned, and understood.
1.2.1 Configuration standards for NSC rulesets are: Defined.
1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.
1.2.3 An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.
1.2.4 An accurate data-flow diagram(s) is maintained that meets the following: Shows all account data flows across systems and networks.
1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.
1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.
1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
1.2.8 Configuration files for NSCs are: Secured from unauthorized access.
1.3.1 Inbound traffic to the CDE is restricted as follows: To only traffic that is necessary. All other traffic is specifically denied.
1.3.2 Outbound traffic from the CDE is restricted as follows: To only traffic that is necessary.
1.3.3 NSCs are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE, such that: All wireless traffic from wireless networks into the CDE is denied by default.
1.4.1 NSCs are implemented between trusted and untrusted networks.
1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to: Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.
1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.
1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks (including the Internet) and the CDE as follows.