1. Home
  2. Frameworks and Standards
  3. PCI DSS
  4. PCI DSS Requirement – 1.4.2
Searching...

PCI DSS Requirement – 1.4.2

Defined Approach Requirements

1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied.

Customized Approach Objective

Only traffic that is authorized or that is a response to a system component in the trusted network can
enter a trusted network from an untrusted network.

Applicability Notes

The intent of this requirement is to address communication sessions between trusted and untrusted networks, rather than the specifics of protocols.
This requirement does not limit the use of UDP or other connectionless network protocols if state is maintained by the NSC.

Defined Approach Testing Procedures

1.4.2 Examine vendor documentation and configurations of NSCs to verify that inbound traffic from untrusted networks to trusted networks is restricted in accordance with all elements specified in this requirement.

Purpose of requirement and procedures

Ensuring that public access to a system component is specifically authorized reduces the risk of system components being unnecessarily exposed to untrusted networks.

Good practice

System components that provide publicly accessible services, such as email, web, and DNS servers, are the most vulnerable to threats originating from untrusted networks.
Ideally, such systems are placed within a dedicated trusted network that is public facing (for example, a DMZ) but that is separated via NSCs from more sensitive internal systems, which helps protect the rest of the network in the event these externally accessible systems are compromised. This functionality is intended to prevent malicious actors from accessing the organization’s internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner.
Where this functionality is provided as a built-in feature of an NSC, the entity should ensure that its configurations do not result in the functionality being disabled or bypassed.

Definitions

Maintaining the “state” (or status) for each connection into a network means the NSC “knows” whether an apparent response to a previous connection is a valid, authorized response (since the NSC retains each connection’s status) or whether it is malicious traffic trying to fool the NSC into allowing the connection.

 

Note: This sub-requirement requirement falls within the primary PCI DSS Requirement 1: Install and Maintain Network Security Controls and secondary requirement 1.4 Network connections between trusted and untrusted networks are controlled..

What is the PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.

While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long lasting and trusting relationships with their customers.

Source: https://www.imperva.com/learn/data-security/pci-dss-certification/

What is the PCI SSC

The PCI SSC mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry.

The four pillars of our strategic framework include:

  1. Increase industry participation and knowledge in the PCI Standards development process and stakeholder support for standards implementation. This ensures that standards and resources reflect and address industry needs and challenges.
  2. Evolve security standards and validation programs to support a range of environments, technologies and methodologies for achieving security. This ensures standards and resources that support and enable safe commerce and the flexibility to use different approaches to meet those standards.
  3. Secure emerging payment channels via development of PCI Standards and resources to support broader payment acceptance. This enables safe commerce in new and emerging card and card-based payment channels such as mobile and internet-of-things.
  4. Increase standards alignment and consistency of PCI Standards to minimize redundancy and support effective implementation.

PCI DSS certification

PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:

  • Installation of firewalls
  • Encryption of data transmissions
  • Use of anti-virus software

Source: https://www.imperva.com/learn/data-security/pci-dss-certification/

You can learn more about the PCI DSS at https://www.pcisecuritystandards.org/

Updated on October 15, 2022
Was this article helpful?
Yes No

Related Articles