1.2 Network security controls (NSCs) are configured and maintained.
This requirement focuses on the proper configuration and maintenance of network security controls (NSCs). It ensures that organizations have well-defined standards for NSC rulesets, manage changes to network connections and configurations, maintain accurate network and data-flow diagrams, and properly manage services, protocols, and ports.
Sub-requirements:
- 1.2.1 Configuration standards for NSC rulesets are defined, implemented, and maintained.
- 1.2.2 All changes to network connections and to configurations of NSCs are approved and managed in accordance with the change control process defined at Requirement 6.5.1.
- 1.2.3 An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.
- 1.2.4 An accurate data-flow diagram(s) is maintained that meets the following:
  - Shows all account data flows across systems and networks.
  - Updated as needed upon changes to the environment.
- 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.
- 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.
- 1.2.7 Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective.
- 1.2.8 Configuration files for NSCs are secured from unauthorized access and kept consistent with active network configurations.
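The following is an added example, not part of this page or of any PCI SSC material, showing how sub-requirements 1.2.5, 1.2.6 and 1.2.8 can be checked mechanically as part of the 1.2.7 periodic review. The ruleset representation, the approved-services inventory, the list of services classified as insecure and the configuration snapshots are all constructed sample data; a real review would load them from the organization's own NSC exports and inventory.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample inventory (Req. 1.2.5): every allowed service/port carries
# a defined business need. Assumption: the organization maintains this list.
APPROVED_SERVICES = {
    ("tcp", 443): "HTTPS to payment gateway",
    ("tcp", 22): "SSH administrative access from jump host only",
    ("tcp", 21): "Legacy FTP batch settlement upload (scheduled for replacement)",
}

# Constructed list of services the organization classifies as insecure (Req. 1.2.6).
# Rules allowing these must document the security feature that mitigates the risk.
INSECURE_SERVICES = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP"}


@dataclass
class Rule:
    """Minimal vendor-neutral view of one NSC rule (constructed representation)."""
    rule_id: str
    action: str        # "allow" or "deny"
    proto: str
    port: int
    src: str
    dst: str
    mitigation: str = ""   # documented security feature for an insecure service


def audit_ruleset(rules, approved=APPROVED_SERVICES, insecure=INSECURE_SERVICES):
    """Return (rule_id, finding) pairs for allow rules that violate the standard."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        key = (r.proto, r.port)
        if r.src == "any" and r.dst == "any":
            findings.append((r.rule_id, "any/any allow rule has no defined business need"))
        if key not in approved:
            findings.append((r.rule_id, f"{r.proto}/{r.port} is not in the approved services inventory"))
        if key in insecure and not r.mitigation:
            findings.append((r.rule_id, f"insecure service {insecure[key]} allowed without a documented security feature"))
    return findings


def _normalize(config_text: str) -> str:
    """Drop blank lines, comment lines and trailing whitespace before comparing."""
    return "\n".join(
        line.rstrip()
        for line in config_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    )


def config_drift(stored_config: str, active_config: str) -> bool:
    """True when the secured configuration file no longer matches the running
    configuration (Req. 1.2.8). Hashes are compared as hex digests so that two
    identical texts compare equal."""
    stored = hashlib.sha256(_normalize(stored_config).encode()).hexdigest()
    active = hashlib.sha256(_normalize(active_config).encode()).hexdigest()
    return stored != active


# Constructed sample ruleset exercising each check.
SAMPLE_RULES = [
    Rule("R1", "allow", "tcp", 443, "10.0.1.0/24", "203.0.113.10"),
    Rule("R2", "allow", "tcp", 22, "10.0.9.5", "10.0.1.0/24"),
    Rule("R3", "allow", "tcp", 21, "10.0.1.20", "198.51.100.7",
         mitigation="FTP carried inside an IPsec tunnel; restricted to the settlement host"),
    Rule("R4", "allow", "tcp", 23, "any", "10.0.1.0/24"),       # Telnet: unapproved, unmitigated
    Rule("R5", "allow", "udp", 161, "10.0.2.0/24", "10.0.1.0/24"),  # SNMP: not in inventory
    Rule("R6", "deny", "ip", 0, "any", "any"),                   # default deny, not audited
    Rule("R7", "allow", "tcp", 443, "any", "any"),               # approved port, but any/any
]

# Constructed configuration snapshots: the secured file versus the live device export.
STORED_CONFIG = "# baseline 2024-Q1\npermit tcp 10.0.1.0/24 203.0.113.10 443\n"
ACTIVE_CONFIG = "permit tcp 10.0.1.0/24 203.0.113.10 443\npermit tcp any 10.0.1.0/24 23\n"

if __name__ == "__main__":
    for rule_id, finding in audit_ruleset(SAMPLE_RULES):
        print(f"{rule_id}: {finding}")
    print("configuration drift detected:", config_drift(STORED_CONFIG, ACTIVE_CONFIG))
```

Run on the sample data, the audit reports R4 twice (unapproved port and an insecure service with no mitigation), R5 once (not in the inventory) and R7 once (any/any allow), while R3 passes because its insecure service is both approved and mitigated; the drift check flags the extra Telnet line in the live configuration. Review output like this is evidence for 1.2.7 only when it is dated, retained and acted on through the change process referenced in 1.2.2.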
1.2 Network security controls (NSCs) are configured and maintained.
Ensure NSCs are securely configured, managed, and regularly reviewed to protect the cardholder data environment (CDE).
Key Risks
Frequently Asked Questions
What is the focus of Requirement 1.2?
It ensures that all network security controls are securely configured, managed, and reviewed to protect cardholder data.
How often should NSC configurations be reviewed?
At least every six months, or after significant changes to the network or systems.
What is required for network and data-flow diagrams?
They must be accurate, kept up to date, and reflect all connections to the CDE, including wireless and cloud environments.
How are insecure protocols handled?
They must be identified, documented, and have compensating security controls or be replaced with secure alternatives.
Why is change management important for NSCs?
It ensures that all changes are authorized, documented, and do not introduce vulnerabilities.
Common QSA Questions
Can you provide your latest network and data-flow diagrams?
Yes, we maintain up-to-date diagrams that reflect all connections and data flows related to the CDE.
How do you review and approve changes to NSCs?
All changes go through a documented change management process with required approvals and impact analysis.
How do you ensure only necessary services and ports are enabled?
We maintain an inventory of allowed services/ports, review them regularly, and require business justification for each.