1.3 Network access to and from the cardholder data environment is restricted.
This requirement ensures that only authorized and necessary network traffic is allowed in and out of the CDE, minimizing the risk of unauthorized access or data exfiltration.
Sub-requirements:
- 1.3.1 Inbound traffic to the CDE is restricted to only traffic that is necessary, and all other traffic is specifically denied.
- 1.3.2 Outbound traffic from the CDE is restricted to only traffic that is necessary, and all other traffic is specifically denied.
- 1.3.3 Network security controls (NSCs) are installed between all wireless networks and the CDE, regardless of whether the wireless network is a CDE.
Prevent unauthorized access to and from the CDE by limiting network traffic to only what is necessary.
Key Risks
- Unauthorized access to the CDE through inbound connections that are not required for business.
- Data exfiltration, and malware communicating externally, through outbound traffic that is not restricted.
- Wireless networks reaching the CDE directly because no NSC sits between them.
- Overly broad or stale rulesets that are not reviewed after network changes or newly identified threats.
Frequently Asked Questions
What does Requirement 1.3 require for inbound and outbound traffic?
Inbound and outbound traffic to/from the CDE must be restricted to only what is necessary for business, with all other traffic denied by default.
How should wireless networks be handled?
Wireless networks must be segmented from the CDE, with NSCs installed between them and default-deny rules enforced.
Why is outbound traffic control important?
It helps prevent data exfiltration and limits the ability of malware to communicate externally.
How often should these controls be reviewed?
Controls should be reviewed regularly, especially after network changes or new threats are identified.
What are common mistakes organizations make with 1.3?
Common mistakes include allowing overly broad rules, failing to segment wireless networks, and not reviewing rulesets frequently.
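The checks behind sub-requirements 1.3.1 to 1.3.3 and the common mistakes listed above (overly broad allows, unsegmented wireless, missing default deny) can be expressed as an automated review of a ruleset. The following is an added example written for this page, not code from the PCI Security Standards Council or any firewall vendor. It assumes a hypothetical, simplified rule model (`Rule` with direction, action, source, destination, port and a documented justification) and constructed sample data (`SAMPLE_RULES`, `WIRELESS_NETS`); a real review would export rules from the actual NSC into this shape first.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Hypothetical, simplified rule model; real NSC syntax (iptables, vendor ACLs) differs.
@dataclass(frozen=True)
class Rule:
    direction: str            # "in" = into the CDE, "out" = out of the CDE
    action: str               # "allow" or "deny"
    src: str                  # source CIDR, or "any"
    dst: str                  # destination CIDR, or "any"
    port: str                 # destination port or range, or "any"
    justification: str = ""   # documented business need for the rule

REQ = {"in": "1.3.1", "out": "1.3.2"}


def _is_deny_all(r: Rule) -> bool:
    return r.action == "deny" and (r.src, r.dst, r.port) == ("any", "any", "any")


def _reaches_wireless(cidr: str, wireless_nets: List[str]) -> bool:
    """True if the source is 'any' or overlaps one of the wireless ranges."""
    if cidr == "any":
        return True
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(ipaddress.ip_network(w, strict=False)) for w in wireless_nets)


def audit(rules: List[Rule], wireless_nets: List[str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        # 1.3.1 / 1.3.2: the chain must end with an explicit deny-all rule
        if not chain or not _is_deny_all(chain[-1]):
            findings.append(f"{direction}: no explicit deny-all as the final rule ({REQ[direction]})")
        seen_deny_all = False
        for idx, r in enumerate(chain, 1):
            tag = f"{direction} rule {idx}"
            if seen_deny_all:
                findings.append(f"{tag}: unreachable, it is ordered after the deny-all")
                continue
            if _is_deny_all(r):
                seen_deny_all = True
                continue
            if r.action != "allow":
                continue
            # "any" in two or more of src/dst/port is treated as overly broad
            if sum(v == "any" for v in (r.src, r.dst, r.port)) >= 2:
                findings.append(f"{tag}: overly broad allow {r.src} -> {r.dst} port {r.port}")
            if not r.justification.strip():
                findings.append(f"{tag}: allow rule has no documented business justification")
            # 1.3.3: wireless ranges (or "any" source) must not be allowed straight into the CDE
            if direction == "in" and _reaches_wireless(r.src, wireless_nets):
                findings.append(f"{tag}: inbound allow from {r.src} admits wireless range(s) {wireless_nets} (1.3.3)")
    return findings


# Constructed sample data: 10.10.5.0/24 is the CDE, 10.50.0.0/16 is store Wi-Fi.
WIRELESS_NETS = ["10.50.0.0/16"]
SAMPLE_RULES = [
    Rule("in", "allow", "10.20.1.0/24", "10.10.5.10/32", "443", "POS terminals to payment application"),
    Rule("in", "allow", "10.50.3.0/24", "10.10.5.10/32", "443", "Store Wi-Fi POS to payment application"),
    Rule("in", "allow", "any", "any", "any", ""),
    Rule("in", "deny", "any", "any", "any", "default deny"),
    Rule("out", "allow", "10.10.5.0/24", "203.0.113.7/32", "443", "Acquirer API"),
    Rule("out", "allow", "10.10.5.0/24", "any", "any", "temporary troubleshooting"),
    Rule("out", "allow", "10.10.5.0/24", "10.10.9.20/32", "514", "syslog to SIEM"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, WIRELESS_NETS):
        print(finding)
```

On the sample data the audit reports the wireless subnet allowed directly into the CDE, the undocumented any/any/any inbound allow, the broad outbound troubleshooting rule, and the missing outbound deny-all; it is the ordering and the explicit final deny that a QSA will look for, so the check is deliberately on the last rule of each chain rather than on the presence of a deny anywhere.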
Common QSA Questions
Can you show your firewall rules for CDE inbound and outbound traffic?
Yes, our firewall rules are documented and restrict traffic to only necessary connections, with all other traffic explicitly denied.
How do you segment wireless networks from the CDE?
We use separate VLANs, firewalls, and access controls to ensure wireless networks cannot directly access the CDE.
How is outbound traffic from the CDE monitored and controlled?
Outbound traffic is restricted to only necessary destinations, monitored for anomalies, and reviewed regularly.