1.4 Network connections between trusted and untrusted networks are controlled.
This requirement focuses on controlling network connections between trusted and untrusted networks. It ensures that organizations implement network security controls (NSCs) at those boundaries so that trusted networks are protected from unauthorized access originating in untrusted networks.
Sub-requirements:
- 1.4.1 NSCs are implemented between trusted and untrusted networks.
- 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted to:
- 1.4.3 Anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the trusted network.
- 1.4.4 System components that store cardholder data are not directly accessible from untrusted networks.
- 1.4.5 The disclosure of internal IP addresses and routing information is limited to only authorized parties.
Ensure all connections between trusted and untrusted networks are protected and monitored by NSCs.
Frequently Asked Questions
What is the main objective of Requirement 1.4?
To ensure that all network connections between trusted and untrusted networks are controlled, monitored, and protected by network security controls.
What are anti-spoofing measures?
Anti-spoofing measures prevent attackers from sending network packets with forged source IP addresses to bypass controls.
How do you prevent direct access to CHD storage from untrusted networks?
By using segmentation and access controls, and by ensuring that CHD storage systems are never directly reachable from untrusted networks.
What information should not be disclosed externally?
Internal IP addresses and routing information should be limited to authorized parties only.
How are trusted and untrusted networks defined?
Trusted networks are within the organization’s control and protected by security controls; untrusted networks are external or not under direct control.
Common QSA Questions
How do you enforce boundaries between trusted and untrusted networks?
We deploy firewalls and network security controls at every boundary and restrict traffic based on business need.
What anti-spoofing controls are in place?
We use ingress filtering, uRPF, and firewall rules to block spoofed packets.
How do you ensure CHD storage is not directly accessible from untrusted networks?
CHD storage is placed in isolated network segments with no direct routes from untrusted networks.
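The anti-spoofing answer above (ingress filtering, uRPF, firewall rules) and the segmentation answer (no direct route from untrusted networks to CHD storage) describe decisions a network security control makes on every packet. The following Python model is an added illustration written for this page, not code from PCI DSS or from any firewall product. It assumes a constructed address plan: a "trusted" interface facing 10.0.0.0/8, an "untrusted" Internet-facing interface, one published DMZ service at 10.1.0.10:443, and a CHD storage segment at 10.9.0.0/24; all addresses and sample packets are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for this example (hypothetical, not from the page):
# "trusted" is the internal side, "untrusted" the Internet-facing side of the NSC.
ROUTES = [                       # (prefix, interface the prefix is reachable through)
    (ip_network("10.0.0.0/8"), "trusted"),
    (ip_network("0.0.0.0/0"), "untrusted"),
]
BOGONS = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                                  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
DMZ_SERVICES = {("10.1.0.10", 443)}     # the only service published to untrusted networks
CHD_NET = ip_network("10.9.0.0/24")     # segment holding cardholder data storage


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrived on: "trusted" or "untrusted"
    src: str
    dst: str
    dport: int
    established: bool = False   # True if the NSC already tracks this flow (reply traffic)


def route_iface(addr: str) -> str:
    """Longest-prefix-match lookup: which interface would we use to reach addr?"""
    ip = ip_address(addr)
    best = max((net for net, _ in ROUTES if ip in net), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]


def anti_spoof(pkt: Packet):
    """Ingress (bogon) filtering plus strict uRPF. Returns a drop reason, or None if the source is plausible."""
    src = ip_address(pkt.src)
    if pkt.iface == "untrusted" and any(src in b for b in BOGONS):
        return "bogon source on untrusted interface"
    # Strict uRPF: the packet must arrive on the interface we would route its source address through.
    # This catches forged internal sources arriving from outside AND forged external sources leaving from inside.
    expected = route_iface(pkt.src)
    if expected != pkt.iface:
        return f"uRPF failure: source {pkt.src} belongs behind '{expected}', arrived on '{pkt.iface}'"
    return None


def inbound_policy(pkt: Packet):
    """Default-deny for traffic entering from the untrusted side; CHD segment is never directly reachable."""
    if pkt.iface != "untrusted":
        return ("allow", "outbound/internal traffic, governed by separate policy")
    if ip_address(pkt.dst) in CHD_NET:
        return ("deny", "CHD storage segment is never directly reachable from untrusted networks")
    if pkt.established:
        return ("allow", "reply to an established outbound connection")
    if (pkt.dst, pkt.dport) in DMZ_SERVICES:
        return ("allow", "published DMZ service")
    return ("deny", "no rule permits this inbound traffic")


def filter_packet(pkt: Packet):
    """Full NSC decision: anti-spoofing first, then the inbound policy. Returns (action, reason)."""
    reason = anti_spoof(pkt)
    if reason:
        return ("drop", reason)
    return inbound_policy(pkt)


# Constructed sample traffic exercising each decision path.
SAMPLE = [
    Packet("untrusted", "203.0.113.7", "10.1.0.10", 443),           # legitimate client to web front end
    Packet("untrusted", "10.5.5.5", "10.1.0.10", 443),              # forged internal source
    Packet("untrusted", "127.0.0.1", "10.1.0.10", 443),             # bogon source
    Packet("untrusted", "203.0.113.7", "10.9.0.5", 3306),           # direct attempt at CHD segment
    Packet("untrusted", "203.0.113.7", "10.1.0.10", 22),            # unpublished service
    Packet("untrusted", "198.51.100.9", "10.2.0.4", 51000, True),   # reply traffic
    Packet("trusted", "198.51.100.9", "203.0.113.7", 80),           # forged external source leaving inside
]

if __name__ == "__main__":
    for p in SAMPLE:
        action, why = filter_packet(p)
        print(f"{action:5} {p.iface:9} {p.src:>14} -> {p.dst}:{p.dport}  ({why})")
```

Two points the model makes visible: uRPF alone would pass a loopback or link-local source arriving from the Internet (the default route points back out the same interface), which is why a bogon list is applied alongside it; and the CHD-segment deny sits before the established-connection allow, so even a tracked flow cannot be steered into the storage segment from the untrusted side. Every drop and deny reason is a string suitable for logging, which is the evidence a QSA will ask to see.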