1.5 Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
This requirement focuses on mitigating risks to the cardholder data environment (CDE) from computing devices that connect to both untrusted networks and the CDE. It ensures that organizations implement security controls to protect the CDE from threats that could be introduced through these devices.
Sub-requirements:
1.5. Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
Prevent threats from dual-homed devices that could bridge untrusted networks and the CDE.
Key Risks
Frequently Asked Questions
What is a dual-homed device?
A device that can connect to both untrusted networks (like the internet) and the cardholder data environment (CDE).
Why are dual-homed devices a risk?
They can act as a bridge for attackers to access the CDE from an untrusted network if not properly secured.
What controls should be applied to dual-homed devices?
Endpoint protection, host-based firewalls, and mobile device management should be enforced, and users should not be able to disable these controls.
How are exceptions to security controls managed?
Exceptions must be documented, approved, and limited in duration, with compensating controls in place.
How can organizations detect dual-homed devices?
By monitoring network connections, using NAC solutions, and regularly scanning for unauthorized devices.
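As an added illustration of the detection approach described above (not part of the original page or of the PCI DSS standard), the following Python script flags hosts whose interfaces sit in both a CDE range and an untrusted range, and reports whether the host-based firewall is still enforced. The address ranges, host names and inventory records are constructed assumptions standing in for an export from an NAC or endpoint agent.

```python
import ipaddress

# Constructed assumption: the CDE is the 10.10.0.0/16 segment and a
# management LAN (10.20.0.0/16) is also trusted; anything else (guest Wi-Fi,
# public Internet addresses) is treated as untrusted.
CDE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
TRUSTED_NETS = CDE_NETS + [ipaddress.ip_network("10.20.0.0/16")]

# Constructed inventory records, in the shape an endpoint agent or NAC
# might export: host name, interface addresses, host-firewall state.
INVENTORY = [
    {"host": "pos-01", "addrs": ["10.10.4.21"], "fw": True},
    {"host": "admin-laptop", "addrs": ["10.10.9.7", "192.168.43.15"], "fw": True},
    {"host": "contractor-vm", "addrs": ["10.10.2.30", "203.0.113.8"], "fw": False},
    {"host": "hr-desktop", "addrs": ["10.20.1.50"], "fw": True},
]


def classify(addr):
    """Map one interface address to the zone it belongs to."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in CDE_NETS):
        return "cde"
    if any(ip in net for net in TRUSTED_NETS):
        return "trusted"
    return "untrusted"


def find_dual_homed(inventory):
    """Return hosts that touch both the CDE and an untrusted network.

    Each finding records the untrusted addresses involved and whether the
    host-based firewall (the control requirement 1.5 expects) is enabled.
    """
    findings = []
    for rec in inventory:
        zones = {classify(a) for a in rec["addrs"]}
        if "cde" in zones and "untrusted" in zones:
            findings.append({
                "host": rec["host"],
                "host_firewall": rec["fw"],
                "untrusted_addrs": [a for a in rec["addrs"] if classify(a) == "untrusted"],
            })
    return findings


if __name__ == "__main__":
    for f in find_dual_homed(INVENTORY):
        state = "controls present" if f["host_firewall"] else "VIOLATION: host firewall disabled"
        print(f"{f['host']}: bridges CDE and {f['untrusted_addrs']} -> {state}")
```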
Common QSA Questions
How do you identify devices that connect to both untrusted networks and the CDE?
We use network access control systems and regular network scans to detect dual-homed devices.
What security controls are enforced on dual-homed devices?
Endpoint protection, host-based firewalls, and device management policies are enforced and cannot be disabled by users.
How do you handle exceptions where controls must be temporarily disabled?
All exceptions are documented, approved and time-limited, and compensating controls are implemented for the duration of the exception.