The document outlines the PCI DSS requirements, focusing on the establishment and maintenance of secure network configurations to protect cardholder data. It emphasizes the importance of firewalls in controlling network traffic and includes specific procedures for testing firewall and router configurations to ensure compliance. Key requirements include documenting security standards, maintaining current network diagrams, and regularly reviewing firewall rules.

1. PCI DSS Requirements and Security Assessment Procedures
Copyright 2010 PCI Security Standards Council LLC
1.0.0
Build and Maintain a Secure Network - Requirement 1
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic
into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive
area within an entity’s trusted network.
A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce,
employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via
wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into
key systems. Firewalls are a key protection mechanism for any computer network.
Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement
1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included
within the scope and assessment of Requirement 1
ID PCI DSS Requirements Testing Procedures
1.1.0
1.1 Establish firewall and
router configuration standards
that include the following the
requirements in 1.1.1 through
1.1.6.
1.1 Obtain and inspect the
firewall and router
configuration standards and
other documentation specified
below to verify that standards
are complete.
In Place Not In Place Target Date/Comments
1.1.1
1.1.1 A formal process for
approving and testing all
network connections and
changes to the firewall and
router configurations
1.1.1 Verify that there is a
formal process for testing and
approval of all network
connections and changes to
firewall and router
configurations.
In
Place
est magna, blandit non
egestas id, commodo ac
nisi.
Select
(c) Preparation by Prep4Audit LLC 1 of 4

2. PCI DSS Requirements and Security Assessment Procedures
Copyright 2010 PCI Security Standards Council LLC
1.1.2.a Verify that a current
network diagram (for example,
one that shows cardholder
data flows over the network)
exists and that it documents all
connections to cardholder
data, including any wireless
networks.
Not In
Place
Curabitur sed ornare
augue. Aenean purus
sapien, aliquet a purus a,
fermentum commodo
purus. Maecenas
consequat augue mi,
varius pellentesque nulla
ultrices
Cras vulputate faucibus
felis, ut tincidunt dui
luctus laoreet. Sed ipsum
diam, tristique vel tellus
eget, sollicitudin
consectetur sem.
1.1.2.b Verify that the diagram
is kept current.
1.1.3.a Verify that firewall
configuration standards
include requirements for a
firewall at each Internet
connection and between any
DMZ and the internal network
zone.
In
Place
Phasellus congue viverra
dolor nec ultricies. Sed
sem felis, molestie ut
eleifend tempus, rutrum
ac tortor.
1.1.3.b Verify that the current
network diagram is consistent
with the firewall configuration
standards.
Not In
Place
Praesent ut mollis est.
Nam egestas metus sed
mauris cursus
condimentum.
Integer facilisis tortor
non lacus tincidunt
1.1.4
1.1.4 Description of groups,
roles, and responsibilities for
logical management of
network components
1.1.4 Verify that firewall and
router configuration standards
include a description of groups,
roles, and responsibilities for
logical management of
network components.
In
Place
1.1.2
1.1.2 Current network diagram
with all connections to
cardholder data, including any
wireless networks
1.1.3
1.1.3 Requirements for a
firewall at each Internet
connection and between any
demilitarized zone (DMZ) and
the internal network zone
(c) Preparation by Prep4Audit LLC 2 of 4

3. PCI DSS Requirements and Security Assessment Procedures
Copyright 2010 PCI Security Standards Council LLC
1.1.5.a Verify that firewall and
router configuration standards
include a documented list of
services, protocols and ports
necessary for business—for
example, hypertext transfer
protocol (HTTP) and Secure
Sockets Layer (SSL), Secure
Shell (SSH), and Virtual Private
Network (VPN) protocols.
In
Place
1.1.5.b Identify insecure
services, protocols, and ports
allowed; and verify they are
necessary and that security
features are documented and
implemented by examining
firewall and router
configuration standards and
settings for each service.
1.1.6.a Verify that firewall and
router configuration standards
require review of firewall and
router rule sets at least every
six months.
1.1.6.b Obtain and examine
documentation to verify that
the rule sets are reviewed at
least every six months.
1.1.5
1.1.6
1.1.5 Documentation and
business justification for use of
all services, protocols, and
ports allowed, including
documentation of security
features implemented for
those protocols considered to
be insecure.Examples of
insecure services, protocols, or
ports include but are not
limited to FTP, Telnet, POP3,
IMAP, and SNMP.
1.1.6 Requirement to review
firewall and router rule sets at
least every six months
(c) Preparation by Prep4Audit LLC 3 of 4

4. PCI DSS Requirements and Security Assessment Procedures
Copyright 2010 PCI Security Standards Council LLC
ID PCI DSS Requirements Testing Procedures
1.2.0
1.2 Build firewall and router
configurations that restrict
connections between
untrusted networks and any
system components in the
cardholder data environment.
Note: An untrusted network is
any network that is external to
the networks belonging to the
entity under review, and/or
1.2 Examine firewall and router
configurations to verify that
connections are restricted
between untrusted networks
and system components in the
cardholder data environment,
as specified below.
In Place Not In Place Target Date/Comments
1.2.1.a Verify that inbound and
outbound traffic is limited to
that which is necessary for the
cardholder data environment,
and that the restrictions are
documented.
1.2.1.b Verify that all other
inbound and outbound traffic
is specifically denied, for
example by using an explicit
"deny all" or an implicit deny
after allow statement.
Select
1.2.1 Restrict inbound and
outbound traffic to that which
is necessary for the cardholder
data environment.
1.2.1
(c) Preparation by Prep4Audit LLC 4 of 4