[PCI DSS 1.x] 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.

1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.
1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit

Segmentation of CHD

We host a number of websites and pass information to our Payment Gateway. We do not store any CHD; we just pass it to our Gateway. If we put the Gateway behind a firewall, will this make the rest of our network out of scope?

Our webservers use HTTPS and are in a DMZ at present, so I assume if we pinhole the firewall in front of the payment gateway for the webservers to access it, this would be OK.

Also, if our admin guys need to RDP or SSH to the Gateway from their machines, is this OK, or will this then put their machines in scope as well?

I can’t seem to find a definite answer to what’s classed as in scope.

Hope somebody can help.
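An added example (not from the requirement text or from any poster): a small Python check that models the scenario above, DMZ web servers and an admin jump host reaching the gateway, and flags what the 1.2.1.a and 1.2.1.b testing procedures look for: allow rules without a documented business need, allow rules broader than necessary, and a rule set that does not end in an explicit deny-all. The host names and the rule format are assumptions made up for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    direction: str        # "in" or "out", relative to the CDE segment
    action: str           # "allow" or "deny"
    src: str
    dst: str
    port: str             # "443", "22", ... or "any"
    justification: str = ""   # business need; required for allow rules (1.2.1.a)

def is_deny_all(r):
    return r.action == "deny" and (r.src, r.dst, r.port) == ("any", "any", "any")

def check_policy(rules):
    """Return a list of findings; an empty list means the policy satisfies 1.2.1.a/b."""
    findings = []
    for d in ("in", "out"):
        dir_rules = [r for r in rules if r.direction == d]
        if not dir_rules or not is_deny_all(dir_rules[-1]):
            findings.append(f"{d}: traffic does not end in an explicit deny-all (1.2.1.b)")
        for n, r in enumerate(dir_rules, 1):
            if r.action != "allow":
                continue
            if not r.justification.strip():
                findings.append(f"{d} rule {n}: allow without documented justification (1.2.1.a)")
            if "any" in (r.src, r.dst, r.port):
                findings.append(f"{d} rule {n}: allow broader than necessary ({r.src}->{r.dst}:{r.port})")
    return findings

# Constructed sample: host names are placeholders, not from any real network.
GOOD_POLICY = [
    Rule("in", "allow", "dmz-web", "payment-gw", "443", "web servers submit card data to gateway"),
    Rule("in", "allow", "admin-jump", "payment-gw", "22", "gateway administration from jump host"),
    Rule("in", "deny", "any", "any", "any"),
    Rule("out", "allow", "payment-gw", "acquirer", "443", "gateway forwards transactions to acquirer"),
    Rule("out", "deny", "any", "any", "any"),
]

# Same intent with the shortcuts an assessor flags: an undocumented allow from any host,
# an outbound allow to anywhere, and no explicit deny in either direction.
WEAK_POLICY = [
    Rule("in", "allow", "any", "payment-gw", "443"),
    Rule("in", "allow", "admin-pcs", "payment-gw", "3389", "RDP for admins"),
    Rule("out", "allow", "payment-gw", "any", "any", "let the gateway talk out"),
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_policy(policy) or "OK")
```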

VoIP Segmentation

We’ve been told that securing the VoIP VLAN is part of the restriction being pushed by PCI-DSS. We’ve been doing that for some of our accounts and not for others, meaning some VoIP VLANs are behind a firewall with only the necessary ports opened and some are just sitting inside our network within our L3 environment.

However, after years of being audited for PCI-DSS, this new QSA suddenly asked us to restrict ports on the main VoIP system (Avaya). Apparently, like any other VoIP system, one card/box provides signalling and the other one is for the RTP stream. The QSA is requesting that we put the whole VoIP system behind a firewall, but when we questioned him on why we have to do this, we were a bit surprised that he asked for a diagram, as he is not aware of how the VoIP system works. We told him that the signalling and media processor cards cannot even be managed via SSH or Telnet. The only system that can control these cards is the main server, to which the CHD environment doesn’t have access. He said that “anything” that has a connection to the PCI zone should be firewalled. If he said that we should put the main server behind the firewall, then I would understand, but not the signalling and voice bearer boards.

Not sure if he is going overboard this time.