[PCI DSS 1.x] 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.

1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.

1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.
1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.
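Testing 1.2.1.a and 1.2.1.b by hand means reading every chain of every firewall and checking two things: each permitted flow is explicit and documented, and whatever is not permitted is denied, either by a default DROP policy or by a final unconditional deny rule. The following script is an added example written for this page (it is not from the PCI SSC, the forum posters, or any vendor) that automates that check over an iptables-save style ruleset. The ruleset is constructed here for illustration; the addresses, ports and "FW-00x" document references are made up, and the `iptables-save` format is assumed as the input.

```python
"""Audit an iptables-save style ruleset against the intent of PCI DSS 1.2.1:
every allow must be explicit (and ideally documented via a comment), and every
chain must end in a deny, either a DROP/REJECT policy or an unconditional
final deny rule.  Added example; constructed sample data, not a real CDE."""
import shlex

# Constructed sample ruleset.  INPUT and FORWARD are deny-by-default;
# OUTPUT is not, and one INPUT allow carries no documentation comment.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.5.0/24 -p tcp -m tcp --dport 443 -m comment --comment "POS to payment app (FW-001)" -j ACCEPT
-A FORWARD -s 10.10.5.0/24 -d 10.20.1.10/32 -p tcp -m tcp --dport 5432 -m comment --comment "payment app to card DB (FW-002)" -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -m comment --comment "to acquirer gateway (FW-003)" -j ACCEPT
COMMIT
"""

DENY_TARGETS = {"DROP", "REJECT"}
OPTION_KEYS = {"-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
               "-p": "proto", "--protocol": "proto",
               "--dport": "dport", "--destination-port": "dport"}


def parse_rules(ruleset_text):
    """Return {chain: {"policy": ..., "rules": [rule dicts]}}."""
    chains = {}
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                      # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            tokens = shlex.split(line)                # handles quoted --comment values
            rule = {"src": None, "dst": None, "proto": None, "dport": None,
                    "target": None, "comment": None, "matches": 0}
            i = 2
            while i < len(tokens):
                tok = tokens[i]
                nxt = tokens[i + 1] if i + 1 < len(tokens) else None
                if tok == "-j":
                    rule["target"] = nxt; i += 2
                elif tok == "-m":                     # module selector, not a condition
                    i += 2
                elif tok == "--comment":              # documentation, not a condition
                    rule["comment"] = nxt; i += 2
                elif tok in OPTION_KEYS:
                    rule[OPTION_KEYS[tok]] = nxt; rule["matches"] += 1; i += 2
                elif tok.startswith("-") and nxt is not None and not nxt.startswith("-"):
                    rule["matches"] += 1; i += 2      # other valued match (-i, --ctstate, ...)
                else:
                    rule["matches"] += 1; i += 1      # flag-style match (--syn) or "!"
            chains[tokens[1]]["rules"].append(rule)
    return chains


def describe_flow(rule):
    """One-line description suitable for the 1.2.1.a documentation list."""
    proto = rule["proto"] or "any"
    port = f"/{rule['dport']}" if rule["dport"] else ""
    return (f"{rule['src'] or 'any'} -> {rule['dst'] or 'any'} {proto}{port}: "
            f"{rule['comment'] or 'UNDOCUMENTED'}")


def audit(ruleset_text):
    """Return (report, findings).  A chain passes 1.2.1.b when its policy is a
    deny target or its last rule is an unconditional DROP/REJECT."""
    chains = parse_rules(ruleset_text)
    report, findings = {}, []
    for name, chain in chains.items():
        rules = chain["rules"]
        last = rules[-1] if rules else None
        ends_in_deny = last is not None and last["target"] in DENY_TARGETS and last["matches"] == 0
        deny_all = chain["policy"] in DENY_TARGETS or ends_in_deny
        allows = [r for r in rules if r["target"] == "ACCEPT"]
        undocumented = [r for r in allows if not r["comment"]]
        report[name] = {"deny_all": deny_all,
                        "allowed_flows": [describe_flow(r) for r in allows],
                        "undocumented": len(undocumented)}
        if not deny_all:
            findings.append(f"{name}: no explicit deny-all (policy {chain['policy']}, "
                            "no final unconditional DROP/REJECT) - fails 1.2.1.b")
        for r in allows:
            if r["matches"] == 0:
                findings.append(f"{name}: unconditional ACCEPT permits all traffic - fails 1.2.1.a")
            elif not r["comment"]:
                findings.append(f"{name}: undocumented allow {describe_flow(r)} - check 1.2.1.a evidence")
    return report, findings


if __name__ == "__main__":
    rep, found = audit(SAMPLE_RULESET)
    for chain, info in rep.items():
        print(f"{chain}: deny-all={'yes' if info['deny_all'] else 'NO'}")
        for flow in info["allowed_flows"]:
            print(f"    allow {flow}")
    print("\nFindings:" if found else "\nNo findings.")
    for f in found:
        print("  -", f)
```

Run against `iptables-save` output from the CDE firewall (or a lab host), and keep the printed allow list as the documentation evidence the assessor asks for under 1.2.1.a; the OUTPUT finding in the sample is the classic gap, since outbound traffic is often left at an ACCEPT policy with no terminating deny.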

Segmented Application Deployment Options

I am interested in hearing some of the methods that either merchants on here have deployed or QSAs have seen utilized to deploy payment applications in a segmented manner. I have used a variety of methods ranging from isolated VLANs to Citrix. Single-use terminals (i.e. a retail POS station) are easy enough to segment utilizing VLANs. I have found it gets tricky when you begin dealing with multi-use PCs such as those used by back-office functions such as accounting, revenue management, etc. These employees may be responsible for running reports and performing other types of administrative/managerial activities within payment applications and also require access to a suite of normal desktop applications that may include Office, IE, accounting applications, etc. I have used Citrix to successfully deploy payment applications to these types of workstations in the past. That being said, solutions such as Citrix may not be a scalable or cost-effective solution to put in place at smaller locations. It is also not realistic to put two different PCs on every desk that sit on two different VLANs (payment processing vs. non-payment processing). What other scenarios have you seen out there that still allow for a successful level of network segmentation?

1.2 Untrusted Networks

The preamble for 1.2 has a note that states what an ‘Untrusted Network’ is:

(An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity’s ability to control or manage.)

Our QSA quite rightly identified this as Out of Scope as we have none. He then went ahead and assessed us against 1.2.1, 1.2.2 and 1.2.3. Surely these are subsets that only have to be examined against ‘Untrusted networks’, i.e. if 1.2 is out of scope so should be 1.2.x? Can anyone clarify this? The test procedure notes clearly indicate that these are tests against the ‘Untrusted Network’.

Untrusted v. Trusted

JDM123 - I’m not entirely certain what your question is. Clearly networks out of your control are not in scope. The purpose of the firewall requirement is to ensure that traffic is controlled to/from any untrusted network to/from the cardholder environment. Clearly the firewall is in scope. Please clarify your question.

My company is planning to roll out an APN solution. How would this affect remote access requirements from PCI-DSS?

Will the APN process or transmit CHD? Will the APN allow access into the CHD environment?

Thank you for the post.