[PCI DSS 1.x] 1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet

[PCI-DSS] 1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.

1.3.3 Verify there is no direct route inbound or outbound for traffic between the Internet and the cardholder data environment.

So what does direct connect mean anyway?

I am having all sorts of problems with this item…

Assumptions: Data is pushed to the Credit Card processor; Data is pulled from the Credit Card processor.

Questions:

  1. What does the “Cardholder Data Environment” mean? Look in the glossary and if one follows the guidelines for 1.3.3 (which says to stage the data through a DMZ box), your DMZ now becomes part of the Cardholder Data environment and can’t have direct access to… oops endless loop…

OK, so we assume that the rule should be that the cardholder data environment is anywhere where the cardholder data is NOT encrypted. So, one could (must) stage it through a DMZ box - as long as one is using encryption based upon a shared secret… - Key Management worries now!!

It would appear that SSH is now no longer an acceptable method of sending information to the card processor??

Anyone have any thoughts on this ??

Villy, CISA
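As an added illustration of the DMZ-staging model described in the post above (this is not code from the forum or from the PCI SSC), here is a small check over a constructed firewall rule list that flags any permit rule joining the Internet and the CDE without passing through the DMZ. The subnet assignments, the rule format ("permit proto src dst port") and the rule lines themselves are all assumed sample values.

```python
import ipaddress

# Constructed zone definitions for the example (assumed, not from the thread)
CDE = [ipaddress.ip_network("10.10.0.0/24")]          # where cardholder data is in the clear
DMZ = [ipaddress.ip_network("192.168.100.0/24")]      # staging hosts facing the Internet
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def zone(prefix):
    """Classify a prefix; anything not fully inside an internal range is treated as Internet.
    This is deliberately conservative: 0.0.0.0/0 or a public /32 both count as Internet."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(c) for c in CDE):
        return "cde"
    if any(net.subnet_of(d) for d in DMZ):
        return "dmz"
    if any(net.subnet_of(p) for p in PRIVATE):
        return "internal"
    return "internet"


def find_direct_routes(rules):
    """Return (rule, reason) for every permit rule whose endpoints are Internet and CDE,
    in either direction. Deny rules never create a path and are ignored."""
    findings = []
    for line in rules:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "permit":
            continue
        src, dst = zone(parts[2]), zone(parts[3])
        if {src, dst} == {"internet", "cde"}:
            findings.append((line, f"{src} -> {dst} bypasses the DMZ (PCI DSS 1.3.3)"))
    return findings


# Constructed sample rule set (assumed format: permit/deny proto src dst [port])
RULES = [
    "permit tcp 0.0.0.0/0 192.168.100.0/24 443",      # Internet -> DMZ: staged, acceptable
    "permit tcp 192.168.100.0/24 10.10.0.0/24 8443",  # DMZ -> CDE: staged, acceptable
    "permit tcp 10.10.0.0/24 203.0.113.10/32 22",     # CDE -> processor over SSH: direct route
    "permit tcp 0.0.0.0/0 10.10.0.0/24 22",           # Internet -> CDE: direct route
    "deny ip 0.0.0.0/0 0.0.0.0/0",
]

if __name__ == "__main__":
    for rule, reason in find_direct_routes(RULES):
        print(f"VIOLATION: {rule}  ({reason})")
```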

VillyM – you raised the same issue that exists in Section 1.3.5.

PGP encrypted file transferred via SFTP/SSH is still very common… I have asked the same question that you asked many times but could never get a consistent answer.

Short of implementing a SOCKS proxy (which itself could be problematic to maintain) – I am also at a loss on how to interpret sections 1.3.3 through 1.3.5

I am new to PCI DSS and this forum so please bear with me…

What does this section mean and why do we need to do that ?

“Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.”