[PCI DSS 3.0] 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data envir

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

1.2.1.a Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment.

1.2.1.b Examine firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment.

1.2.1.c Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.

This requirement is intended to prevent malicious individuals from accessing the entity’s network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they’ve obtained from within your network out to an untrusted server).

Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
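The testing procedures 1.2.1.b and 1.2.1.c can be mechanised for a Linux host firewall. The script below is an added example and is not PCI SSC material or part of any assessor toolkit: it parses `iptables-save` output, treats a constructed allowlist of (chain, match expression) pairs as the stand-in for the entity's documented traffic standard from 1.2.1.a, flags every ACCEPT rule that is not on that list (1.2.1.b), and flags every built-in chain that neither has a DROP/REJECT policy (implicit deny) nor ends in an unconditional DROP/REJECT rule (explicit “deny all”) for 1.2.1.c. The sample ruleset is constructed and deliberately contains two gaps: an undocumented telnet allow on INPUT and an OUTPUT chain that falls through to an ACCEPT policy.

```python
"""Audit an iptables-save style ruleset against PCI DSS 1.2.1 (b) and (c).

Added example, not from the PCI SSC. The sample ruleset and the documented-flow
allowlist are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of what `iptables-save` prints for the filter table.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
"""

# Constructed stand-in for the entity's 1.2.1.a traffic standard: every
# (chain, match expression) pair the cardholder data environment actually needs.
DOCUMENTED_FLOWS = {
    ("INPUT", "-i lo"),
    ("INPUT", "-m conntrack --ctstate ESTABLISHED,RELATED"),
    ("INPUT", "-p tcp --dport 443"),    # customers reach the payment web tier
    ("OUTPUT", "-p tcp --dport 443"),   # calls out to the payment gateway
    ("OUTPUT", "-p udp --dport 53"),    # DNS resolution
}

DENY_TARGETS = {"DROP", "REJECT"}


@dataclass
class Rule:
    match: str   # everything between the chain name and -j; "" for a catch-all rule
    target: str


@dataclass
class Chain:
    policy: str  # built-in chain policy, or "-" for user-defined chains
    rules: list = field(default_factory=list)


_RULE_RE = re.compile(r"^-A (\S+)\s*(.*?)\s*-j (\S+)$")


def parse_iptables_save(text):
    """Return {chain_name: Chain} from iptables-save output (filter table only)."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # e.g. ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(policy=policy)
        elif line.startswith("-A "):                  # e.g. "-A INPUT -p tcp --dport 443 -j ACCEPT"
            m = _RULE_RE.match(line)
            if not m:
                continue
            chain, match, target = m.groups()
            chains.setdefault(chain, Chain(policy="ACCEPT")).rules.append(Rule(match, target))
    return chains


def chain_denies_by_default(chain):
    """1.2.1.c: implicit deny via policy, or an explicit unconditional deny as the last rule."""
    if chain.policy in DENY_TARGETS:
        return True
    return bool(chain.rules) and chain.rules[-1].match == "" and chain.rules[-1].target in DENY_TARGETS


def audit(text, documented=DOCUMENTED_FLOWS):
    """Return a list of (requirement, chain, detail) findings; an empty list means compliant."""
    findings = []
    for name, chain in parse_iptables_save(text).items():
        for rule in chain.rules:
            if rule.target == "ACCEPT" and (name, rule.match) not in documented:
                findings.append(("1.2.1.b", name, f"undocumented allow: {rule.match}"))
        # User-defined chains (policy "-") return to their caller, so only built-in
        # chains are held to the deny-all check.
        if chain.policy != "-" and not chain_denies_by_default(chain):
            findings.append(("1.2.1.c", name, f"no deny-all; falls through to policy {chain.policy}"))
    return findings


if __name__ == "__main__":
    for req, chain, detail in audit(SAMPLE_RULESET):
        print(f"{req} {chain}: {detail}")
```

Against the sample this reports the telnet allow under 1.2.1.b and the OUTPUT chain under 1.2.1.c; removing the telnet rule and appending `-A OUTPUT -j DROP` clears both. Keeping the allowlist as literal match expressions means the audit only passes rules that appear verbatim in the documented standard, which is the evidence an assessor is asked to compare in 1.2.1.a and 1.2.1.b.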