1.3.7 Place system components that
store cardholder data (such as a
database) in an internal network zone,
segregated from the DMZ and other
untrusted networks.
1.3.7 Examine firewall and router configurations to verify that
system components that store cardholder data are on an
internal network zone, segregated from the DMZ and other
untrusted networks.
If cardholder data is located within the DMZ, it is
easier for an external attacker to access this
information, since there are fewer layers to
penetrate. Securing system components that
store cardholder data in an internal network zone
that is segregated from the DMZ and other
untrusted networks by a firewall can prevent
unauthorized network traffic from reaching the
system component.
Note: This requirement is not intended to apply to
temporary storage of cardholder data in volatile
memory.