1.3 Prohibit direct public access
between the Internet and any system
component in the cardholder data
environment.
1.3 Examine firewall and router configurations—including but
not limited to the choke router at the Internet, the DMZ router
and firewall, the DMZ cardholder segment, the perimeter router,
and the internal cardholder network segment—and perform the
following to determine that there is no direct access between the
Internet and system components in the internal cardholder
network segment:
A firewall’s intent is to manage and control all
connections between public systems and internal
systems, especially those that store, process or
transmit cardholder data. If direct access is
allowed between public systems and the CDE, the
protections offered by the firewall are bypassed,
and system components storing cardholder data
may be exposed to compromise.