Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Simply stated - Secure networks with access to cardholder data must be protected by physical (hardware) firewalls. Individual devices with access to secure networks must be protected by personal (software) firewalls.

A stateful firewall must be in place to protect your cardholder data environment (CDE) from untrusted networks, including your other networks if you are using segmentation. You can use a single firewall with different firewall zones and strict access control lists (ACLs) to meet this requirement. If you have any publicly-accessible services, such as web servers, mail servers, API servers, or VPN servers, the devices providing these services should be placed in a demilitarized zone (DMZ) network, with limited access to both internal and external networks. Any devices that store cardholder data must not be placed in the DMZ.

Updated network and cardholder data flow diagrams must be maintained.

A firewall configuration standard must be documented and followed. The firewall configuration standard documentation must include the assignment of firewall management responsibilities to specific teams or individuals.

For each ACL entry configured on the firewall permitting traffic into and out of your DMZ and internal CDE zones, a justification for the rule must be documented. Firewall rulesets must be reviewed at least every 6 months to ensure that unnecessary ACL entries are identified and removed.
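The DMZ placement rule above and the per-rule justification and 6-month review requirement can be checked mechanically against an exported ruleset. The following script is an added example, not from the page or from any PCI DSS tooling: it assumes rules are exported as records with zone names `internet`, `dmz`, `cde` and `internal` (assumed names), a free-text justification and an ISO review date, and uses 182 days as the concrete cutoff for "at least every 6 months".

```python
from datetime import date, timedelta

# "At least every 6 months" from the requirement; 182 days is an assumed concrete cutoff.
REVIEW_INTERVAL = timedelta(days=182)
UNTRUSTED = {"internet"}      # assumed zone name for the untrusted network
PROTECTED = {"dmz", "cde"}    # zones whose permit rules need a documented justification

def review_ruleset(rules, hosts, today):
    """Return a list of findings (strings); an empty list means nothing to fix."""
    findings = []
    for r in rules:
        # Every rule, permit or deny, is re-examined on the 6-month cycle.
        last = date.fromisoformat(r["reviewed"])
        if today - last > REVIEW_INTERVAL:
            findings.append(f"{r['id']}: last reviewed {last}, more than 6 months ago")
        if r["action"] != "permit":
            continue
        # Permit rules into or out of the DMZ / CDE zones need a documented justification.
        if {r["src"], r["dst"]} & PROTECTED and not r.get("justification"):
            findings.append(f"{r['id']}: permit rule {r['src']}->{r['dst']} has no documented justification")
        # Untrusted networks reach the CDE only via the DMZ, never directly.
        if r["src"] in UNTRUSTED and r["dst"] == "cde":
            findings.append(f"{r['id']}: permits untrusted network directly into the CDE")
    for h in hosts:
        # Anything that stores cardholder data must not sit in the DMZ.
        if h["zone"] == "dmz" and h["stores_chd"]:
            findings.append(f"{h['name']}: stores cardholder data but is placed in the DMZ")
    return findings

# Constructed sample data, not taken from any real environment.
SAMPLE_RULES = [
    {"id": "R1", "src": "internet", "dst": "dmz", "action": "permit",
     "justification": "Public storefront HTTPS", "reviewed": "2024-01-15"},
    {"id": "R2", "src": "dmz", "dst": "cde", "action": "permit",
     "justification": "", "reviewed": "2024-03-01"},
    {"id": "R3", "src": "internet", "dst": "cde", "action": "permit",
     "justification": "Vendor remote support", "reviewed": "2023-06-01"},
    {"id": "R4", "src": "internal", "dst": "internet", "action": "deny",
     "justification": "", "reviewed": "2022-01-01"},
]
SAMPLE_HOSTS = [
    {"name": "web01", "zone": "dmz", "stores_chd": False},
    {"name": "db01", "zone": "dmz", "stores_chd": True},
]

def run_sample():
    """Review the constructed sample as of a fixed date so results are reproducible."""
    return review_ruleset(SAMPLE_RULES, SAMPLE_HOSTS, date(2024, 4, 1))

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```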

A personal firewall must be enabled on all laptops that are used to access the internet when the laptop is taken out of the CDE.

What is a DMZ and why do I need one? Computer networks fulfill unique roles in your organization. Depending on the role assigned to a network, that network may be more or less vulnerable to being compromised externally for malicious purposes. Networks that must be externally accessible by design (such as a website, which must allow web visitors, or a mail server, which must send and receive email) are more vulnerable to exploitation than networks that do not allow external or anonymous usage. Hackers are often able to exploit vulnerabilities in a peripheral system (a content management system, chat software, etc.) and then eventually work their way to enhanced access within a network. A DMZ is a network that is exposed directly to an insecure external network (such as the internet). Because of this enhanced risk, DMZ networks should be separated from secure internal networks, and access between these networks strictly controlled. If a DMZ is properly constructed, network administrators gain extra time to prevent access to sensitive data in the event the DMZ is compromised.

What are firewall configuration standards? The PCI data security standard specifically calls out a minimal set of configuration requirements, among them: versions and patches (critical patches must be applied within one month of release); active service tracking (disabled ports, protocols, and services must be listed, and default services that are not required for your network should be disabled); protection of private IP address information; network architecture (all DMZs must be connected to internal networks through firewalls); and access control (vendor-provided credentials must be changed from their defaults).
