PCI-DSS and Firewalls: The Foundation of Cardholder Data Protection
The Payment Card Industry Data Security Standard (PCI-DSS) places network security controls — and firewalls in particular — at the center of its requirements. Requirements 1 and 2 of PCI-DSS v4.0 deal directly with network security controls, and firewall configuration evidence is among the most commonly requested items during a QSA (Qualified Security Assessor) audit. Being unprepared in this area is one of the fastest ways to fail an assessment.
This guide walks through the key firewall-related requirements and what you need to have in place — and documented — before an auditor arrives.
PCI-DSS v4.0 Requirement 1: Network Security Controls
Requirement 1 focuses on ensuring that network security controls are installed and maintained to protect the cardholder data environment (CDE). Key sub-requirements include:
- 1.2.1 – Network security control documentation: All network security controls must have documented configurations, including the rules in place and their business justification.
- 1.2.2 – Inbound and outbound traffic restriction: All traffic to and from the CDE must be restricted to that which is necessary, and all other traffic must be denied by default.
- 1.3.1 – Inbound traffic from untrusted networks: Only authorized traffic destined for specific ports/protocols/services may enter the CDE from untrusted networks.
- 1.3.2 – Outbound traffic from the CDE: Outbound traffic from the CDE must be limited to that required for business purposes, with all other traffic denied.
- 1.3.3 – Anti-spoofing controls: Firewalls must block forged source IP addresses (ingress filtering).
What Auditors Actually Look For
Beyond confirming that a firewall exists, QSAs will typically request:
- A current network diagram showing all connections into and out of the CDE, including wireless networks and third-party connections.
- Full firewall ruleset exports, often reviewed for the presence of any/any rules and rules without documented business justification.
- Evidence of a rule review process — typically, auditors want to see that rules are reviewed at least every six months.
- Documentation showing that all inbound/outbound rules have a named owner and a documented business reason.
- Change management records for recent firewall modifications.
The Six-Month Rule Review: What It Really Means
PCI-DSS requires organizations to review firewall and router rule sets at least every six months. This doesn't just mean printing out the ruleset and filing it. A compliant review process should:
- Involve the relevant rule owner confirming each rule is still needed (recertification).
- Result in the removal or modification of rules that no longer have a valid business justification.
- Be documented with a date, reviewer name, and outcome.
- Be tracked in your change management system.
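As an added example, not code from the original article: a small Python check over a constructed, simplified JSON ruleset export that flags the gaps named in the two lists above (any/any allow rules, rules without a named owner or business justification, and rules whose last review is older than six months). The export format, its field names and the 182-day interval are assumptions; a real vendor export needs its own parser in front of this.

```python
"""Audit-readiness check over a firewall ruleset export.

Added example, not from the original article. The export format is a
constructed, simplified JSON list; real exports (Cisco ASA, Palo Alto,
iptables, ...) need a vendor-specific parser in front of this.
"""
from datetime import date, timedelta
import json

# Constructed sample export: three rules with the fields an auditor asks for.
SAMPLE_EXPORT = """[
 {"id": 10, "src": "203.0.113.0/24", "dst": "10.10.0.5", "svc": "tcp/443",
  "action": "allow", "owner": "payments-team",
  "justification": "Web payment front end", "last_reviewed": "2024-03-01"},
 {"id": 20, "src": "any", "dst": "any", "svc": "any",
  "action": "allow", "owner": "", "justification": "",
  "last_reviewed": "2022-01-15"},
 {"id": 30, "src": "10.10.0.0/24", "dst": "any", "svc": "any",
  "action": "deny", "owner": "netsec",
  "justification": "Default deny from CDE", "last_reviewed": "2024-03-01"}
]"""

REVIEW_INTERVAL = timedelta(days=182)  # assumed reading of "every six months"


def find_gaps(rules, today):
    """Return (rule id, finding) tuples for the gaps the article lists."""
    findings = []
    for r in rules:
        # Broad permit rules: source and destination both unrestricted.
        if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any":
            findings.append((r["id"], "any/any allow rule"))
        if not r.get("owner"):
            findings.append((r["id"], "no named owner"))
        if not r.get("justification"):
            findings.append((r["id"], "no business justification"))
        if today - date.fromisoformat(r["last_reviewed"]) > REVIEW_INTERVAL:
            findings.append((r["id"], "review older than six months"))
    return findings


def audit_export(export_json, today=None):
    """Parse a JSON ruleset export; `today` is an ISO date or None for now."""
    as_of = date.fromisoformat(today) if today else date.today()
    return find_gaps(json.loads(export_json), as_of)


if __name__ == "__main__":
    for rule_id, finding in audit_export(SAMPLE_EXPORT, today="2024-06-01"):
        print(f"rule {rule_id}: {finding}")
```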
Common Gaps That Cause PCI Failures
| Gap | Risk | Fix |
|---|---|---|
| Undocumented rules | Auditor finding, possible fail | Tag every rule with owner and justification |
| No evidence of rule reviews | Requirement 1.2.7 finding | Schedule and document semi-annual reviews |
| Any/any rules in CDE | Critical finding | Scope and restrict all broad rules immediately |
| Stale network diagrams | Auditor distrust, scope gaps | Automate diagram generation where possible |
| No change control for firewall changes | Requirement 6 finding | All changes through documented change management |
Preparing Your Documentation Package
Build an audit-ready documentation package that includes: current network diagrams, firewall configuration exports, rule review records from the past 12 months, change management records, and your network security policy document. Keeping this package continuously updated — rather than scrambling before each audit — is the hallmark of a mature compliance program.