Requirement 1

Question 1

What is requirement 1 in PCI DSS 3.2.1?

Answer 1

Install and maintain a firewall configuration to protect cardholder data

Question 2

Which sub-requirement reads, “Establish and implement firewall and router configuration standards that include the following:”?

Answer 2

Requirement 1.1

Question 3

Which sub-requirement reads, “Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment”?

Answer 3

Requirement 1.2

Question 4

Which sub-requirement reads, “Prohibit direct public access between the Internet and any system component in the cardholder data environment.”?

Answer 4

Requirement 1.3

Question 5

Which sub-requirement reads, “Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
Specific configuration settings are defined
Personal firewall (or equivalent functionality) is actively running
Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices”?

Answer 5

Requirement 1.4

Question 6

Which sub-requirement reads, “Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties”?

Answer 6

Requirement 1.5

Question 7

What is sub-requirement 1.1?

Answer 7

Establish and implement firewall and router configuration standards that include the following:

Question 8

What is sub-requirement 1.2?

Answer 8

Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment

Question 9

What is sub-requirement 1.3?

Answer 9

Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Question 10

What is sub-requirement 1.4?

Answer 10

Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
Specific configuration settings are defined
Personal firewall (or equivalent functionality) is actively running
Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices”?

Question 11

What is sub-requirement 1.5?

Answer 11

Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties

Question 12

Which sub-sub-requirement reads, “A formal process for approving and testing all network connections and changes to the firewall and router configurations”?

Answer 12

1.1.1

The three testing procedures are:
1.1.1.a - Examine documented procedures to verify there is a formal process for testing and approval of all network connections and changes to firewall and router configurations
1.1.1.b - For a sample of network connections, interview responsible personnel and examine records to verify that network connections were approved and tested.
1.1.1.c - Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested.

Question 13

Which sub-sub-requirement reads, “Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks”?

Answer 13

1.1.2

The two testing procedures are:
1.1.2.a - Examine diagram(s) and observe network configurations to verify that a current network diagram exists and that it documents all connections to cardholder data, including any wireless networks.
1.1.2.b - Interview responsible personnel to verify that the diagram is kept current.

Question 14

Which sub-sub-requirement reads, “Current diagram that shows all cardholder data flows across systems and networks.”?

Answer 14

1.1.3

The testing procedure is:
1.1.3.a - Examine data-flow diagram and interview personnel to verify the diagram:
- shows all cardholder data flows across systems and networks
- is kept current and updated as needed upon changes to the environment

Question 15

Which sub-sub-requirement reads, “Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the
internal network zone.”?

Answer 15

1.1.4

The three testing procedures are:
1.1.4.a - Examine the firewall configuration standards and verify that they include requirements for a firewall at each internet connection and between any DMZ and the internal network zone
1.1.4.b - Verify that the current network diagram is consistent with the firewall configuration standards.
1.1.4.c - Observe network configurations to verify that a firewall is in place at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone, per the documented configuration standards and network diagrams

Question 16

Which sub-sub-requirement reads, “ Description of groups, roles, and responsibilities for management of network components.”?

Answer 16

1.1.5

The two testing procedures are:
1.1.5.a - Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components.
1.1.5.b - Interview personnel responsible for management of network components to confirm that roles and responsibilities are assigned as documented

Question 17

Which sub-sub-requirement reads, “Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.”?

Answer 17

1.1.6

The three testing procedures are:
1.1.6.a - Verify that firewall and router configuration standards include a documented list of all services, protocols and ports, including business justification and approval for each.
1.1.6.b - Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service
1.1.6.c - Examine firewall and router configurations to verify that the documented security features are implemented for each insecure service, protocol, and port

Question 18

Which sub-sub-requirement reads, “Requirements to review firewall and router rulesets at least every six (6) months.”?

Answer 18

1.1.7

The two testing procedures are:
1.1.7.a - Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months
1.1.7.b - Examine documentation relating to rule set reviews and interview responsible personnel to verify that the rule sets are reviewed at least every six months

Question 19

Which sub-sub-requirement reads,”Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.”?

Answer 19

1.2.1

The three testing procedures are:
1.2.1.a - Examine firewall and router configuration standards to verify that they identify inbound and outbound traffic necessary for the cardholder data environment
1.2.1.b - Examine the firewall and router configurations to verify that inbound and outbound traffic is limited to that which is necessary for the CDE
1.2.1.c - Examine firewall and router configurations to verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or implicit deny after allow statement

Question 20

Which sub-sub-requirement reads, “Secure and synchronize router configuration files.”?

Answer 20

1.2.2

The two testing procedures are:
1.2.2.a - Examine router configuration files to verify they are secured from unauthorized access
1.2.2.b - Examine router configurations to verify they are synchronized – for example, the running (or active) configuration matches the start-up configuration (used when machines are booted)

Question 21

Which sub-sub-requirement reads, “Install perimeter firewalls between all wireless networks and the cardholder data environment, and
configure these firewalls to deny or, if traffic is necessary for business
purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.”?

Answer 21

1.2.3

The two testing procedures are:
1.2.3.a - Examine firewall and router configurations to verify that there are perimeter firewalls installed between all wireless networks and the CDE.
1.2.3.b - Verify that the firewalls deny or, if traffic is necessary for business purpose, permit only authorized traffic between the wireless environment and the CDE.

Question 22

Which sub-sub-requirement reads, “Implement a DMZ to limit inbound traffic to only system components that provide authorized
publicly accessible services, protocols, and ports.”?

Answer 22

1.3.1

The testing procedure is:
1.3.1.a - Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports

Question 23

Which sub-sub-requirement reads,”Limit inbound internet traffic to IP addresses within the DMZ.”?

Answer 23

1.3.2

The testing procedure is:
1.3.2.a - Examine firewall and router configurations to verify that inbound internet traffic is limited to IP addresses within the DMZ

Question 24

Which sub-sub-requirement reads, “Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.”?

Answer 24

1.3.3

The testing procedure is:
1.3.3.a - Examine firewall and router configurations to verify that anti-spoofing measure are implemented, for example internal addresses cannot pass from the internet into the DMZ

Question 25

Which sub-sub-requirement reads,”Do not allow unauthorized outbound traffic from the cardholder data environment to the internet.”?

Answer 25

1.3.4

The testing procedure is:
1.3.4.a - Examine firewall and router configurations to verify that outbound traffic from the CDE to the internet is explicitly authorized

Question 26

Which sub-sub-requirement reads, “Permit only ‘established’ connections into the network.”?

Answer 26

1.3.5

The testing procedure is:
1.3.5.a - Examine firewall and router configurations to verify that the firewall permits only established connections into the internal network and denies any inbound connections not associated with a previously established session.

Question 27

Which sub-sub-requirement reads, “Place system components that store cardholder data in an internal network zone, segregated from the DMZ and other untrusted networks.”?

Answer 27

1.3.6

The testing procedure is:
1.3.6.a - Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.

Question 28

Which sub-sub-requirement reads, “Do not disclose private IP addresses and routing information to unauthorized parties.”?

Answer 28

1.3.7

The two testing procedures are:
1.3.7.a - Examine firewall and router configurations to verify that methods are in place to prevent the disclosure of private IP addresses and routing information from the internal networks to the internet.