Requirement 1: Establish Secure Firewall Rules

Jen Stone
Auditor Tips

*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.

Large environments typically already have firewalls in place, but those firewalls might not be business-grade. Choose firewalls that support the configuration options needed to protect critical systems and to segment the cardholder data environment (CDE) from the other internal and external networks your organization operates.

Smaller organizations sometimes struggle with firewalls because they lack the in-house expertise to configure and manage them correctly and securely. If that describes you, contract a PCI-validated third-party service provider for help rather than deploying the firewall’s default configuration and hoping for the best.

It may seem obvious, but leave as few holes as possible in your firewall.

Firewalls are a first line of defense, so pay special attention to the logs and alerts firewalls generate.

It’s best to start with a deny-by-default (“block everything”) stance and then add exceptions only as needed, so that the ruleset ends in an explicit deny for anything not specifically permitted. PCI DSS requires you to document a valid business justification for every communication allowed to or from the CDE. Spend the time to identify the specific source and destination addresses your systems need to communicate with for a given service or protocol, and write the rules at that level of precision. Don’t allow unrestricted access to the Internet just because it’s easier. Along the same lines, if you or any third parties remotely support your environment, restrict that inbound access to specific source addresses and protocols.
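The checks in that paragraph can be applied mechanically to a ruleset before it goes live. The following is an added example, not code from the original PCI Guide article: it audits a small, vendor-neutral rule representation (a constructed format in which each rule carries an action, source and destination CIDR, protocol, destination port and the documented business justification) for a non-deny default, any-to-any allows, missing justifications, unrestricted outbound Internet access, and remote-administration ports open to any source. The admin port set and both sample rulesets are assumptions made for the example.

```python
"""Audit firewall rules against a deny-by-default policy.

Added example, not code from the original PCI Guide article. The rule
format is constructed for this example; a real ruleset would be exported
from the firewall and mapped into this shape first.
"""
import ipaddress

# Remote-administration ports that must never be reachable from any source.
# Assumed set for this example; extend it to match your environment.
ADMIN_PORTS = frozenset({22, 3389, 5900})


def is_any_network(cidr):
    """True for a catch-all network such as 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ruleset(rules, default_action):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    if default_action.lower() != "deny":
        findings.append("default action is %r; traffic not explicitly "
                        "permitted must be denied" % default_action)
    for num, rule in enumerate(rules, start=1):
        if rule["action"].lower() != "allow":
            continue  # deny rules need no business justification
        src_any = is_any_network(rule["src"])
        dst_any = is_any_network(rule["dst"])
        port_any = rule["port"] == "any"
        if not str(rule.get("justification", "")).strip():
            findings.append("rule %d: allowed traffic has no documented "
                            "business justification" % num)
        if src_any and dst_any:
            findings.append("rule %d: any-to-any allow; name the specific "
                            "source and destination addresses" % num)
        if dst_any and port_any:
            findings.append("rule %d: unrestricted outbound Internet access "
                            "from %s" % (num, rule["src"]))
        if src_any and rule["port"] in ADMIN_PORTS:
            findings.append("rule %d: remote administration on port %s is "
                            "open to any source" % (num, rule["port"]))
    return findings


# Constructed "default-ish" ruleset of the kind the article warns against.
LOOSE_RULES = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "tcp", "port": "any", "justification": ""},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.10.20.5/32",
     "proto": "tcp", "port": 22, "justification": "vendor support"},
    {"action": "allow", "src": "10.10.20.0/24", "dst": "0.0.0.0/0",
     "proto": "tcp", "port": "any", "justification": "CDE hosts need Internet"},
]

# Constructed tightened ruleset: specific sources, destinations, ports,
# and a justification on every allow, with deny as the default action.
TIGHTENED_RULES = [
    {"action": "allow", "src": "203.0.113.10/32", "dst": "10.10.20.5/32",
     "proto": "tcp", "port": 22, "justification": "Vendor X remote support"},
    {"action": "allow", "src": "10.10.20.0/24", "dst": "198.51.100.7/32",
     "proto": "tcp", "port": 443, "justification": "Payment processor API"},
    {"action": "allow", "src": "10.10.20.0/24", "dst": "10.10.30.4/32",
     "proto": "udp", "port": 123, "justification": "Internal NTP"},
]

if __name__ == "__main__":
    for name, rules, default in (("loose", LOOSE_RULES, "allow"),
                                 ("tightened", TIGHTENED_RULES, "deny")):
        print("%s ruleset:" % name)
        for finding in audit_ruleset(rules, default) or ["no findings"]:
            print("  -", finding)
```

Run against the loose ruleset the audit reports the non-deny default plus five rule-level findings; against the tightened one it reports nothing. The same checks are a useful addition to a change-review step, so a rule cannot be added without a justification or with a catch-all source.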

The volume of log data can be overwhelming, so some merchants turn logging off or route alert messages straight to the junk folder. It’s important (and required, under PCI DSS Requirement 10) to review firewall logs daily to identify patterns and activity that indicate attempts to breach security. Many good software packages can help you manage the log volume and automate alerting, or you can engage a service provider to do it for you.
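What a daily review is looking for in those logs is pattern, not individual lines. The following is an added example, not code from the original PCI Guide article: it parses netfilter/iptables-style kernel log lines (the SRC=, DST=, PROTO= and DPT= fields), assumes the firewall logs denied packets with the prefix "FW-DROP:", and flags sources that probe many distinct ports (a scan) or repeatedly hit remote-administration ports. The log prefix, thresholds, admin port set and sample log lines are all assumptions constructed for the example.

```python
"""Summarize firewall deny logs for a daily review.

Added example, not code from the original PCI Guide article. The log
prefix, thresholds and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict

DROP_PREFIX = "FW-DROP:"                   # assumed --log-prefix on deny rules
ADMIN_PORTS = frozenset({22, 3389, 5900})  # assumed remote-administration ports
FIELDS = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
                    r"(?:.*?DPT=(?P<dpt>\d+))?")

# Constructed sample log: one host walking ports, one host hammering SSH,
# one innocuous drop, one ICMP drop without a port, and one accepted packet.
SAMPLE_LOG = """\
Mar  3 02:14:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.20.5 PROTO=TCP SPT=40001 DPT=21 SYN
Mar  3 02:14:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.20.5 PROTO=TCP SPT=40002 DPT=22 SYN
Mar  3 02:14:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.20.5 PROTO=TCP SPT=40003 DPT=23 SYN
Mar  3 02:14:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.20.5 PROTO=TCP SPT=40004 DPT=25 SYN
Mar  3 02:14:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.20.5 PROTO=TCP SPT=40005 DPT=80 SYN
Mar  3 02:14:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=10.10.20.5 PROTO=TCP SPT=40006 DPT=443 SYN
Mar  3 03:30:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=10.10.20.5 PROTO=TCP SPT=51000 DPT=22 SYN
Mar  3 03:30:41 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=10.10.20.5 PROTO=TCP SPT=51001 DPT=22 SYN
Mar  3 03:31:15 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=10.10.20.5 PROTO=TCP SPT=51002 DPT=22 SYN
Mar  3 04:05:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=10.10.20.5 PROTO=TCP SPT=60000 DPT=443 SYN
Mar  3 04:05:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=10.10.20.5 PROTO=ICMP TYPE=8 CODE=0
Mar  3 04:06:00 fw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.9 DST=10.10.20.5 PROTO=TCP SPT=60001 DPT=443 SYN
"""


def parse_drop_line(line):
    """Return {src, dst, proto, dpt} for a denied packet, or None otherwise."""
    if DROP_PREFIX not in line:
        return None
    match = FIELDS.search(line)
    if match is None:
        return None
    dpt = match.group("dpt")
    return {"src": match.group("src"), "dst": match.group("dst"),
            "proto": match.group("proto"), "dpt": int(dpt) if dpt else None}


def review_log(lines, scan_threshold=5, admin_threshold=3):
    """Return sorted (kind, source, count) alerts for the supplied log lines."""
    ports_by_src = defaultdict(set)   # distinct destination ports per source
    admin_hits = defaultdict(int)     # denied attempts on admin ports per source
    for line in lines:
        event = parse_drop_line(line)
        if event is None or event["dpt"] is None:
            continue
        ports_by_src[event["src"]].add(event["dpt"])
        if event["dpt"] in ADMIN_PORTS:
            admin_hits[event["src"]] += 1
    alerts = []
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port_scan", src, len(ports)))
    for src, hits in admin_hits.items():
        if hits >= admin_threshold:
            alerts.append(("admin_probe", src, hits))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, count in review_log(SAMPLE_LOG.splitlines()):
        print("%-12s %-16s %d" % (kind, src, count))
```

Over the sample, the review surfaces the port walker and the repeated SSH probes and stays silent on the single denied HTTPS attempt. The thresholds are deliberately low for illustration; on a real perimeter they need tuning against a baseline so the daily report stays short enough that someone actually reads it.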

For Requirement 1, remember the following:

  • Start with a “block everything” mentality, only opening up what is necessary.
  • Pay attention to what your logs tell you.
  • Review firewall configurations frequently and adjust as necessary.