Category: PCI DSS Requirement 1
Install and Maintain Network Security Controls
Network policy or rule enforcement points are known as Network Security Controls (NSCs). Examples of these are firewalls (software or hardware) and other network security technologies that control network traffic between two or more logical or physical network segments.
All network traffic entering and leaving a segment is analyzed by NSCs, which decide, in accordance with the established policies or rules, whether the traffic should be allowed to pass or be rejected. NSCs are typically placed between environments with differing levels of trust or security for the underlying assets within the respective environments. Policy enforcement typically takes place at layer 3 of the OSI model, although newer NSCs often make policy decisions based on data at higher layers.
Historically, physical firewalls have performed this function. In recent times, however, cloud environments have become common, and virtual devices, cloud access controls, virtualization/container systems, and other software-defined networking technologies now often provide this functionality.
NSCs are used to protect an organization’s resources from being exposed to untrusted networks and to control traffic within the organization’s own networks, such as between areas of higher and lower sensitivity. Within a PCI environment, the organization’s network containing cardholder data, the Cardholder Data Environment (CDE), is an example of a more sensitive area. Unsecured entry points into sensitive systems can frequently be found on seemingly insignificant routes to and from untrusted networks. NSCs are an essential security component and safeguard for any computer network.
The Internet, dedicated connections like business-to-business communication channels, wireless networks, carrier networks like cellular, third-party networks, and other sources that the entity undergoing PCI DSS compliance cannot control are all examples of untrusted networks. In addition, corporate networks that are not subject to PCI DSS assessment are included in the category of untrusted networks and must be treated as such because the existence of security controls has not been confirmed. From an infrastructure perspective, an organization may consider an internal network to be trustworthy; however, a network that is not covered by PCI DSS must be regarded as untrustworthy.
Check Point provides customers of all sizes with the latest data and network security protection in an integrated next generation…
- Check Point Software Technologies Ltd. 5 Ha’Solelim Street Tel Aviv 67897, Israel