PCI DSS 1.3.1: Restrict Inbound Traffic to Your CDE
Limiting inbound traffic to only necessary connections is a critical firewall control that prevents unauthorized access to your cardholder data environment. PCI DSS 1.3.1 requires you to document and enforce explicit rules that deny all traffic by default, then allow only what's essential for business operations. This zero-trust approach significantly reduces your attack surface and demonstrates due diligence during compliance audits.
What this means
This control mandates that your network infrastructure be configured to deny all inbound traffic to the CDE by default, with explicit exceptions only for traffic required to support legitimate business functions. You must identify every service, port, and protocol needed for cardholder data processing, document the business justification for each, and configure firewalls and network access controls to enforce these restrictions. Traffic that doesn't meet these criteria must be blocked, and any changes to inbound rules require formal change management and documentation.
How to comply
- 1.Conduct a comprehensive inventory of all services, applications, and systems within your CDE that require inbound traffic from untrusted networks
- 2.Document the specific ports, protocols, and IP ranges required for each inbound connection, including business justification
- 3.Configure your network perimeter firewall with a default-deny ruleset, explicitly allowing only documented inbound traffic
- 4.Implement network segmentation to isolate the CDE from non-CDE systems and untrusted networks
- 5.Disable unnecessary services and ports on CDE systems, blocking them at the firewall if not disabled at the application level
- 6.Establish and follow a formal change management process for any modifications to inbound firewall rules
- 7.Review and test firewall rules quarterly to verify they still align with current business needs
- 8.Document all inbound traffic rules in your network diagram and maintain an up-to-date asset inventory
Evidence auditors look for
- Firewall configuration files showing default-deny rules with specific allow exceptions for required inbound traffic
- Network diagram documenting CDE boundaries and all permitted inbound connections with business justification
- Change management tickets approving inbound firewall rule additions or modifications
- Service documentation listing required ports, protocols, and IP ranges for each CDE application
- Firewall logs demonstrating that unauthorized inbound traffic is being blocked
- Quarterly firewall rule review documentation with sign-off from network and security teams
- Access control list (ACL) configurations on routers and switches restricting traffic to CDE
- Penetration test results validating that unnecessary ports and services are not accessible from outside the CDE
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates firewall rule inventory and tracks inbound traffic restrictions across your CDE, eliminating manual spreadsheets and providing audit-ready evidence for quarterly reviews.
See how GRCWatch handles this control automatically
Start free trial