GRCWatch
Sign inStart free trial

PCI DSS 1.4.3: Anti-Spoofing Measures

Source IP spoofing is a common attack vector that allows threat actors to bypass perimeter defenses by masquerading as trusted internal systems. PCI DSS 1.4.3 requires organizations to deploy anti-spoofing mechanisms that prevent forged traffic from entering the trusted network. This control is essential for maintaining network integrity and preventing unauthorized access to cardholder data environments.

What this means

Anti-spoofing measures are security controls that identify and block packets with fraudulent or forged source IP addresses before they can reach your trusted network. These mechanisms verify that incoming traffic originates from legitimate sources by comparing source IP addresses against routing information and network topology. When forged packets are detected, the firewall or intrusion prevention system drops them, preventing attackers from spoofing internal IPs to circumvent access controls.

How to comply

  1. 1.Enable anti-spoofing filtering at your network perimeter and firewall interfaces
  2. 2.Configure Unicast Reverse Path Forwarding (uRPF) on edge routers to validate source IP legitimacy
  3. 3.Deploy ingress filtering to block packets with internal IP addresses arriving from external networks
  4. 4.Monitor inbound traffic for packets claiming to originate from internal subnets and log violations
  5. 5.Test anti-spoofing controls regularly to ensure forged packets are successfully blocked
  6. 6.Document your anti-spoofing configuration, including which routers and firewalls enforce these rules

Evidence auditors look for

  • Firewall configuration files showing anti-spoofing rules enabled on all external-facing interfaces
  • Router logs demonstrating blocked packets with spoofed source IPs
  • uRPF configuration documentation and validation test results
  • Network security policy documenting anti-spoofing requirements and implementation
  • Quarterly penetration test reports showing anti-spoofing controls successfully prevented IP spoofing attacks
  • Change management records for updates to anti-spoofing rules

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically tracks your anti-spoofing firewall configurations, validates ingress filtering rules, and generates compliance evidence for annual PCI audits—eliminating manual log reviews and configuration documentation.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 1.3 — Prohibit Direct Public AccessPCI DSS 1.2 — Build Configuration Standards for FirewallsPCI DSS 6.2 — Security Patches and UpdatesPCI DSS 10.1 — Audit Logging and Monitoring