PCI DSS 1.4.4: Prevent Direct Access to Cardholder Data Storage
System components storing cardholder data must be isolated from untrusted networks to prevent unauthorized access and data breaches. PCI DSS 1.4.4 requires network segmentation and access controls that shield sensitive payment card information from external threats. This control is foundational to any PCI-compliant payment processing environment.
What this means
This control mandates that any system or server holding cardholder data (full PAN, expiration dates, security codes, or other sensitive authentication data) cannot be directly accessible from the internet or untrusted networks like public Wi-Fi or guest networks. Direct access means attackers cannot reach these components through standard network paths without traversing security layers. You must implement network segmentation, firewalls, and access control lists to enforce this isolation.
How to comply
- 1.Map all systems that store cardholder data and document their network locations
- 2.Implement network segmentation to isolate cardholder data storage from untrusted networks
- 3.Deploy and configure firewalls with explicit deny-all-inbound rules, then whitelist only required traffic
- 4.Disable unnecessary services and ports on systems storing cardholder data
- 5.Use VPNs or encrypted tunnels for any remote access to cardholder data systems
- 6.Regularly test network access controls to verify blocked connections from untrusted sources
- 7.Document all network architecture and access rule changes
Evidence auditors look for
- Network diagrams showing cardholder data systems in isolated DMZ or internal segments
- Firewall configuration files with explicit rules blocking untrusted network access
- Network access control lists (ACLs) limiting inbound connections by IP and port
- Penetration test reports confirming cardholder data systems are unreachable from public networks
- VPN or bastion host configurations for legitimate administrative access
- Port scans from external networks showing blocked access to cardholder data systems
- Change management logs documenting firewall rule updates and network topology changes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically maps and monitors network access to cardholder data systems, flags misconfigured firewall rules, and tracks segmentation changes—turning weeks of manual auditing into automated compliance visibility.
See how GRCWatch handles this control automatically
Start free trial