- Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
- Limit inbound Internet traffic to IP addresses within the DMZ.
- Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
- Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
- Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
- Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
- Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
- Do not disclose private IP addresses and routing information to unauthorized parties. Note: Methods to obscure IP addressing may include, but are not limited to:
  - Network Address Translation (NAT),
  - Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
  - Removal or filtering of route advertisements for private networks that employ registered addressing,
  - Internal use of RFC1918 address space instead of registered addresses.
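The requirements above describe one coherent firewall policy: an Internet-facing edge that admits new connections only to authorized DMZ services, a cardholder data environment (CDE) that the Internet never talks to directly in either direction, anti-spoofing on the external interface, stateful tracking so only replies to accepted connections get back in, and NAT so internal addressing is not exposed. The following is an added example, not PCI DSS text and not any vendor's firewall code: a small zone-based stateful filter model in Python that applies those rules to constructed packets. The address plan (TEST-NET ranges standing in for the Internet, RFC1918 space for the DMZ and CDE), the service list, the zone policy table and the verdict strings are all assumptions made for the example.

```python
"""Zone-based stateful packet filter modelling the controls listed above.

Added example, not PCI DSS text. Every address, zone, port and service
here is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: 203.0.113.0/24 (TEST-NET-3) stands in for the
# Internet; the DMZ and CDE use RFC1918 space, one of the obscuring methods
# listed above.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "cde": ipaddress.ip_network("10.20.0.0/24"),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL_PUBLIC_IP = "198.51.100.1"  # constructed, used as the NAT address

# Only DMZ components on authorized ports are reachable from the Internet.
PUBLIC_SERVICES = {("10.10.0.5", 443)}
# Authorized new connections between zones. None means any port; a zone
# pair that is missing from the table is not authorized and is dropped.
ZONE_POLICY = {
    ("dmz", "cde"): {5432},      # web tier to the database on its port only
    ("cde", "dmz"): {3128},      # CDE reaches the Internet only via a DMZ proxy
    ("dmz", "internet"): None,   # the proxy and other DMZ hosts may go outbound
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True marks the first packet of a new connection


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class StatefulFilter:
    """Dynamic packet filter: only established connections get back in."""

    def __init__(self):
        self.conntrack = set()  # accepted connections as (src, sport, dst, dport)

    def evaluate(self, pkt: Packet, ingress: str) -> str:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)

        # Anti-spoofing: a private or internal source address cannot
        # legitimately arrive on the Internet-facing interface.
        if ingress == "internet" and (src_zone != "internet" or is_private(pkt.src)):
            return "DROP:spoofed-source"

        # Stateful inspection: replies to tracked connections are allowed;
        # anything else that is not a new connection has no state and is dropped.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT:established"
        if not pkt.syn:
            return "DROP:no-state"

        verdict = self._new_connection_policy(pkt, src_zone, dst_zone)
        if verdict.startswith("ACCEPT"):
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

    @staticmethod
    def _new_connection_policy(pkt: Packet, src_zone: str, dst_zone: str) -> str:
        if src_zone == "internet":
            # Inbound from the Internet terminates only on authorized DMZ
            # services; this also blocks any direct Internet-to-CDE connection.
            if dst_zone == "dmz" and (pkt.dst, pkt.dport) in PUBLIC_SERVICES:
                return "ACCEPT:public-service"
            return "DROP:not-an-authorized-public-service"
        if src_zone == "cde" and dst_zone == "internet":
            # No direct outbound from the CDE; it must go through the DMZ proxy.
            return "DROP:direct-cde-to-internet"
        if (src_zone, dst_zone) not in ZONE_POLICY:
            return "DROP:unauthorized-zone-pair"
        allowed_ports = ZONE_POLICY[(src_zone, dst_zone)]
        if allowed_ports is None or pkt.dport in allowed_ports:
            return "ACCEPT:zone-policy"
        return "DROP:port-not-authorized"


def hide_source(pkt: Packet) -> Packet:
    """Source NAT for traffic leaving to the Internet, so RFC1918 addressing
    inside the DMZ and CDE is never disclosed to external parties."""
    if zone_of(pkt.dst) == "internet" and is_private(pkt.src):
        return Packet(FIREWALL_PUBLIC_IP, pkt.sport, pkt.dst, pkt.dport, pkt.syn)
    return pkt


if __name__ == "__main__":
    fw = StatefulFilter()
    for pkt, iface in [
        (Packet("203.0.113.9", 40000, "10.10.0.5", 443, syn=True), "internet"),
        (Packet("10.10.0.5", 443, "203.0.113.9", 40000), "dmz"),
        (Packet("203.0.113.9", 40001, "10.20.0.10", 5432, syn=True), "internet"),
        (Packet("10.20.0.10", 5000, "203.0.113.9", 80, syn=True), "cde"),
        (Packet("10.20.0.10", 5001, "10.10.0.7", 3128, syn=True), "cde"),
    ]:
        print(iface, pkt.src, pkt.dst, pkt.dport, "->", fw.evaluate(pkt, iface))
```

The model keeps each requirement as a separately named verdict so that a dropped packet can be traced back to the control that stopped it, which is also what a real firewall's log should make visible. Note that the anti-spoofing check runs before connection tracking: a forged private source must never be able to match an existing conntrack entry.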