GRCWatch
Sign inStart free trial

PCI DSS 1.3.2: Restricting Outbound Traffic from Your CDE

Outbound traffic from your cardholder data environment (CDE) is a critical attack vector that must be tightly controlled. PCI DSS 1.3.2 requires organizations to allow only necessary outbound connections, preventing data exfiltration and unauthorized communications. Implementing proper egress filtering protects sensitive payment data and reduces your compliance risk.

What this means

This control requires you to establish and enforce rules that permit only essential outbound traffic from systems within your cardholder data environment. Rather than allowing all outbound connections by default, you must implement a whitelist approach where only approved destinations, protocols, and ports are permitted. This prevents compromised systems from exfiltrating cardholder data or communicating with command-and-control servers.

How to comply

  1. 1.Document all legitimate outbound traffic flows required by applications and services within the CDE
  2. 2.Implement firewall rules and network segmentation to block all outbound traffic except explicitly approved connections
  3. 3.Use stateful inspection and application-layer filtering to monitor protocol-specific traffic patterns
  4. 4.Establish a change management process for approving new outbound traffic requirements
  5. 5.Test egress controls regularly to verify that only whitelisted traffic is permitted
  6. 6.Monitor and log all outbound connection attempts, including blocked connections

Evidence auditors look for

  • Documented network diagram showing CDE segmentation and outbound traffic flows
  • Firewall configuration files with explicit deny-all rules and specific allow rules for approved traffic
  • Application inventory with corresponding outbound requirements (IP addresses, ports, protocols)
  • Network monitoring and packet capture logs showing allowed vs. blocked egress attempts
  • Change management records for outbound rule modifications
  • Vulnerability scan results confirming no unauthorized outbound channels exist

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically maps your network architecture, identifies all CDE outbound connections, and generates firewall rule recommendations to prove compliance with 1.3.2—eliminating manual traffic discovery.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 1.3.1 - Inbound Traffic RestrictionsPCI DSS 1.1 - Firewall Configuration StandardsPCI DSS 1.2.1 - Documented Firewall ArchitecturePCI DSS 2.2.4 - Service Configuration HardeningPCI DSS 10.2.5 - Log Access to Audit Trails