PCI DSS 1.4.2: Restrict Inbound Traffic from Untrusted Networks
PCI DSS 1.4.2 requires that inbound traffic from untrusted networks to your trusted networks be restricted to established connections only. This control is fundamental to network segmentation and prevents unauthorized access to cardholder data environments. Properly implementing traffic restrictions reduces your attack surface and demonstrates a mature security posture to auditors.
What this means
This control mandates that your network infrastructure only permits inbound connections from external or untrusted sources when those connections are part of an explicitly established and authorized communication session. In practice, this means configuring firewalls, routers, and network access controls to allow inbound traffic only for known, documented business purposes—such as customer-facing web applications or payment processing endpoints—while blocking all unsolicited or unauthorized inbound attempts. Established connections typically refer to stateful firewall rules that recognize return traffic from legitimate outbound connections your systems initiated.
How to comply
- 1.Document all inbound traffic flows required for business operations, including source IP ranges, destination systems, ports, and protocols
- 2.Configure firewall rules to allow inbound traffic only for documented, authorized business connections
- 3.Implement stateful inspection to permit only traffic that is part of established connections initiated from within your network
- 4.Restrict inbound access to cardholder data environment systems to only necessary entry points and administration channels
- 5.Apply the principle of least privilege—deny by default and explicitly allow only required inbound connections
- 6.Review and test firewall rules quarterly to ensure they reflect current business needs and remove obsolete rules
- 7.Monitor inbound traffic logs to detect and alert on unauthorized connection attempts
Evidence auditors look for
- Firewall configuration documentation showing inbound rules restricted to established connections
- Network diagram identifying trusted and untrusted network boundaries
- Firewall rule audit logs demonstrating blocked inbound traffic from untrusted sources
- Access control lists (ACLs) on routers and switches limiting inbound traffic by source, destination, and port
- Intrusion detection/prevention system (IDS/IPS) logs showing detection of unauthorized inbound attempts
- Change management records documenting firewall rule modifications and business justifications
- Quarterly firewall rule reviews with sign-off confirming all inbound rules remain necessary
- Network segmentation documentation showing established connection policies between network zones
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and maps all inbound firewall rules across your infrastructure, highlights rules that don't restrict to established connections, and generates quarterly compliance evidence reports—eliminating manual firewall audits for PCI DSS 1.4.2.
See how GRCWatch handles this control automatically
Start free trial