PCI DSS 1.4.5: Limit Disclosure of Internal IP Addresses
PCI DSS 1.4.5 requires you to control who can access information about your internal IP addresses and network routing. Uncontrolled exposure of this data creates reconnaissance opportunities for attackers. This control strengthens your network security posture by ensuring only authorized parties understand your internal infrastructure.
What this means
Your organization must restrict visibility and disclosure of internal IP addresses, routing information, and related network topology details. Only individuals with a legitimate business need—such as network administrators, authorized vendors, or compliance auditors—should have access to this sensitive infrastructure data. This includes preventing accidental exposure through documentation, support tickets, error messages, or public-facing systems.
How to comply
- 1.Document which roles and individuals require access to internal IP addressing schemes and network routing details
- 2.Implement access controls limiting network documentation and diagrams to authorized personnel only
- 3.Configure systems to avoid disclosing internal IP addresses in error messages, logs, or external responses
- 4.Train employees on not sharing network topology information in emails, calls, or external communications
- 5.Restrict third-party vendor access to internal IP information through formal agreements and need-to-know provisions
- 6.Audit and monitor access to network documentation and infrastructure diagrams regularly
- 7.Remove or mask internal IP addresses from any publicly available systems, websites, or customer-facing applications
Evidence auditors look for
- Access control matrix showing who has authorization to view network topology and IP addressing documentation
- Configuration screenshots showing systems configured to suppress internal IP disclosure in error messages
- Network documentation access logs demonstrating restricted availability
- Vendor agreements with clauses limiting disclosure of network infrastructure information
- Security awareness training records covering IP address confidentiality policies
- Audit logs showing periodic review of network documentation access
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks access to network documentation repositories and flags unauthorized access patterns, reducing manual auditing for this control while maintaining an audit trail of who viewed sensitive IP information.
See how GRCWatch handles this control automatically
Start free trial