PCI DSS 4.0 Requirement 1: How to Install and Maintain Network Security Controls
Mastering PCI DSS 4.0 Requirement 1: Network Security Controls for Modern Compliance

Below is a detailed exploration of everything you need to know about PCI DSS 4.0’s first requirement, complete with practical guidance, real-world examples, and a look at end-of-life (EOL) software considerations.
Table of Contents
- Introduction to PCI DSS 4.0 Requirement 1
- Why Network Security Controls Matter
- The Shift from Firewalls to “Network Security Controls”
- Core Responsibilities Under Requirement 1
- Building a Compliant Network Security Framework
  - 5.1 Document Everything
  - 5.2 Enforce Segmentation
  - 5.3 Adopt Secure Configurations
  - 5.4 Cloud-Specific Considerations
- Ongoing Maintenance and Monitoring
- Real-World Examples of Network Security Missteps
- How EOL Software Impacts Requirement 1
- Key Takeaways and Next Steps
- Frequently Asked Questions
1. Introduction to PCI DSS 4.0 Requirement 1
Under PCI DSS 3.2.1, Requirement 1 was titled “Install and Maintain a Firewall Configuration to Protect Cardholder Data.” In PCI DSS 4.0, this concept is broadened to “Install and Maintain Network Security Controls,” reflecting the reality that security goes well beyond traditional, on-premises firewall appliances.
Who Does Requirement 1 Affect?
- All merchants and service providers—whether operating entirely on-premises, in the cloud, or hybrid.
- Teams responsible for network architecture, firewall management, and overall IT security.
- Third-party providers who may handle or influence network traffic flows into or out of the Cardholder Data Environment (CDE).
Goal of Requirement 1: Ensure that all networks handling payment card data are protected from unauthorized access and malicious traffic.
2. Why Network Security Controls Matter
Network security controls create a defensive layer that prevents attackers from gaining easy entry to systems storing or transmitting cardholder data. In many high-profile breaches, the root cause was a poorly configured network that allowed lateral movement across the environment, letting attackers gain access to sensitive data undetected.
Key Benefits of Strong Network Security Controls
- Reduced Attack Surface: Only explicitly approved traffic can enter or exit the CDE.
- Regulatory Compliance: Meets PCI DSS, GDPR, and other security frameworks’ requirements for perimeter and segmentation controls.
- Enhanced Visibility: Robust documentation and regular reviews provide a clear picture of what’s flowing in and out of your environment.
3. The Shift from Firewalls to “Network Security Controls”
In previous PCI DSS versions, “firewalls” were the focal point. Now, the standard recognizes that security extends to cloud security groups, container orchestration frameworks, and virtualized network environments.
What Does “Network Security Controls” Mean?
- Traditional Firewalls & Routers: On-prem hardware or virtual appliances controlling traffic flow.
- Cloud Security Groups & NSGs: AWS, Azure, GCP equivalents of firewalls.
- Intrusion Detection/Prevention Systems (IDS/IPS): Monitoring or blocking suspicious network behavior in real time.
- Software-Defined Networking (SDN): Segmentation and policy-driven traffic control for containerized or virtual environments.
This broad approach ensures the standard aligns with modern infrastructure, where perimeters are often fluid.
4. Core Responsibilities Under Requirement 1
Requirement 1 in PCI DSS 4.0 mandates that organizations must:
- Establish Secure Network Configurations
  - Limit connections from untrusted networks.
  - Define clear rules for inbound and outbound traffic.
- Document All Rules and Justifications
  - Each rule should have a clear business rationale.
  - Regularly review and remove obsolete or unused entries.
- Segment the Cardholder Data Environment (CDE)
  - Isolate systems handling cardholder data from the rest of the network.
- Monitor and Maintain
  - Keep all network security controls patched and monitored for suspicious events.
5. Building a Compliant Network Security Framework
5.1 Document Everything
- Network Diagrams: Include subnets, firewalls, routers, load balancers, cloud security groups—anything that processes or routes cardholder data.
- Data Flow Diagrams: Show how cardholder data enters and leaves your systems, identifying potential vulnerabilities or choke points.
- Rule Base Documentation: For each firewall rule or cloud ACL (Access Control List), record the source, destination, port, protocol, business purpose, and approval date.
Tip: Whenever you add or remove a rule, update your diagrams. PCI auditors (or QSAs) will check for consistency between your policies and actual configurations.
5.2 Enforce Segmentation
- CDE vs. Non-CDE: Only systems directly involved in card data processing should reside in the CDE. All others belong in segregated subnets.
- VLANs, Subnets, or VPCs: A distinct zone for each environment, with strict rules controlling traffic between them.
- Secure Management Network: Administrators should connect via dedicated management networks or jump boxes to minimize the risk of credential compromise.
Tip: Proper segmentation often lowers compliance costs because fewer systems are in scope.
5.3 Adopt Secure Configurations
- Default “Deny All” Posture: Block all inbound and outbound traffic by default, then add only what’s needed.
- Least Privilege Traffic Rules: If a server needs only HTTPS (443) and SSH (22), restrict everything else.
- Automated Configuration Checks: Tools like Chef, Puppet, or Ansible help maintain consistent, secure baseline settings.
5.4 Cloud-Specific Considerations
- Security Groups & Network Security Groups: Align rule names and descriptions with your PCI documentation for easy auditing.
- Multi-Cloud Management: Keep consistent policies across AWS, Azure, GCP, etc., to ensure uniform security controls.
- Serverless & Containers: Even if you run microservices or serverless functions, secure the ingress points (API gateways, load balancers, etc.).
Tip: Enable flow logs (e.g., AWS VPC Flow Logs, Azure NSG Flow Logs) for real-time visibility into traffic patterns.
6. Ongoing Maintenance and Monitoring
Network security isn’t a one-and-done exercise. PCI DSS 4.0 stresses continuous oversight:
- Regular Rule Audits: At least quarterly, verify every firewall rule is still needed. Remove stale entries promptly.
- Immediate Patch Application: Keep firmware and software updated for routers, firewalls, and any network appliance.
- Alerting & Incident Response: Integrate logs with a SIEM to identify suspicious traffic, repeated access attempts, or abnormal packet flows in real time.
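The documentation fields in 5.1, the deny-by-default and least-privilege rules in 5.3, and the quarterly rule audit in section 6 can be turned into an automated check that runs before each review. The script below is an added example written for this article, not code from HeroDevs or from any firewall vendor: it audits a rule base exported into a simple record format (the `Rule` fields, the 90-day review interval, the list of management ports, and the sample rules and addresses are all assumptions made for the illustration). It flags rules without a business justification or a current approval date, allow rules that permit every port, management services such as RDP or SSH reachable from the internet, any-to-any allows, and a rule base that does not end in an explicit deny-all. The same checks apply to cloud security-group rules once they are exported into the same shape.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import ipaddress

# Management services that should never be reachable from the internet
# (the open-RDP misstep in section 7 is the canonical case). Assumed list.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}
# Assumed review cadence: the quarterly rule audit described in section 6.
REVIEW_INTERVAL = timedelta(days=90)
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    """One documented rule carrying the fields section 5.1 says to record."""
    name: str
    action: str                      # "allow" or "deny"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    proto: str                       # "tcp", "udp" or "any"
    port: Optional[int]              # None means every port
    purpose: str = ""                # business justification
    approved: Optional[date] = None  # date the rule was last approved


def is_any(cidr: str) -> bool:
    """True when a CIDR covers the whole address space (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rule(rule: Rule, today: date) -> list:
    """Return the findings for one rule; an empty list means it passes."""
    findings = []
    # Documentation checks (5.1): a justification and a current approval.
    if not rule.purpose.strip():
        findings.append("missing business justification")
    if rule.approved is None:
        findings.append("missing approval date")
    elif today - rule.approved > REVIEW_INTERVAL:
        findings.append("not re-verified within the review interval")
    # Least-privilege checks (5.3) apply only to rules that permit traffic.
    if rule.action == "allow":
        if rule.port is None:
            findings.append("permits every port; restrict to required services")
        elif is_any(rule.src) and rule.port in MANAGEMENT_PORTS:
            findings.append(f"{MANAGEMENT_PORTS[rule.port]} reachable from the internet")
        if is_any(rule.src) and is_any(rule.dst):
            findings.append("any-to-any allow")
    return findings


def audit_rulebase(rules: list, today: date) -> dict:
    """Audit each rule plus the overall posture; keys are rule names and '_policy'."""
    report = {rule.name: audit_rule(rule, today) for rule in rules}
    last = rules[-1] if rules else None
    ends_in_deny_all = (last is not None and last.action == "deny"
                        and is_any(last.src) and is_any(last.dst) and last.port is None)
    report["_policy"] = [] if ends_in_deny_all else [
        "rule base does not end with an explicit deny-all"]
    return report


def rules_needing_action(report: dict) -> list:
    """Sorted names of rules (or '_policy') that produced at least one finding."""
    return sorted(name for name, findings in report.items() if findings)


# Constructed sample rule base; addresses, names and dates are illustrative only.
TODAY = date(2025, 1, 15)
SAMPLE_RULES = [
    Rule("web-ingress", "allow", ANY, "10.10.1.0/24", "tcp", 443,
         "Public checkout traffic to the web tier", date(2024, 12, 1)),
    Rule("admin-rdp", "allow", ANY, "10.10.2.5/32", "tcp", 3389),
    Rule("vendor-legacy", "allow", "203.0.113.0/24", "10.10.1.0/24", "tcp", None,
         "Vendor support access", date(2024, 3, 1)),
    Rule("db-from-app", "allow", "10.10.1.0/24", "10.10.3.0/24", "tcp", 5432,
         "Application tier to card database", date(2024, 12, 1)),
    Rule("default-deny", "deny", ANY, ANY, "any", None,
         "Deny-all posture", date(2024, 12, 1)),
]

if __name__ == "__main__":
    report = audit_rulebase(SAMPLE_RULES, TODAY)
    for name in rules_needing_action(report):
        for finding in report[name]:
            print(f"{name}: {finding}")
```

Run against the sample, the script clears `web-ingress`, `db-from-app` and `default-deny`, and reports `admin-rdp` (no justification, no approval date, RDP open to the internet) and `vendor-legacy` (approval older than the review interval, all ports permitted). Feeding the real export into the same functions each quarter gives the reviewer the list of entries to justify, tighten or remove, and the `_policy` entry catches a rule base that has lost its closing deny-all.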
7. Real-World Examples of Network Security Missteps
Example 1: Open RDP Port (3389)
An organization left RDP open to the internet. Attackers brute-forced credentials, pivoted through the environment, and stole unencrypted card data.
Lesson: Never expose RDP or similar management services to the public internet; use a secure tunnel or VPN.
Example 2: Forgotten Test Environment
A developer’s staging environment had default credentials and was inadvertently exposed. Attackers scanned it, gained root privileges, and stole database backups.
Lesson: Every environment, including test/staging, must follow the same security rules.
8. How EOL Software Impacts Requirement 1
End-of-life (EOL) software is no longer supported by its vendor, meaning no new patches or security updates. When your network devices, firewall operating systems, or routers are EOL:
- Unpatched Vulnerabilities: Well-known exploits remain open, inviting attackers to breach your network perimeter.
- Compliance Issues: PCI DSS requires all systems to be secure and up to date. EOL software fails that test.
Action Step: Create an EOL software inventory. Replace or upgrade outdated firmware or operating systems to maintain a secure perimeter.
9. Key Takeaways and Next Steps
- Map and Document Thoroughly: Understand exactly how data flows and how your network is segmented.
- Segment and Lock Down: Enforce a least privilege “deny by default” approach.
- Stay Up to Date: Patch and upgrade firmware or network OS frequently; retire EOL products.
- Continuous Monitoring: Incorporate daily logs, real-time alerts, and quarterly rule reviews.
- Plan for the Future: PCI DSS 4.0 is about continuous security. Make sure your network evolves with business needs without leaving compliance gaps.
Looking Ahead: Requirement 1 forms the bedrock for the rest of PCI DSS 4.0. When your network is secured and clearly documented, it’s far easier to tackle data protection, secure software development, and other aspects of the standard.
10. Frequently Asked Questions
Q1. How often should I review firewall or router configurations?
PCI DSS 4.0 suggests quarterly reviews or after any significant infrastructure changes to keep rule sets accurate and minimize risk.
Q2. Is segmentation mandatory if my entire environment handles card data?
While not explicitly mandated, segmentation can drastically reduce the number of systems in scope. Many companies adopt it for both security and cost efficiency.
Q3. Are web application firewalls (WAFs) included in Requirement 1?
They can be. A WAF is considered a specialized form of network security control, especially relevant if you process card data through web apps or APIs.
Q4. How does cloud computing change Requirement 1?
The fundamental principles remain the same—control inbound and outbound traffic, document rules, and keep everything patched. But the specifics often shift to security groups, NSGs, and virtual private clouds (VPCs) instead of hardware firewalls.
Q5. Where does HeroDevs fit into this?
HeroDevs can help you retire EOL network components, modernize your infrastructure, and ensure your network security controls align with PCI DSS best practices—especially helpful for legacy environments or those migrating to the cloud.
Conclusion
Requirement 1 of PCI DSS 4.0 ensures you have a robust, well-monitored network perimeter that keeps attackers at bay. By maintaining up-to-date firewalls, security groups, and related controls—and by documenting them diligently—you lay a rock-solid foundation for the rest of your PCI DSS 4.0 compliance journey.
Protecting cardholder data starts at the edges of your environment. Take the time to do it right, and you’ll drastically reduce breach risk while reinforcing customer trust.