PCI Assessment

NDB Advisory Review of Firewall and Router Rule Sets | PCI DSS Requirement 1.1.6


Regarding PCI DSS Requirement 1.1.6, the "requirement to review firewall and router rule sets at least every six months", there should be an established policy stating that the review is to be conducted, at a minimum, every six months, along with a procedure detailing exactly what is undertaken during the review process. Furthermore, there should be historical documentation in place verifying that the review was conducted by appropriate and authorized personnel, what changes were made, if any, and the business justification for those changes. This can be done by using a change management ticket or some other type of formalized process. This is yet another example of having documented policies, procedures, and activities in place, complete with supporting documentation showing that these activities were conducted. Remember, the PCI standards may not always explicitly or directly tell you when and where you need to have documented policies, procedures, processes, or activities in place (PCI DSS Requirement 1.1.6 is a perfect example of this). If unclear, it is best to consult with a PCI Qualified Security Assessor (QSA) or another expert in the PCI field.

To learn more about the Payment Card Industry Data Security Standards and becoming PCI DSS compliant, please contact NDB Advisory.


Send us an email or give us a call at (800) 277-5415 x706


