IT-6 Standard for Configuration of Routers and Firewalls on Networks Processing Cardholder Data

In this article


This document establishes a formal standard for installation and configuration of firewalls and routers within Cardholder Data Environments and outlines the related requirements specified in the Payment Card Industry Data Security Standards (PCI DSS) that must be implemented into all UMD network infrastructures that are processing cardholder data.


Additional authority

The following standards help guide the content of this document: Payment Card Industry Data Security Standard - Requirement 1.



This standard applies to all UMD IT elements that are attached to a Cardholder Data Environment network. All systems processing cardholder data full Primary Account Number or full PAN plus any of the following: Cardholder name, expiration date, service code, information from magnetic strip or card chip, and/or Personal Identification Number must only be connected to a designated CDE network. 



It is critical to design and maintain a secure network infrastructure where cardholder data can be processed and stored. The requirements in this standard cover the configuration of the routers and firewalls used to protect the CDE.

NOTE: As a general rule, every PCI Standard should be reviewed annually and updated as needed to reflect changes to business objectives or the risk environment.