What do the firewall standards require per 1.1.4?

Multiple Choice

What do the firewall standards require per 1.1.4?

Explanation:

The main idea is that firewall boundaries must exist to protect the cardholder data environment by strictly controlling traffic between trusted internal networks and external, untrusted networks. The standard requires a firewall at each Internet connection point and a boundary between any DMZ and the internal network zone. This creates a protective buffer: Internet-facing services live in the DMZ, but access from the DMZ into the internal network is tightly regulated, with only the necessary ports and protocols allowed and thorough logging and monitoring in place. This separation minimizes exposure if a service in the DMZ is compromised and helps limit any breach to a smaller segment of the network.

Disabling the DMZ, encrypting only the firewall configuration, or making firewalls optional would weaken this boundary and defeat the purpose of segmentation and controlled access.
