Compliance

Firewall review for PCI DSS

PCI DSS is explicit: firewall rule sets must be reviewed at least every six months, and the cardholder data environment must be segmented. FirewallScan automates and documents both.

firewallscan.eu/analysis
What the standard requires

What PCI DSS expects from your firewall

PCI DSS Requirement 1 governs network security controls. It requires that firewall and router rule sets be reviewed at least once every six months, that the review be documented, and that the cardholder data environment (CDE) be properly segmented from other networks.

It also expects rule sets to follow least privilege — only the access necessary for business should be permitted, and everything else denied. Few requirements in PCI DSS are as concrete as the firewall review mandate.

  • Firewall/router rule sets reviewed at least every six months
  • Review documented and retained
  • Cardholder data environment segmented and least-privilege
Why it matters

Why PCI DSS firewall review is non-negotiable

Requirement 1 is one of the most prescriptive in PCI DSS, and assessors check it closely.

Six-month review

A documented rule-set review at least every six months is a hard requirement, not a recommendation.

Segmentation

The CDE must be isolated; weak segmentation can pull your entire network into scope.

Least privilege

Rule sets must permit only necessary traffic, with explicit deny for everything else.

How FirewallScan helps

Meet the six-month review with evidence to spare

FirewallScan automates the firewall rule-set review PCI DSS requires and produces a documented report each time — so satisfying the six-month mandate becomes effortless, and you can review far more often.

It surfaces overly permissive rules and weak segmentation around the cardholder data environment, helping you keep the CDE isolated and least-privilege between assessments.

  • Documented rule-set reviews that satisfy the six-month requirement
  • Segmentation and least-privilege gaps around the CDE surfaced
  • Run between assessments to stay continuously compliant
firewallscan.eu/analysis

Frequently asked questions

See FirewallScan on your own configuration

Book a 30-minute demo and watch FirewallScan analyze a FortiGate config in minutes — prioritized findings, remediation steps and an executive-ready report.