Firewall review for PCI DSS
PCI DSS is explicit: firewall rule sets must be reviewed at least every six months, and the cardholder data environment must be segmented. FirewallScan automates and documents both.
What PCI DSS expects from your firewall
PCI DSS Requirement 1 governs network security controls. It requires that firewall and router rule sets be reviewed at least once every six months, that the review be documented, and that the cardholder data environment (CDE) be properly segmented from other networks.
It also expects rule sets to follow least privilege — only the access necessary for business should be permitted, and everything else denied. Few requirements in PCI DSS are as concrete as the firewall review mandate.
- Firewall/router rule sets reviewed at least every six months
- Review documented and retained
- Cardholder data environment segmented and least-privilege
Why PCI DSS firewall review is non-negotiable
Requirement 1 is one of the most prescriptive in PCI DSS, and assessors check it closely.
Six-month review
A documented rule-set review at least every six months is a hard requirement, not a recommendation.
Segmentation
The CDE must be isolated; weak segmentation can pull your entire network into scope.
Least privilege
Rule sets must permit only necessary traffic, with explicit deny for everything else.
How FirewallScan helps
Meet the six-month review with evidence to spare
FirewallScan automates the firewall rule-set review PCI DSS requires and produces a documented report each time — so satisfying the six-month mandate becomes effortless, and you can review far more often.
It surfaces overly permissive rules and weak segmentation around the cardholder data environment, helping you keep the CDE isolated and least-privilege between assessments.
- Documented rule-set reviews that satisfy the six-month requirement
- Segmentation and least-privilege gaps around the CDE surfaced
- Run between assessments to stay continuously compliant
Frequently asked questions
See FirewallScan on your own configuration
Book a 30-minute demo and watch FirewallScan analyze a FortiGate config in minutes — prioritized findings, remediation steps and an executive-ready report.