Hello all,
I am tightening up security per PCI requirements. This is the specific requirement I'm working on:
1.3.5 Is outbound traffic from the cardholder data environment to the Internet explicitly authorized?
I think this means I need to lock down the API server to allow outbound traffic only to the Element IP address. Am I missing anything as to the outbound traffic needs of the API server? And the payment gateway is communicating through the API, so that would not be connecting directly to the Internet, right? The web server is in a DMZ with explicit permissions for the API server.
Appreciate your help!
Gloria
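An added example, not from this thread, of how the "explicitly authorized" egress rule in the question can be checked: every host in the cardholder data environment gets an explicit allowlist of destination/port pairs, and any outbound connection not on that list is reported. The host names, the Element address (203.0.113.10) and the internal API server address (10.0.0.5) are placeholders, and the connection records are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Explicit outbound authorizations per CDE host, as (destination, port).
# Destinations may be single addresses (/32) or CIDR ranges, since a
# processor often publishes a range. All addresses here are placeholders.
EGRESS_POLICY = {
    "api-server": [("203.0.113.10/32", 443)],   # placeholder for Element's IP
    "web-server": [("10.0.0.5/32", 443)],       # DMZ web server -> API server only
}


def _is_authorized(src: str, dst: str, port: int, policy: dict) -> bool:
    """True only if an explicit rule for src covers dst:port (default deny)."""
    dst_ip = ipaddress.ip_address(dst)
    for net, allowed_port in policy.get(src, []):
        if dst_ip in ipaddress.ip_network(net) and port == allowed_port:
            return True
    return False


def unauthorized_egress(records: Iterable[str], policy: dict) -> List[Tuple[str, str, int]]:
    """Parse 'src-host dst-ip dst-port' records and return those not authorized.
    A host with no policy entry is treated as having no authorized egress."""
    findings = []
    for line in records:
        src, dst, port = line.split()
        if not _is_authorized(src, dst, int(port), policy):
            findings.append((src, dst, int(port)))
    return findings


# Constructed sample records: "source-host destination-ip destination-port"
SAMPLE_RECORDS = [
    "api-server 203.0.113.10 443",   # to Element (placeholder): authorized
    "api-server 203.0.113.10 80",    # right host, wrong port: flagged
    "api-server 198.51.100.7 443",   # destination never authorized: flagged
    "web-server 10.0.0.5 443",       # DMZ web server to API server: authorized
    "web-server 198.51.100.7 443",   # DMZ web server straight to the Internet: flagged
]

if __name__ == "__main__":
    for finding in unauthorized_egress(SAMPLE_RECORDS, EGRESS_POLICY):
        print("unauthorized egress:", finding)
```

Run against real firewall or flow logs, the same default-deny check surfaces any outbound path that was never written down as authorized.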
I was under the impression that the Payment Gateway service was the one connecting to Element over the Internet. And your PGS is supposed to reside on a server that doesn't serve web requests, so that you don't have any authorization traffic going through a node that is accessible to the wider Internet.