In memoriam requirement 1.3.3

It is rare for the DSS to get smaller; each version typically adds a few requirements based on lessons from forensic investigations of breaches of cardholder data. However, in the summary of changes from version 3.1 to version 3.2 published this week, I noticed:

1.3.3: Removed requirement as intent is addressed via other requirements in 1.2 and 1.3.

Perhaps the resident threnodist at Private Eye (a satirical British newspaper) would mark its passing thus:

So farewell then requirement 1.3.3
“Prevent direct internet connections to the CDE”
was your request

People asked, does that require
a proxy server
or just a firewall?

You inspired
pedantic discussions
on the meaning of “direct”

Although you are gone
Your proxy servers live on

EJ Thribb (17½)
