Which statement addresses documentation and business justification and approval for use of all services, protocols, and ports allowed?

• A. Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
• B. Documentation and business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
• C. Prohibit direct public access between Internet and any system component in the cardholder data environment.
• D. Limit inbound Internet traffic to IP addresses within the DMZ.

Answer: (B)

The main idea here is governance and change control over what services, protocols, and ports are allowed in the environment. The best statement explicitly requires documenting the business justification and obtaining formal approval for every service, protocol, and port that is allowed, and it also calls for documenting the security features in place for protocols that are considered insecure. This creates an auditable process: you only enable what has a documented business need, and you address the risks of insecure protocols with stated security controls. That combination—approval, justification, and documented mitigations—directly addresses how permissions for network services should be managed, which is essential for PCI compliance.

The other options describe protective network configurations (restrict connections, prohibit direct Internet access, limit inbound traffic to a DMZ) but they don’t emphasize the documented business justification and approval process for all allowed services and protocols, which is what this item is testing.