Which statement limits inbound Internet traffic to IP addresses within the DMZ?

• A. Limit inbound Internet traffic to IP addresses within the DMZ.
• B. Install perimeter firewalls between all wireless networks and the cardholder data environment.
• C. Do not allow unauthorized outbound traffic from the CDE to the Internet.
• D. Implement anti-spoofing measures to detect forged source IP addresses.

Answer: (A)

Limiting inbound Internet traffic to IP addresses within the DMZ centers on configuring perimeter controls so only traffic destined for DMZ hosts is allowed from the Internet. The DMZ is a buffer zone that hosts services exposed to the public network while keeping the internal network isolated. By restricting inbound connections to the DMZ IPs, you block direct access to internal networks; any external attempts to reach internal systems are dropped at the edge, reducing the threat of compromise spreading inward.

In practice, you implement this with firewall rules at the network edge that permit inbound traffic only to the DMZ addresses and deny other destinations by default. This mirrors PCI DSS guidance to minimize exposure points between the untrusted Internet and the internal environment.

Other options address different security controls (such as separating wireless networks from the cardholder data environment, restricting outbound CDE traffic, or anti-spoofing measures) and do not describe the action of limiting inbound access specifically to DMZ IPs.