Which statement prohibits unauthorized outbound traffic from the cardholder data environment to the Internet?

• A. Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
• B. Limit inbound Internet traffic to IP addresses within the DMZ.
• C. Install perimeter firewalls between wireless networks and the cardholder data environment.
• D. Implement anti-spoofing measures to detect forged IP addresses.

Answer: (A)

Controlling outbound connections from the cardholder data environment is essential to prevent data leakage. PCI DSS emphasizes preventing unauthorized data exfiltration, and having a clear rule to block outbound traffic that isn’t authorized gives you a enforceable control you can implement with egress filtering and firewall rules. The statement that directly prohibits unauthorized outbound traffic from the cardholder data environment to the Internet expresses this need in a concrete, actionable way, making it the strongest option for preventing data from leaving the CDE without proper authorization. The other measures—restricting inbound traffic, placing a firewall between wireless networks and the CDE, and using anti-spoofing—address related security concerns but do not directly establish a preventive outbound restriction.