Which statement restricts inbound and outbound traffic to only what is necessary for the cardholder data environment, and denies all other traffic?

• A. Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
• B. Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
• C. Prohibit direct public access between Internet and CDE.
• D. Limit inbound Internet traffic to IP addresses within the DMZ.

Answer: (A)

The main idea is enforcing a deny-by-default policy for network traffic to the cardholder data environment, allowing only what is necessary and blocking everything else. This is the strongest, clearest way to implement the least-privilege principle at the network level.

This statement captures that approach: you restrict inbound and outbound traffic to only what is necessary for the cardholder data environment to function, and you explicitly deny all other traffic. That explicit denial of everything not needed is the essence of a robust firewall rule set and aligns with PCI DSS guidance to tightly control connections to the CDE.

Other options touch on important protections—limiting connections from untrusted networks, avoiding direct public Internet access to the CDE, and restricting inbound Internet traffic to DMZ IPs—but they don’t state the universal deny-all, allow-just-what’s-necessary principle as clearly or comprehensively.