PCI DSS · Compliance

A firewall built for PCI DSS — checked on every rule change.

PCI DSS Requirement 1 is the network-security-controls requirement: restrict traffic to and from the cardholder-data environment, deny everything else by default, and approve and document every change. Enforza ships a bundled PCI DSS v4 pack and checks each policy change against it, advising on or blocking a rule that would break a control before it ever reaches a firewall.

Enforza helps you meet the firewall-rule requirements of PCI DSS and evidences them. It is not a full GRC platform or a QSA — PCI DSS covers far more than network controls.

Requirement 1

What PCI DSS asks of your firewall rules

Requirement 1 of PCI DSS v4 — network security controls — is the part of the standard a firewall actually owns. Here is what it asks, and the Enforza control that lines up with it.

  • Req 1.2 / 1.3

    Restrict traffic to and from the CDE

    Inbound and outbound traffic to the cardholder-data environment must be restricted to what is necessary. Enforza policies default-deny on every section, with explicit allows you scope by network, port and hostname — and a guardrail flags any rule that opens broad access to a CDE network.

  • Req 1.3.1 / 1.4.4

    No direct public inbound to the CDE

    Inbound traffic to the CDE must be restricted to what is necessary (1.3.1), and system components that store cardholder data must not be directly reachable from untrusted networks (1.4.4). A guardrail catches an inbound allow from 0.0.0.0/0 into a CDE network that has no restricted source or hostname: advise on it, or block the publish in enforce mode.

  • Req 1.3.2

    Restrict outbound from the CDE

    Outbound traffic from the CDE must be restricted to what is necessary, with everything else specifically denied. Broad egress to 0.0.0.0/0 is scoped with an L7 (FQDN / SNI) matcher rather than a bare-port passthrough, so a guardrail can require every wide egress rule to name where it is allowed to go. An FQDN / SNI matcher only applies to traffic that carries a hostname (HTTP, TLS); egress on other protocols still needs a narrowly scoped destination network and port.

  • Req 1.2.1 / 1.2.2

    Document and approve every ruleset change

    Network-security-control rulesets must follow documented configuration standards (1.2.1), and every change to them must be approved and managed through a change-control process (1.2.2). Run Enforza as policy-as-code through a pipeline, or in the console; either way every change is checked against the attached PCI DSS pack, and the result is recorded as an audit event you can show an assessor.

  • Req 1.4

    Control connections between trust zones

    Connections between trusted and untrusted networks must be controlled. East-west and north-south rules sit in the same policy model, so the same default-deny posture and the same guardrails apply to lateral movement, not just the perimeter.

Requirement numbers reference PCI DSS v4.0. Enforza maps to the network-security-control obligations; the rest of the standard is outside a firewall's scope and is marked accordingly in the control catalogue.

How it works

Attach the pack. Advise, then enforce. Evidence everything.

The PCI DSS v4 pack is one of 25 bundled framework packs covering 210 firewall-applicable controls. Attach it to the policy that governs your CDE and every change is checked.

  1. Attach the PCI DSS v4 pack

    Attach the pack to the policy that governs your CDE: the whole pack, or only the Requirement 1 controls that map to firewall rules.

  2. Advise while you tighten, enforce when you're ready

    Run the pack in advise mode to surface violations without blocking, bring your rules into line, then switch to enforce so a rule that breaks a control is rejected before any firewall sees it.

  3. Evidence every check

    Every check, every advise warning and every enforce block is recorded. When your QSA asks how ruleset changes are controlled, you show what was evaluated, what failed, and that the failing change never reached production.
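As an added illustration of the kind of checks listed under Requirement 1 above and of the advise-then-enforce flow in these three steps, here is a small policy-as-code linter in Python. It is example code written for this page, not Enforza's policy format, pack or engine: the Rule and Section schema, the CDE network (10.20.0.0/16), the section names and every sample rule are constructed for the example, and the requirement numbers attached to each finding are the PCI DSS v4.0 controls named on this page.

```python
"""Illustrative Requirement 1 guardrail linter.

Added example only: this is NOT Enforza's policy format, pack or engine.
The Rule/Section schema, the CDE network, the section names and every
sample rule below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed CDE scoping. Scoping is your design decision, not the tool's.
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class Section:
    name: str
    default_action: str  # "deny" is the only compliant default


@dataclass
class Rule:
    rule_id: str
    section: str
    direction: str                 # "inbound" or "outbound" relative to the CDE
    action: str                    # "allow" or "deny"
    src: str                       # CIDR
    dst: str                       # CIDR
    ports: list = field(default_factory=list)      # [] means any port
    hostnames: list = field(default_factory=list)  # FQDN / SNI matchers


@dataclass
class Finding:
    rule_id: str
    control: str   # PCI DSS v4.0 requirement the rule breaks
    message: str


def touches_cde(cidr):
    """True if the prefix overlaps any CDE network (a supernet counts too)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(c) for c in CDE_NETWORKS if net.version == c.version)


def unrestricted(cidr):
    """0.0.0.0/0 or ::/0: no source/destination restriction at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_policy(sections, rules):
    """Run the guardrails over a whole candidate policy and return findings."""
    findings = []
    for s in sections:
        if s.default_action != "deny":
            findings.append(Finding("section:" + s.name, "1.3.1/1.3.2",
                                    f"section {s.name} defaults to {s.default_action}; must default-deny"))
    for r in rules:
        if r.action != "allow":
            continue
        if r.direction == "inbound" and touches_cde(r.dst):
            if unrestricted(r.src) and not r.hostnames:
                findings.append(Finding(r.rule_id, "1.3.1/1.4.4",
                                        "inbound allow into the CDE from any source with no restriction"))
            if not r.ports:
                findings.append(Finding(r.rule_id, "1.2.5",
                                        "inbound allow into the CDE on any port"))
        if r.direction == "outbound" and touches_cde(r.src) and unrestricted(r.dst) and not r.hostnames:
            findings.append(Finding(r.rule_id, "1.3.2",
                                    "egress from the CDE to 0.0.0.0/0 with no FQDN/SNI matcher"))
    return findings


def evaluate_change(sections, rules, mode):
    """Advise: report and publish. Enforce: report and reject if anything failed."""
    findings = check_policy(sections, rules)
    decision = "reject" if (mode == "enforce" and findings) else "publish"
    audit = [{"rule": f.rule_id, "control": f.control, "mode": mode,
              "result": "blocked" if decision == "reject" else "advised",
              "message": f.message} for f in findings]
    return decision, audit


def sample_policy():
    """Constructed ruleset with three deliberate violations (R1, R2, R3)."""
    sections = [Section("cde-ingress", "deny"), Section("cde-egress", "deny")]
    rules = [
        Rule("R1", "cde-ingress", "inbound", "allow", "0.0.0.0/0", "10.20.1.10/32", [443]),  # 1.3.1/1.4.4
        Rule("R2", "cde-ingress", "inbound", "allow", "10.30.0.0/24", "10.20.0.0/16"),        # any port: 1.2.5
        Rule("R3", "cde-egress", "outbound", "allow", "10.20.0.0/16", "0.0.0.0/0", [443]),   # 1.3.2
        Rule("R4", "cde-egress", "outbound", "allow", "10.20.0.0/16", "0.0.0.0/0", [443],
             ["api.payments.example.net"]),                                                  # scoped egress: ok
        Rule("R5", "cde-ingress", "inbound", "allow", "10.30.0.0/24", "10.20.1.0/24", [22]), # scoped: ok
    ]
    return sections, rules


if __name__ == "__main__":
    for mode in ("advise", "enforce"):
        decision, audit = evaluate_change(*sample_policy(), mode)
        print(mode, "->", decision)
        for event in audit:
            print("  ", event)
```

Running it in advise mode reports the three violations and still publishes; switching the same policy to enforce mode rejects it. The audit list is the kind of record the third step describes: which rule, which control, which mode, and whether the change was advised on or blocked. Note the `touches_cde` check uses overlap rather than strict containment, so a rule written against a supernet of the CDE (10.0.0.0/8, say) is treated as opening the CDE too.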

And it costs less

PCI-ready, without the cloud-firewall tax

A PCI-scoped network usually means a managed firewall plus a NAT gateway — two per-hour fees (often duplicated per Availability Zone) plus two per-GB data-processing meters. Enforza is one flat-priced appliance.

Flat per firewall

£179/month per firewall (£149 from your sixth), plus the VM you run it on. No per-GB data-processing charge — the bill stops scaling with traffic.

Typically 60–80% less

Against a cloud-native firewall stacked with a NAT gateway at modest egress, the flat line is usually 60–80% cheaper — and the gap widens as traffic grows.

No add-on for compliance

The PCI DSS pack and advise-or-enforce guardrails are part of the platform. There is no separate compliance SKU and no per-control charge.

FAQ

PCI DSS firewall — common questions

Is Enforza a PCI compliant firewall?

Enforza is a firewall that helps you meet the firewall-rule requirements of PCI DSS — primarily Requirement 1 (install and maintain network security controls). It ships a bundled PCI DSS v4 pack and checks every policy change against it, advising or blocking rules that would break a control. It does not make your whole organisation PCI compliant: PCI DSS covers far more than network controls (encryption, key management, logging, access management, physical security), and compliance is assessed by a QSA or via SAQ. Enforza covers the network-security-control slice and gives you the evidence for it.

What does PCI DSS require of a firewall?

PCI DSS Requirement 1 (v4: network security controls) requires that you restrict inbound and outbound traffic to and from the cardholder-data environment to only what is necessary, deny everything else by default, prohibit direct public access to CDE systems, control connections between trusted and untrusted networks, and formally approve and document every ruleset change. Enforza's policies are default-deny with explicit, scoped allows, and its guardrails check each of those obligations against the PCI DSS v4 pack on every change.

How does Enforza help with PCI DSS Requirement 1?

You attach the bundled PCI DSS v4 pack to the policy governing your CDE. On every policy change — whether published from a GitHub pipeline or the console — Enforza checks the rules against the pack's Requirement 1 controls: default-deny sections, no unscoped public inbound, scoped (FQDN/SNI) egress, and controlled trust-zone connections. Violations are advised or, in enforce mode, blocked before the rule reaches a firewall, and each result is recorded as an audit event.

Does Enforza scope my CDE for me?

No — you define which networks are in scope. Enforza enforces the rules you write with a default-deny posture and checks them against the PCI DSS pack, but segmentation scoping is your design decision. What Enforza gives you is confidence that the rules around the CDE stay default-deny and explicitly scoped, and that any change loosening them is caught before it ships.

Can I prove ruleset change control to my QSA?

Yes. Every compliance check is recorded: the controls evaluated, what passed, what was advised, and any enforce block that rejected a change before it reached a firewall. That gives you a defensible record of how firewall-ruleset changes are controlled, which is what Requirements 1.2.1 and 1.2.2 ask for. The audit trail shows that each change was evaluated and what happened to it; the approval itself (who authorised the change, and under which change-control process) still comes from your own change-management procedure, which Requirement 1.2.2 ties to Requirement 6.5.1. Enforza evidences the network-control changes; it is not a substitute for your overall PCI programme or your QSA assessment.

How much does a PCI-ready firewall from Enforza cost?

Enforza is a flat per-firewall licence — £179/month per firewall, dropping to £149 from your sixth — plus the VM you run it on, with no per-GB data-processing charge. Against a cloud-native firewall stacked with a NAT gateway (two per-hour fees often duplicated per Availability Zone, plus two per-GB meters), the flat line is typically 60–80% cheaper at modest egress. The PCI DSS pack and advise-or-enforce guardrails are part of the platform, not a paid add-on.

Requirement 1, handled.

Stop non-compliant CDE rules before they ship.

A bundled PCI DSS v4 pack, advise-or-enforce on every rule change, and a flat per-firewall price with no per-GB tax. Start free, no card.