What must be ensured about outbound traffic from the CDE to the Internet?

Multiple Choice

What must be ensured about outbound traffic from the CDE to the Internet?

Explanation:
Outbound traffic from the CDE must be tightly controlled with explicit authorization before any Internet access is allowed. This follows a deny-by-default approach: the firewall blocks outbound connections unless a specific, approved rule permits them, detailing the destination, port, and protocol. This helps prevent unapproved data exfiltration and ensures that only necessary, auditable connections are allowed, aligning with PCI DSS goals of strong access controls and traceability.

The other options are incorrect: allowing outbound traffic by default would bypass this protection, and treating outbound traffic as unmonitored would ignore the need for ongoing detection and auditing of connections. Limiting outbound traffic to port 80 only is too specific and not universally correct, since many legitimate services require other ports and protocols.
