Which sub-requirement comprises PCI DSS Requirement 1.1?

• A. 1.1.3 and 1.1.4
• B. 1.1.1 and 1.1.2
• C. 1.2 and 1.3
• D. 1.1 and 2.1

Answer: (B)

The key idea here is that PCI DSS organizes requirements into sub-requirements that spell out the concrete actions needed to meet each duty. For the first requirement, which centers on protecting the cardholder data environment with firewall configurations, the two sub-requirements together define that scope: you must establish firewall and router configuration standards, and you must implement and maintain those configurations to protect the environment. Put simply, one sub-requirement sets the standards, and the other ensures those standards are actually applied and kept up to date. The other options pull in sub-requirements that belong to different parts of PCI DSS, or mix in items that aren’t part of this initial firewall-focused requirement, so they aren’t the correct pairing for 1.1.