Which statement best describes the requirement for mobile devices connecting to the network?

• A. Do not install any firewall on mobile devices.
• B. Firewall settings are irrelevant on mobile devices.
• C. Protect mobile devices only with antivirus.
• D. Install personal firewall software on mobile devices with defined configurations, actively running, and not alterable by users.

Answer: (D)

Enforcing endpoint security for devices that access the cardholder data environment is essential. Mobile devices can connect from various networks, so they must have a firewall that is managed and enforced centrally. Installing personal firewall software with predefined, tested rules, actively running, and not easily altered by users ensures consistent policy application and prevents users from disabling protections. Antivirus alone doesn’t control network traffic or block unauthorized connections, so it doesn’t provide the necessary boundary protection. Leaving out a firewall or treating firewall relevance as optional leaves the environment vulnerable to breaches and data leakage. The described approach creates a controlled, enforceable barrier at the device level, aligning with PCI security expectations for mobile access.