Customer must have hardware firewall in place configured to block all unnecessary inbound traffic from the Internet.  Line of business applications requiring external access must be justified in writing.  PCI DSS 1, NIST 3.1.3, 3.1.18, 3.4.2, 3.4.3, 3.4.6, 3.13.1, 3.13.5