Which control is established and implemented under 8.2.3?

This item tests establishing and implementing security configuration standards for network devices that protect cardholder data. PCI DSS requires documenting how security devices like firewalls and routers should be configured and then putting those standards into practice. Having formal configuration standards ensures consistency across devices, reduces the chance of insecure setups, and helps keep the network perimeter and internal segments protected from unauthorized access. For example, it covers decisions about which ports and protocols are allowed, how rules are defined and reviewed, and how changes are tracked and enforced. The other options don’t focus on configuring network devices: a password policy relates to authenticating users, a data retention policy concerns data storage timelines, and physical security procedures address protecting hardware rather than configuring network controls.