1.3.3

1.3.3  ::  Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.

This is similar to 1.3.2 except they are applying the rule to the whole network.