The starting point when formulating your Payment Card Industry Data Security Standard (PCI DSS) compliance journey’s scope begins with network segmentation. This entails merely creating controls that are focused on your data security needs. For you to meet PCI network segmentation standards, you must first understand the standard’s objectives and purpose.
PCI DSS Network Segmentation
What’s the Cardholder Data Environment (CDE)?
PCI DSS outlines cardholder data (CHD) as any personally identifiable data, which is associated with an individual’s debit or credit card. This definition also includes Primary Account Numbers (PAN’s) as well as service code, cardholder name, expiry date, and any other sensitive card authentication data. Simply put, CDH comprises any information that can be used to either make fraudulent charges to an individual’s card or steal an identity.
The cardholder data environment comprises computers or network systems that are involved in the processing, storage, or transmission of this information. CDH includes related system components such as servers, network devices, computing devices, and applications. These may be virtual components, security services, network components, applications, server types, and anything else that is connected to the CDE. If systems or employees can access CHD, this should be separated from the other aspects of your company.
PCI DSS and Network Segmentation
Network segmentation entails looking at the way information is transmitted via your systems. You should see your CDE as a river, and cardholder data as a canoe navigating the rapids. Rivers typically have multiple access points for boats. Likewise, your network has various data access points. They are just like rivers, which have tributaries connected to them. As long as your CHD can float down a path within your network, there’s a need to either build a dam or protect that tributary.
For instance, connectivity is defined by PCI DSS as being wireless, virtualized, and physical. At any point down that river, CHD can enter. Wireless connectivity can include Bluetooth connections and LANs. Physical connectivity can be USB drives. Virtualized connectivity typically incorporated shared resources including virtual machines and virtual firewalls. It is recommended that you secure these data access point so that CHD isn’t compromised.
How Companies Scope Systems
PCI DSS scoping should entail the critical evaluation of all data access points and tributaries found on your CDE river. PCI DSS assessment begins with the classification of how and where CHD is received. While walking up and down your CDE river’s bank, you must pinpoint all payment channels as well as methods for accepting cardholder data. Thereafter, follow the information journey starting with collection through destruction, disposal, and transfer.
You should also pinpoint and mark our places on your CDE where data is stored, processed, or transmitted. This identification may include understanding not only who handles data, but also how information is processed. You must also document processes and technologies that you have put in place to secure your data environment.
After tracking the flow of information through your network, make sure you incorporate all processes, people, and system components that influence the CDE. This is a crucial step, which differs from the previous one since it requires you to look beyond those who interact with CHD. Instead, you must focus on people and system components that drive your data environment.
Once your data river has been reviewed, you must then create controls for protecting the information. This is just the same way that most rivers feature landings, which are meant to prevent boaters from gaining entrance at certain points. To put this into perspective, controls are essential. Similarly, you must find a way of limiting where crucial information can go, and who can have access to it.
For you to do this, there’s a need to set up the data security version of dams. This may include setting up encryption methods and firewalls. After you have established control, there’s the need to apply it in securing your processes, system components, and personnel. Most importantly, you must monitor controls to ensure that any changes that you make evolve alongside your CDE.
Are there Any Out-Of-Scope Systems?
Out of scope systems are defined by the Payment Card Industry Security Standard Council (PCI SSC) as those without access to CDE systems. Notably, out of scope systems have become rare. PCI SSC stipulates that the system component shouldn’t store, process or even transmit CHD. Similarly, it shouldn’t be connected to any network segments that touch on CHD.
Third-parties and service providers are within the scope of your PCI security standards compliance. They are akin to your river’s forest rangers. By being your business partners, they provide remote services to you. Since they continuously engage with your data environment, they can introduce risks that may compromise CHD. This highlights the significance of participating in third-party monitoring as well as managing your vendor ecosystem.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.