The Latest Network Segmentation Guidance and How It Might Affect Your PCI DSS Scope
Dividing Your Network into Segments May Increase Your System Security
IT leaders continually strive to understand the necessary Payment Card Industry Data Security Standard (PCI DSS) scope and where they need to protect their system from risk and vulnerabilities. If you find yourself regularly scratching your head—or worse, losing sleep at night—worrying over finding ways to protect your valued customers from cyber-attackers, you may appreciate the newly released supplement from the PCI Security Standards Council.
Ending last year with an eye toward improved consumer data security, the PCI Security Standards Council released the long-awaited information supplement, Guidance for PCI DSS Scoping and Network Segmentation, on December 30, 2016. This release may give you the strategy you need to thwart hackers’ efforts to breach your computing systems and reach your consumers’ confidential payment card information.
What Is Network Segmentation?
Network segmentation gives you a key way to limit your exposure to hackers. It means dividing your network into distinct sections so that the systems that process, transmit, or store credit card data are separated from all other computing processes.
Segmentation itself is not a specific PCI DSS requirement, but the PCI Security Standards Council highly recommends it, and many CISOs and other IT professionals have anticipated the guidance’s release because of its promise for protecting consumer data. Network segmentation is especially appealing to merchants who want to reduce their PCI scope.
Who Benefits from the Adoption of Network Segmentation?
If you want to better understand scoping and segmentation principles within a PCI DSS environment, then you’re the target audience for this update. Whether your organization is small or large, network segmentation recommendations are easily applied. These new guidelines offer a clear method for facilitating useful discussions between various entities, including:
- Merchants, service providers, issuers, and other parties responsible for meeting PCI DSS requirements for their businesses.
- Assessors, including external Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs).
- Acquirers evaluating merchants’ or service providers’ PCI DSS reports regarding compliance and self-assessments.
- PCI Forensic Investigators (PFIs) performing official investigations.
- Consumers who entrust their data to merchants and other service providers.
Terminology to Assist CISOs and IT Teams Implementing Network Segmentation
As with any new process, it helps to understand the relevant terminology. The following terms will help your IT team approach network segmentation smoothly.
- Cardholder Data Environment (CDE). The CDE comprises all the physical and virtual components where cardholder data resides, including network components such as firewalls and routers, point-of-sale (POS) systems such as cash registers and card readers, servers including database and application servers, internal and external applications, and third-party systems.
- Cardholder Data (CHD). CHD refers to any personally identifiable information (PII) connected to the person responsible for the credit or debit card.
- Sensitive Authentication Data (SAD). SAD is the information associated with the credit or debit card that provides added security, such as the 3-digit security code on the card and the PIN.
- Account Data. Account data is the combined or individual cardholder data and sensitive authentication data.
Just What Is Scoping and Segmentation for PCI DSS?
At a high level, scoping means identifying the people, processes, and technologies that interact with, and could affect, the security of CHD. Segmentation is the implementation of logical or physical controls, or a combination of both, to separate systems with distinct purposes and different security needs. By minimizing scope, and thereby reducing the number of systems under your IT team’s care, segmentation lets you manage smaller, more specific computing environments, which ideally makes anomalies within each distinct network easier to spot.
One approach to network segmentation uses firewalls or dedicated routing configurations to block traffic between the CDE and out-of-scope networks and other subsystems. The resulting isolated network sections are still meant to communicate with one another where a specific need exists.
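To make the scoping effect concrete, here is an added example (not from the article or the PCI SSC supplement) that models a small host inventory and a segment-level firewall policy and works out which hosts an assessor must cover under a flat network versus a segmented one. The host names, segment names and permitted segment pairs are constructed sample data.

```python
"""Which systems fall within PCI DSS scope under a flat vs. a segmented network.
Added example, not from the article or the PCI SSC supplement; the hosts,
segments and firewall policy below are constructed sample data."""

# Constructed inventory: host name -> network segment it sits in.
HOSTS = {
    "pos-register-1": "cde", "pos-register-2": "cde", "payment-db": "cde",
    "ad-controller": "shared-services", "log-collector": "shared-services",
    "hr-portal": "corporate", "marketing-wiki": "corporate",
}

# Firewall policy as permitted (source_segment, destination_segment) pairs.
# None models a flat network: every host can reach every other host.
FLAT_NETWORK = None
SEGMENTED = {
    ("cde", "cde"), ("shared-services", "shared-services"),
    ("corporate", "corporate"),
    ("shared-services", "cde"), ("cde", "shared-services"),  # AD and logging
    ("corporate", "shared-services"), ("shared-services", "corporate"),
    # No ("corporate", "cde") rule: the corporate segment cannot reach the CDE.
}

def reaches(hosts, src, dst, policy):
    """True if the firewall policy lets host src open a connection to host dst."""
    if policy is None:
        return True
    return (hosts[src], hosts[dst]) in policy

def classify(hosts, policy):
    """Split hosts into CDE systems, systems with connectivity to the CDE
    (in scope because they can affect CHD security), and out-of-scope systems."""
    cde = {h for h, seg in hosts.items() if seg == "cde"}
    connected = {h for h in hosts if h not in cde and any(
        reaches(hosts, h, c, policy) or reaches(hosts, c, h, policy) for c in cde)}
    out_of_scope = set(hosts) - cde - connected
    return {"cde": cde, "connected": connected, "out_of_scope": out_of_scope}

def in_scope_count(hosts, policy):
    """Hosts an assessor must cover: the CDE plus everything connected to it."""
    r = classify(hosts, policy)
    return len(r["cde"]) + len(r["connected"])

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        r = classify(HOSTS, policy)
        print(f"{name}: {in_scope_count(HOSTS, policy)} of {len(HOSTS)} hosts in "
              f"scope; out of scope: {sorted(r['out_of_scope'])}")
```

Any non-CDE host that lands in the connected set is a prompt to either tighten the firewall rule that admits it or include it explicitly in the assessment.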
The Potential Benefits of Network Segmentation
Without network segmentation, in what is sometimes called a “flat network,” the entire network falls within the scope of the PCI DSS assessment.
While network segmentation is not a PCI DSS requirement, it provides benefits that your IT team will appreciate in day-to-day operations. It also lets your external auditing team examine your PCI DSS controls more closely, and more quickly, because the assessed environment is smaller.
Reach Out for Consulting Advice to Learn Whether Network Segmentation Is the Right Choice for Your PCI DSS Needs
If you are unsure as to whether you want to adopt network segmentation to isolate your various computing networks, our PCI DSS experts at I.S. Partners, LLC. can help. We can investigate your system and, based on our findings, let you know the value to your organization when implementing network segmentation. We can also discuss what your future assessments might look like, in terms of duration of the audit and resulting fees, when you implement network segmentation.