To determine the scope of your Payment Card Industrial Data Security Standard (PCI DSS) for compliance, it is necessary that you understand network segmentation. Segmentation involves designing controls fit enough for the security of your data. Network segmentation will only be successful after you have followed the standard's purpose and objectives.
PCI DSS Network Segmentation
Defining the cardholder data environment (CDE)?
According to PCI DSS, a cardholder data (CHD) is any personal data that ties you to your debit or credit card. Some of these personal data include your primary account number (PAN) together with your name, sensitive card authentication data, service code, and expiration date.
"Understanding PCI Compliance & Network Segmentation is no simple feat. However, there is a need for PCI DSS network segmentation which is possible when you can differentiate between CHD and CDE"
Simply put, CHD defines any of your information with which fraud can steal identities as well as conduct fraudulent charges using somebody else's card.
Cardholder data environment (CDE) is therefore single or linked computer systems which collect, stores, processes and transmit the stolen information. On the other hand, CDH components consist of applications, servers, network devices, and computing devices. Such elements can be virtual components, network components, security services, server types, and applications that get connected to the CDE.
As an employer, there is, therefore, a need for you to set apart any devices or components from which employees can access the CHD within your company.
What does PCI DSS mean by network segmentation?
The first step to network segmentation is to understand how information travels through your systems. Take the CDE to be a river and the CHD to be a kayak which is navigating the rapids. Rivers have different routes which the boats can take and likewise, the network has multiple data access points which act like tributaries in waterways. Can CHD float anywhere along your system? Build a reservoir or protect the tributary instead.
PCI DSS describes connectivity as wireless, virtualized and physical. Thus, CHD can access the river at any point. A USB drive represents the physical connectivity. Additionally, Virtualized connectivity includes virtual machines, virtual firewalls, and any other shared resource. Lastly, the wireless connectivity is made up of Bluetooth connections and wireless LANs. Secure every one of these data access points.
How to Scope Systems?
Before Scoping the PCI DSS, keenly analyze all the data access points and the CDE tributaries.
Consequently, proceed to assess the PCI DSS by cataloging the how and the where you collect CHD. Explore the CDE banks, identifying all the channels through which you make your payments. Also, identify methods through which you receive CHD and then journey through your channel from the collection, transfer or disposal as well as destruction.
Also, track and make a record of places on your CDE which get used for data storage, processing or transmission. The identification educates you about who touches and how to handle data and the stages as well as technologies which influence data flow in your network.
The next step is Incorporation of all the people who affect CDE, system components and processes. The primary difference between tracking and incorporation is that the latter focuses on people that drive the environment while the former focuses on those that handle the information.
Upon a successful data river review, develop controls to enhance information security just like river landings restricts boater’s entry in some areas. It is also prudent that you set limits as to which way the information can travel and who can access it. For the limitation, set up data securities that compare to dams, together with encryption methods and firewalls.
Further, apply the set controls to your in-scope system components, personnel, and processes.
Since CDE keeps on evolving, keep a close eye on the controls and modify them when necessary.
Are there any out-of-scope systems?
Out-of-scope systems are those lacking access to any CDE system, but they are difficult to find. As required by the PCI SSC, the system should not store, process or transmit CHD or connect with any CHD –touching network segment. The system component also remains free of any CDE connection, influence and access to security controls unlike in the in-scope systems.
Give careful thought to a system before rendering it out-of-scope since like a forest they may share the water table with the river.
Can your organization transfer risks when using third-party service providers?
Both third parties and service providers determine your scope in compliance with PCI security standards. Like forest rangers, the two parties provide your river with remote support services for interaction with your environment placing your CDE river at risk. Invest therefore in third-party monitoring to control your ecosystem and prevent negative PCI DSS compliance.
Choose a third-party service that delineates PCI-DSS requirements parts both for you and the service provider.
Can the service provider prove its compliance?
You can receive either the on-demand assessments upon your request or annual evaluation by a qualified security assessor (QSA). If QSA is your preference, check to see that it meets your compliance needs in the contract.
How Do You Ease your PCI DSS Compliance Burden?
Subscribe to a platform which can offer you easy-to-read insights for governance systems. From the platform's PCI DSS dashboard, you should review your company’s health as well as critical problems which you should solve.
Additionally, the platform should provide updated, real-time insights which equip you to handle the ever-evolving threats and vulnerabilities. Consequently, you can store your penetration tests and audit reports on the platform for improvement of your company’s performance.
Understanding PCI Compliance & Network Segmentation is no simple feat. However, there is a need for PCI DSS network segmentation which is possible when you can differentiate between CHD and CDE. After understanding the differences, proceed to scope your system irrespective of whether it is in-the-scope or an out-of-scope system.
To aid your organization in PCI compliance, choose a third-party service provider whose contract outlines both your responsibilities. Finally, use a tested platform to ease your PCI DSS compliance burden.