PCI Compliance & Network Segmentation

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), the set of security requirements that applies to every organization that stores, processes or transmits credit or debit card data, whatever its size or transaction volume.

Network segmentation is dividing a network into separate zones and controlling the traffic allowed between them. It protects data because a system in one zone cannot reach systems in another zone unless a rule explicitly permits it.

Segmentation is not itself a PCI DSS requirement, but it is the main way to reduce the scope of an assessment: the controls can be concentrated on the segment that actually handles card data rather than applied to the entire network.

To really understand PCI Compliance, you should know the following:

Cardholder Data Environment (CDE)

Cardholder data (CHD) is, at a minimum, the full Primary Account Number (PAN). When the cardholder's name, expiration date or service code is stored, processed or transmitted together with the PAN, those elements are cardholder data as well, and everything transmitted with the PAN must be protected to PCI DSS requirements. Sensitive authentication data (full track data, card verification codes such as CVV2, and PINs) is treated separately and must never be stored after authorization.

The Cardholder Data Environment (CDE) is therefore the people, processes and technology that store, process or transmit cardholder data: the network devices, servers, computing devices and applications involved, together with any system component connected to them or able to affect their security.

It follows that employees with no business need should not be able to reach cardholder data at all, which is why the network that handles cardholder data should be separated from the other areas of your company.

PCI DSS and Network Segmentation

Network segmentation starts with understanding how data moves through the network. Different groups in the organization access different information in different ways. Tracing the cardholder data flow end to end shows which systems and paths carry it, and therefore which areas must be protected to achieve PCI compliance.

PCI DSS treats connectivity as physical, wireless or virtualized. Physical connections include wired network links and removable media such as USB drives; wireless connections include wireless LANs, Bluetooth and other radio links; virtualized connections include shared resources such as virtual machines and virtual networks. Any of these paths that carries PAN data is in scope and has to be secured.

Scoping Systems

To be PCI compliant you need to evaluate your network's systems and their access points critically. This is normally done as a PCI DSS scoping exercise, which starts by cataloguing where and how cardholder data is received: every payment channel and acceptance method, and what happens to the data from collection through verification to transfer, destruction or disposal.

Next, locate and document every place in the CDE where cardholder data is stored, processed or transmitted. This means understanding who handles the data and how, which processes it passes through, and which technologies touch it at any point. Automated data discovery (scanning file shares, databases and logs for PAN patterns) is a worthwhile check here, because card data often turns up in places the documented flows do not mention, such as debug logs and backups.

Then evaluate what drives the CDE: all processes, system components and people that can influence it, including systems that do not handle card data themselves but can affect the security of those that do (directory services, patch servers and log collectors are typical examples).

Once the data flow is mapped, set up controls to protect cardholder data in every state: at rest, in use and in transit. That means limiting where the data can be accessed from, who can access it and how much of it each role can see, through access policies, masking of the PAN wherever it is displayed, firewall rules between segments, and encryption for the data while it is stored and while it crosses the network.

Next, apply the established controls across every system component, process and person in scope. This is what makes the environment PCI compliant.

Finally, monitor and review the controls so they keep up as the cardholder data environment changes. Segmentation controls in particular must be tested: PCI DSS requires penetration testing of segmentation at least annually (every six months for service providers) and after any change to the segmentation, to confirm that out-of-scope networks still cannot reach the CDE.

Out-of-Scope Systems

The Payment Card Industry Security Standards Council (PCI SSC) defines an out-of-scope system as one that has no connectivity to any CDE system and no ability to affect the security of the CDE. Demonstrating that a system really is out of scope is the hard part: it takes evidence that segmentation is in place and effective, not just a network diagram.

For a system component to be out of scope, the PCI SSC requires that it:

  1. Does not store, process or transmit cardholder data.
  2. Is not connected to, and cannot reach, any network segment that accesses the CDE or can affect one of its security controls.
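To make the second condition concrete, here is an added example (written for this page, not part of the original article or of any PCI SSC material) of the kind of check a segmentation penetration test automates: a Python audit that parses a simplified first-match, default-deny firewall ruleset, probes whether a representative host in each non-CDE segment could open a connection to every host in the CDE on a set of common service ports, and flags each path that is not on the approved exception list. The segment addresses, the "action src dst port" rule syntax, the port list and the two rulesets are all constructed for the example; a real test would run the same probes with a scanner against the live firewalls rather than against an exported ruleset.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port


# Constructed addressing for the example.
CDE_NET = "10.10.0.0/29"            # tiny CDE so every host gets probed
PROBES = {                          # one representative source per segment
    "corp": "10.20.1.10",
    "guest-wifi": "10.40.0.20",
    "dmz": "192.168.100.10",
    "mgmt": "10.30.0.9",
    "jump-host": "10.30.0.5",
}
PORTS = [22, 443, 445, 1433, 3389]
# Documented, approved paths into the CDE: (source ip, destination port).
ALLOWED: Set[Tuple[str, int]] = {("10.30.0.5", 22)}

# Assumed rule syntax: "action src dst port", first match wins, implicit deny.
BAD_RULES = """
allow 10.30.0.5/32  10.10.0.0/29 22    # jump host SSH into the CDE
allow 10.20.0.0/16  10.10.0.0/29 any   # legacy rule: whole corporate LAN reaches the CDE
deny  0.0.0.0/0     10.10.0.0/29 any
""".splitlines()

GOOD_RULES = """
allow 10.30.0.5/32  10.10.0.0/29 22    # jump host SSH into the CDE
deny  0.0.0.0/0     10.10.0.0/29 any
""".splitlines()


def parse_rules(lines: Iterable[str]) -> List[Rule]:
    """Parse the toy ruleset; comments after '#' and blank lines are ignored."""
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, port = line.split()
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port)))
    return rules


def permitted(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching rule decides; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action == "allow"
    return False


def audit(rules: List[Rule], cde: str, probes: Dict[str, str],
          ports: Iterable[int], allowed: Set[Tuple[str, int]]) -> List[Tuple[str, str, str, int]]:
    """Return every (segment, src, cde_host, port) the ruleset lets through
    that is not on the approved exception list."""
    violations = []
    for cde_host in ipaddress.ip_network(cde).hosts():
        for name, src in probes.items():
            for port in ports:
                if permitted(rules, src, str(cde_host), port) and (src, port) not in allowed:
                    violations.append((name, src, str(cde_host), port))
    return violations


if __name__ == "__main__":
    for label, text in (("bad", BAD_RULES), ("good", GOOD_RULES)):
        found = audit(parse_rules(text), CDE_NET, PROBES, PORTS, ALLOWED)
        print(f"{label} ruleset: {len(found)} unapproved path(s) into the CDE")
        for v in found[:3]:
            print("  ", v)
```

With the first ruleset the audit reports thirty unapproved paths, all from the corporate segment: one forgotten "any" rule is enough to put the whole corporate LAN in scope as a connected-to network. With the second ruleset only the jump host can reach the CDE, and only on port 22, so the other segments satisfy the second condition above. The jump host itself remains in scope, which is the usual trade-off.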

Third Party Service Providers

Third-party service providers also fall within the scope of your PCI DSS compliance when they store, process or transmit cardholder data on your behalf or can affect the security of your CDE, for example by providing remote support or hosting. Be aware of the risk they bring: a compromised provider connection exposes your system just as an internal one would. PCI DSS therefore requires you to keep a list of such providers, perform due diligence before engaging them and monitor their compliance status at least annually.

Contracts with a service provider should state clearly which PCI DSS requirements the provider is responsible for and which remain with you. The provider should demonstrate compliance either through its own assessment by a Qualified Security Assessor (QSA), evidenced by a current Attestation of Compliance, or by having its services reviewed as part of your own assessment.

A good service provider will be able to show its governance controls and give you current information about its compliance status, so that your organization can respond as the threat environment changes.

Author Bio

Ken Lynch

Ken Lynch is an enterprise software startup veteran, who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.