The Green Sheet Online Edition
December 26, 2016 • Issue 16:12:02
New PCI guidelines address scoping, segmenting
The PCI Security Standards Council (PCI SSC), a global body responsible for developing and managing the Payment Card Industry (PCI) Data Security Standard (DSS), published new guidelines Dec. 9, 2016. Guidance for PCI DSS Scoping and Network Segmentation was developed to help organizations understand how to segment cardholder data to reduce the number of in-scope systems in their networks and simplify PCI DSS compliance, the council stated.
PCI SSC Chief Technology Officer Troy Leach said the council has consistently urged companies to simplify and minimize cardholder data footprints and reduce the effort needed to comply with the PCI DSS. "One way to accomplish this is through good segmentation," he stated. "It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise."
Segmentation is recommended but not required under the PCI DSS, Leach added. When properly implemented, network segmentation can contain a cardholder data environment within specified parameters, simplifying PCI DSS compliance and mitigating risk. Improperly segmented data can create unprotected cardholder data, making the data vulnerable.
The council thanked numerous payments industry stakeholders who collaborated on developing the guidance, including Christian Janoff, Security Solutions Architect for Cisco Systems Inc. and member of the PCI SSC Advisory Board. Janoff saw a need to clarify segmentation and scoping in the merchant community. "We at Cisco are proud to partner with the council and industry peers to bring additional scoping and segmentation guidance to the industry," he said.
The council is optimistic the new guidance will raise awareness of security best practices and foster a culture of security among payments industry stakeholders, including the following:
- Processing community: Merchants, acquirers, issuers, service providers, token service providers and others responsible for meeting PCI DSS requirements for their enterprises
- Security community: Qualified Security Assessors (QSAs), who are responsible for performing PCI DSS assessment, and PCI Forensic Investigators, who determine PCI DSS scope as part of a data security breach investigation
- Risk scoring and management community: Acquirers and third-party service providers that evaluate merchants' or service providers' PCI DSS compliance documentation
The council additionally noted the guidance provides a method to help organizations identify systems that need to be within PCI DSS scope. While it details approaches to proper segmentation, the guidance does not guarantee effective segmentation or PCI DSS compliance.
Further PCI perspectives
Despite having stipulated the need for organizations to maintain a cardholder data flow diagram that identifies the location of all cardholder data, the PCI SSC continues to find organizations that were not aware of exposed cardholder data until their systems were compromised.
"A common pattern seen in data breaches is where the attacker targets systems deemed by the entity to be out of scope for PCI DSS, then leverages those systems to gain access to more systems, which eventually provide a path to systems where CHD data can be found," the council wrote. "While segmentation may help reduce the number of exposure points to the cardholder data environment (CDE), it is not a silver bullet; implementing segmentation is no replacement for a holistic approach to securing an organization's infrastructure."
In the council's PCI Perspectives blog, Leach said the new guidance is far more comprehensive than scoping guidance the council has provided previously. The PCI SSC cautioned that controls that work effectively in one environment may not be adequate for another. Leach hopes each organization will adapt the guiding principles accordingly, in ways that work best for their infrastructures.
"When it comes to scoping for PCI DSS, the best practice approach is to start with the assumption that everything is in scope until verified otherwise," the council wrote. "When properly implemented, network segmentation is one method that can help reduce the number of system components in scope for PCI DSS."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.