The Green Sheet Online Edition

December 26, 2016  •  Issue 16:12:02
New PCI guidelines address scoping, segmenting

The PCI Security Standards Council (PCI SSC), a global body responsible for developing and managing the Payment Card Industry (PCI) Data Security Standard (DSS), published new guidelines Dec. 9, 2016. Guidance for PCI DSS Scoping and Network Segmentation was developed to help organizations understand how to segment cardholder data to reduce the number of in-scope systems in their networks and simplify PCI DSS compliance, the council stated.

PCI SSC Chief Technology Officer Troy Leach said the council has consistently urged companies to simplify and minimize cardholder data footprints and reduce the effort needed to comply with the PCI DSS. "One way to accomplish this is through good segmentation," he stated. "It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise."

Segmentation is recommended but not required under the PCI DSS, Leach added. When properly implemented, network segmentation can contain the cardholder data environment within defined boundaries, simplifying PCI DSS compliance and mitigating risk. Improper segmentation, by contrast, can leave cardholder data outside the protected environment and therefore exposed.

Industrywide collaboration

The council thanked numerous payments industry stakeholders who collaborated on developing the guidance, including Christian Janoff, Security Solutions Architect for Cisco Systems Inc. and member of the PCI SSC Advisory Board. Janoff saw a need to clarify segmentation and scoping in the merchant community. "We at Cisco are proud to partner with the council and industry peers to bring additional scoping and segmentation guidance to the industry," he said.

The council is optimistic the new guidance will raise awareness of security best practices and foster a culture of security among payments industry stakeholders, including the following:

The council additionally noted the guidance provides a method to help organizations identify systems that need to be within PCI DSS scope. While it details approaches to proper segmentation, the guidance does not guarantee effective segmentation or PCI DSS compliance.

Further PCI perspectives

Despite having stipulated the need for organizations to maintain a cardholder data flow diagram that identifies the location of all cardholder data, the PCI SSC continues to find organizations that were not aware of exposed cardholder data until their systems were compromised.

"A common pattern seen in data breaches is where the attacker targets systems deemed by the entity to be out of scope for PCI DSS, then leverages those systems to gain access to more systems, which eventually provide a path to systems where CHD data can be found," the council wrote. "While segmentation may help reduce the number of exposure points to the cardholder data environment (CDE), it is not a silver bullet; implementing segmentation is no replacement for a holistic approach to securing an organization's infrastructure."

In the council's PCI Perspectives blog, Leach said the new guidance is far more comprehensive than scoping guidance the council has provided previously. The PCI SSC cautioned that controls that work effectively in one environment may not be adequate for another. Leach hopes each organization will adapt the guiding principles accordingly, in ways that work best for their infrastructures.

"When it comes to scoping for PCI DSS, the best practice approach is to start with the assumption that everything is in scope until verified otherwise," the council wrote. "When properly implemented, network segmentation is one method that can help reduce the number of system components in scope for PCI DSS."
