The first step to determining the scope of your Payment Card Industry Data Security Standard (PCI DSS) compliance is segmenting your data networks. Network segmentation helps to improve data security and reduces the chances of breaches resulting from compromised systems.
What You Should Know About PCI DSS Network Segmentation
To properly segment your data networks for PCI DSS-compliance purposes, it is crucial to understand the purpose and objectives of network segmentation.
Cardholder Data Environment (CDE)
Information falling under personally identifiable information include the primary account number (PAN), cardholder name, service code, expiration date, and other sensitive card authentication data.
In a nutshell, any data that can be used by malicious third parties to steal a person’s identity or make fraudulent charges on his or her card is considered personally identifiable data.
The cardholder data environment (CDE) refers to the network of infrastructure used to store personally identifiable data associated with your customer’s credit or debit card.
The environment consists of any systems and processes used in the transmission, storage, and retrieval of personally identifiable data. Hardware and software components that make up the CDE include network devices, applications, and computing devices.
Systems that can access the CDE should be segmented and configured with complex security protocols such as multi-factor authentication, forced password changes, biometric security, among others to reduce security threats.
PCI DSS Requirements for Network Segmentation
Cardholder data (CD) can be accessed in different ways and at multiple points in the cardholder data environment. PCI DSS requires robust security measures to be implemented at all points of the CDE where the data can be accessed.
For example, employees may use devices such as USB drives to access sensitive data. In such a case, the organization should have a security policy governing the use of such devices to transmit information.
For instance, the organization may require employees to get authorization from IT before plugging any USB drive in a system that stores cardholder data.
The CDE can also be accessed wirelessly through Wireless LANs and Bluetooth. IT should configure the network infrastructure supporting these technologies to ensure they are robustly secure from intrusions by unauthorized parties.
This may involve forcing the use of strong passwords, limiting access to the networks by configuring the SSID to be hidden, setting up secure virtual firewalls, and so on.
What Scope of Your Network Should Be PCI DSS-Compliant?
When determining the scope of which parts of your network should be PCI DSS-compliant, it is critical to evaluate all points of data access in the cardholder data environment.
A proper PCI DSS assessment should be carried out to catalog how cardholder data is received, stored, and transmitted within the CDE. This means looking at all processes involved in payment transactions and testing them for integrity.
The data storage infrastructure should also be evaluated to ensure they conform to the industry’s best practices and are safe from malicious intrusions. You should understand the processes that handle the data and all systems or applications that may encounter the data during transmission.
All processes, systems, and people that have access or come into contact with data in the CDE should be incorporated in the PCI DSS compliance network segmentation program. Parties that do not interact with the CDE directly but encounter cardholder data should also be incorporated into the program.
After reviewing your systems, processes, and data environment, establish controls to secure the data. The controls should limit where information can be stored, the systems or processes can access the data, and so on. Improving data access security will require the implementation of various controls such as encryption methods and firewalls.
Finally, regularly monitor the security controls to ensure they are in line with the changing dynamics of your CDE.
Not all systems in the organization need to be PCI DSS-compliant. According to the Payment Card Industry Security Standard Council (PCI SSC), systems that have no access to the CDE are out of the scope of compliance.
An out-of-scope system is one that is not involved in any way in the transmission, storage, or access of personally identifiable data. Moreover, the system should not be connected to any network or process that is connected to the CDE. However, in today’s business world, it is almost impossible to find out-of-scope systems in any organization.
Can You Transfer Risk to Third-Party Service Providers?
Third party providers are also required to be PCI DSS-compliant. Therefore, the third parties you work with can impact your PCI DSS compliance.
Before engaging a third party company that will have access to your CDE or cardholder data in any form, find out its compliance status.; the service contract should indicate which parts of PCI DSS compliance the vendor will be in charge of and which ones will be assigned to your organization.