Tuesday, December 13, 2016
New PCI guidelines address scoping, segmenting
The PCI Security Standards Council (PCI SSC), a global forum responsible for developing and managing the Payment Card Industry (PCI) Data Security Standard (DSS), published new guidelines Dec. 9, 2016. Guidance for PCI DSS Scoping and Network Segmentation is designed to help organizations understand how to segment the cardholder data environment so as to reduce the number of in-scope systems in their networks and simplify PCI DSS compliance, the council stated.
PCI SSC Chief Technology Officer Troy Leach said the council has consistently urged companies to simplify and minimize cardholder data footprints and reduce the effort involved in complying with the PCI DSS. “One way to accomplish this is through good segmentation,” he stated. “It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise.”
Segmentation is a recommended practice but not a PCI DSS requirement, Leach added. When properly implemented, network segmentation can contain a cardholder data environment within prescribed boundaries, simplifying PCI DSS compliance and mitigating risk. Conversely, improper segmentation can create vulnerabilities by leaving the cardholder data environment unprotected while the organization believes it is isolated.
Industrywide collaboration
The council thanked numerous payments industry stakeholders who collaborated on developing the guidance, including Christian Janoff, Security Solutions Architect for Cisco Systems Inc. and member of the PCI SSC Advisory Board. Janoff saw a need to clarify segmentation and scoping in the merchant community.
“By providing guidance, we hope this will help to simplify the process, making it easier to secure payment card data,” he said. “We at Cisco are proud to partner with the council and industry peers to bring additional scoping and segmentation guidance to the industry.”
In addition, the council is optimistic the new guidance will raise awareness of security best practices and help the following stakeholders across the payments value chain build a culture of security:
- Processing community: Merchants, acquirers, issuers, service providers, token service providers and others responsible for meeting PCI DSS requirements for their enterprises
- Security community: Qualified Security Assessors (QSAs), who are responsible for performing PCI DSS assessments, and PCI Forensic Investigators (PFIs), who determine PCI DSS scope as part of a data security breach investigation
- Risk scoring and management: Acquirers and third-party service providers that evaluate merchants’ or service providers’ PCI DSS compliance documentation
The council additionally noted the guidance provides a method to help organizations identify systems that need to be included in PCI DSS scope. While it details approaches to proper segmentation, the guidance does not guarantee effective segmentation or PCI DSS compliance.
Further PCI perspectives
Despite having stipulated the need for organizations to maintain a cardholder data flow diagram that identifies the location of all cardholder data, the PCI SSC continues to find organizations that were not aware of exposed cardholder data until their systems were compromised.
“A common pattern seen in data breaches is where the attacker targets systems deemed by the entity to be out-of-scope for PCI DSS, then leverages those systems to gain access to more systems, which eventually provide a path to systems where CHD data can be found,” the council wrote. “While segmentation may help reduce the number of exposure points to the cardholder data environment (CDE), it is not a silver bullet; implementing segmentation is no replacement for a holistic approach to securing an organization’s infrastructure.”
In the council’s PCI Perspectives blog, Leach said the new guidance is far more comprehensive than scoping guidance the council has provided in the past. The PCI SSC found it necessary to provide “explicit guidance that explains clearly how to implement segmentation,” but said controls that work effectively in one environment may not be adequate for another. Leach hopes each organization will adapt the guiding principles accordingly, in ways that work best for their infrastructures.
“When it comes to scoping for PCI DSS, the best practice approach is to start with the assumption that everything is in scope until verified otherwise,” the council wrote. “When properly implemented, network segmentation is one method that can help reduce the number of system components in scope for PCI DSS.”
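The "everything is in scope until verified otherwise" rule and the breach pattern the council describes (an attacker pivoting from a system deemed out of scope into the CDE) can be checked mechanically against a firewall rule set. The following is an added example, not code from the article or from the PCI SSC guidance: it models a small network as a constructed host inventory plus constructed allow rules, walks the permitted flows backwards from the systems that hold cardholder data, and treats a host as out of scope only when no permitted path from it into the CDE exists. Host names, ports and rules are invented for illustration.

```python
"""Connectivity-based scoping check for a segmented network (constructed example)."""
from collections import deque

# Constructed inventory: host -> True if it stores, processes or transmits CHD.
HOSTS = {
    "pos-terminal-01": True,
    "payment-switch": True,
    "card-db": True,
    "jump-host": False,
    "hr-fileserver": False,
    "guest-wifi-ap": False,
    "marketing-web": False,
}

# Constructed firewall allow rules as (src, dst, dst_port); anything not listed is denied.
ALLOW_RULES = [
    ("pos-terminal-01", "payment-switch", 443),
    ("payment-switch", "card-db", 5432),
    ("jump-host", "card-db", 22),           # admin SSH into the CDE
    ("hr-fileserver", "jump-host", 3389),   # RDP from the corporate LAN to the jump host
    ("marketing-web", "card-db", 443),      # legacy rule nobody removed
]


def cde_systems(hosts):
    """Hosts that handle CHD themselves: always in scope, no path analysis needed."""
    return {h for h, handles_chd in hosts.items() if handles_chd}


def reverse_adjacency(rules):
    """Map dst -> {src: port} so the CDE can be walked backwards along permitted flows."""
    rev = {}
    for src, dst, port in rules:
        rev.setdefault(dst, {})[src] = port
    return rev


def classify(hosts, rules):
    """Return {host: (kind, path)} with kind in 'cde' | 'connected' | 'out-of-scope'.

    A host with no CHD but with any permitted path (direct or via other non-CDE
    hosts) into a CDE system is 'connected' and therefore in scope.  path lists
    the hops from that host to the first CDE system it reaches; it is the pivot
    chain an attacker would follow, and it is empty for the other two kinds.
    """
    cde = cde_systems(hosts)
    rev = reverse_adjacency(rules)
    next_hop = {h: None for h in cde}   # host -> next hop towards the CDE
    queue = deque(sorted(cde))
    while queue:                        # BFS over reversed edges from every CDE system
        node = queue.popleft()
        for src in rev.get(node, {}):
            if src not in next_hop:
                next_hop[src] = node
                queue.append(src)
    result = {}
    for h in hosts:
        if h in cde:
            result[h] = ("cde", [])
        elif h in next_hop:
            path = [h]
            while next_hop[path[-1]] is not None:
                path.append(next_hop[path[-1]])
            result[h] = ("connected", path)
        else:
            result[h] = ("out-of-scope", [])
    return result


def in_scope_count(hosts, rules):
    """Number of system components that would have to be assessed under PCI DSS."""
    return sum(1 for kind, _ in classify(hosts, rules).values() if kind != "out-of-scope")


def rules_pulling_into_scope(hosts, rules):
    """Allow rules whose source is a non-CDE host and whose destination is in scope.

    These are the rules to review first: removing one may take the source host
    (and everything that only reaches the CDE through it) out of scope.
    """
    kinds = {h: kind for h, (kind, _) in classify(hosts, rules).items()}
    return [r for r in rules if kinds[r[0]] != "cde" and kinds[r[1]] != "out-of-scope"]


if __name__ == "__main__":
    for host, (kind, path) in classify(HOSTS, ALLOW_RULES).items():
        print(f"{host:16} {kind:13} {' -> '.join(path)}")
    print("in scope:", in_scope_count(HOSTS, ALLOW_RULES))
    print("rules to review:", rules_pulling_into_scope(HOSTS, ALLOW_RULES))
```

Run against the constructed data, hr-fileserver is reported as connected through jump-host to card-db: exactly the pivot chain the council warns about, even though the file server never touches card data. Dropping the stale marketing-web rule removes that host from scope and lowers the component count. Two caveats apply in practice: the inventory and rules must come from the real firewalls and asset records, not from a diagram, and the result still has to be confirmed by testing the segmentation rather than trusting the model. The check also covers only permitted data flows; systems that can affect the security of the CDE without a direct flow (directory, logging and patching infrastructure, for example) are in scope too and must be tracked separately, which is part of what the council means by a holistic approach.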
Editorial Note:
Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.