Page 10 - GS161202

News

New PCI guidelines address scoping, segmenting

The PCI Security Standards Council (PCI SSC), a global body responsible for developing and managing the Payment Card Industry (PCI) Data Security Standard (DSS), published new guidelines Dec. 9, 2016. Guidance for PCI DSS Scoping and Network Segmentation was developed to help organizations understand how to segment cardholder data to reduce the number of in-scope systems in their networks and simplify PCI DSS compliance, the council stated.

PCI SSC Chief Technology Officer Troy Leach said the council has consistently urged companies to simplify and minimize cardholder data footprints and reduce the effort needed to comply with the PCI DSS. "One way to accomplish this is through good segmentation," he stated. "It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise."

Segmentation is recommended but not required under the PCI DSS, Leach added. When properly implemented, network segmentation can contain a cardholder data environment within specified parameters, simplifying PCI DSS compliance and mitigating risk. Improper segmentation can leave cardholder data unprotected and vulnerable.

Industrywide collaboration

The council thanked numerous payments industry stakeholders who collaborated on developing the guidance, including Christian Janoff, Security Solutions Architect for Cisco Systems Inc. and member of the PCI SSC Advisory Board. Janoff saw a need to clarify segmentation and scoping in the merchant community. "We at Cisco are proud to partner with the council and industry peers to bring additional scoping and segmentation guidance to the industry," he said.

The council is optimistic the new guidance will raise awareness of security best practices and foster a culture of security among payments industry stakeholders, including the following:

• Processing community: Merchants, acquirers, issuers, service providers, token service providers and others responsible for meeting PCI DSS requirements for their enterprises

• Security community: Qualified Security Assessors (QSAs), who are responsible for performing PCI DSS assessments, and PCI Forensic Investigators, who determine PCI DSS scope as part of a data security breach investigation

• Risk scoring and management community: Acquirers and third-party service providers that evaluate merchants' or service providers' PCI DSS compliance documentation

The council additionally noted the guidance provides a method to help organizations identify systems that need to be within PCI DSS scope. While it details approaches to proper segmentation, the guidance does not guarantee effective segmentation or PCI DSS compliance.

Further PCI perspectives

Despite having stipulated the need for organizations to maintain a cardholder data flow diagram that identifies the location of all cardholder data, the PCI SSC continues to find organizations that were not aware of exposed cardholder data until their systems were compromised.

"A common pattern seen in data breaches is where the attacker targets systems deemed by the entity to be out of scope for PCI DSS, then leverages those systems to gain access to more systems, which eventually provide a path to systems where CHD data can be found," the council wrote. "While segmentation may help reduce the number of exposure points to the cardholder data environment (CDE), it is not a silver bullet; implementing segmentation is no replacement for a holistic approach to securing an organization's infrastructure."

In the council's PCI Perspectives blog, Leach said the new guidance is far more comprehensive than scoping guidance the council has provided previously. The PCI SSC cautioned that controls that work effectively in one environment may not be adequate for another. Leach hopes each organization will adapt the guiding principles accordingly, in ways that work best for their infrastructures.

"When it comes to scoping for PCI DSS, the best practice approach is to start with the assumption that everything is in scope until verified otherwise," the council wrote. "When properly implemented, network segmentation is one method that can help reduce the number of system components in scope for PCI DSS."

Fintechs inch closer to bank status

The U.S. Office of the Comptroller of the Currency (OCC) may soon grant bank charters to fintech firms. Comptroller of the Currency Thomas J. Curry shared plans for a far-reaching initiative Dec. 2, 2016, when the OCC released a paper titled Exploring Special Purpose National Bank Charters for FinTech Companies. In the paper, Curry reflected on the banking industry's resilience and adaptability, noting that banks themselves were once considered revolutionary.
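The scoping rule the council states in the PCI item above (everything is in scope until verified otherwise, and a system that can reach the CDE, even through an intermediary, is not out of scope) as an added Python example; it is not from the article or from the PCI SSC guidance. The inventory, the allowed-connection map, the category names and the idea of passing a set of independently verified systems are all constructed assumptions for illustration.

```python
from collections import deque

# Constructed sample inventory (not from the article): which systems store,
# process or transmit cardholder data (CHD). Those systems form the CDE.
SYSTEMS = {
    "pos-terminal": True,
    "payment-gw": True,
    "jump-host": False,
    "hr-wiki": False,
    "guest-wifi": False,
}

# Constructed allowed connections, source -> destinations, as permitted by
# the firewall / segmentation rules. The hr-wiki -> jump-host -> payment-gw
# chain is the "out of scope system used as a path" pattern the council cites.
ALLOWED = {
    "jump-host": {"payment-gw"},
    "hr-wiki": {"jump-host"},
    "guest-wifi": set(),
}


def classify_scope(systems, allowed, verified=frozenset()):
    """Return {system: category}. Everything starts in scope; a system leaves
    scope only if it holds no CHD, has no network path into the CDE, and its
    isolation has been verified (hypothetical input, e.g. a segmentation test)."""
    cde = {s for s, has_chd in systems.items() if has_chd}
    # Reverse adjacency lets us walk from the CDE outwards to every system
    # that can reach it, directly or through intermediaries.
    reverse = {s: set() for s in systems}
    for src, dsts in allowed.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    connected, queue = set(), deque(cde)
    while queue:
        for src in reverse.get(queue.popleft(), ()):
            if src not in cde and src not in connected:
                connected.add(src)
                queue.append(src)
    scope = {}
    for s in systems:
        if s in cde:
            scope[s] = "cde"
        elif s in connected:
            scope[s] = "connected-to"
        elif s in verified:
            scope[s] = "out-of-scope"
        else:
            scope[s] = "in-scope (unverified)"
    return scope
```

Removing the hr-wiki to jump-host rule (and re-verifying hr-wiki) is what moves hr-wiki out of scope; nothing in the inventory alone does.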