As organizations begin their journey towards PCI compliance, one of the first steps is to accurately identify the systems that, at a minimum, must be included in the institution's PCI scope. At a high level, this "scope" covers any technology that stores, processes or transmits cardholder data, or that could otherwise affect the security of that data. It is important to understand that any system with connectivity to or from the cardholder data environment (CDE), whether a workstation, server, firewall, router, switch or other device, is considered in scope by default.
Once these systems are identified, it is recommended that they be separated from the "out-of-scope" systems that have lesser or different security needs (e.g. general-use computers and general network activity). For example, one of the eligibility requirements of the PCI Self-Assessment Questionnaire (SAQ) C-VT states, "Your company accesses the PCI DSS-compliant virtual payment terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via a firewall or network segmentation to isolate the computer from other systems)."
While segmentation itself is not a PCI DSS requirement, it is generally accepted as the most effective way to separate the identified in-scope systems from those that need not be involved in meeting PCI DSS requirements. Note, however, that where segmentation is used to reduce scope, the DSS does require that its effectiveness be verified by penetration testing at least annually (requirement 11.3.4 in PCI DSS v3.2.1). The intent of segmentation is to prevent out-of-scope systems from communicating with, or affecting the security of, systems within the CDE. When properly implemented, an attacker who gains access to a segmented out-of-scope system cannot reach or affect the security of the CDE.
Segmentation can consist of logical controls, physical controls, or a combination of both. Commonly used methods include firewall and router configurations that block traffic between out-of-scope networks and the CDE, network configurations that prevent communication between different systems or subnets, and physical access controls. A VLAN or subnet boundary on its own does not segment anything; the boundary must actually filter traffic so that out-of-scope hosts cannot initiate connections into the CDE. Without segmentation, an organization's entire network could be considered in PCI scope, which would require applying all 300+ PCI DSS controls to every system. By reducing the number of systems in scope, you can dramatically reduce the time and resources needed to secure your cardholder data environment.
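The firewall and router controls described above are only useful if the rule base really does stop out-of-scope networks from reaching the CDE, and rule bases drift. The script below is an added example written for this page (it is not CampusGuard's code or tooling) that audits a simplified, vendor-neutral rule list for two things: permit rules that let a source outside the CDE (or outside an explicitly approved admin segment) reach a CDE subnet, and a first-match lookup you can use to build a segmentation test table of "should this flow be permitted?" cases. The rule format, the subnets and the sample policy are all constructed for the example.

```python
"""Segmentation rule audit (added example, constructed policy).

The Rule format is a deliberately simple stand-in for a firewall or
router ACL; the CIDRs and rule names below are made up for this page.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str               # source CIDR; "0.0.0.0/0" means any
    dst: str               # destination CIDR; "0.0.0.0/0" means any
    proto: str = "any"     # "tcp", "udp", "icmp" or "any"
    port: str = "any"      # destination port as a string, or "any"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _within(net, allowed) -> bool:
    """True if every address of `net` lies inside one of `allowed`."""
    return any(net.subnet_of(a) for a in allowed)


def find_segmentation_findings(rules, cde_nets, approved_nets=()):
    """Return the names of permit rules that expose the CDE.

    A permit rule is a finding when its destination overlaps a CDE subnet
    and its source is not entirely inside the CDE or an approved segment
    (e.g. a jump host network that is itself treated as in scope). The
    check is order-insensitive and therefore conservative: a permit that
    an earlier deny would shadow is still reported, since a shadowed
    permit into the CDE is worth a review finding anyway.
    """
    cde = [_net(c) for c in cde_nets]
    trusted = cde + [_net(a) for a in approved_nets]
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src, dst = _net(r.src), _net(r.dst)
        touches_cde = any(dst.overlaps(c) for c in cde)
        if touches_cde and not _within(src, trusted):
            findings.append(r.name)
    return findings


def first_match(rules, src_ip, dst_ip, proto="tcp", port="any"):
    """First-match evaluation of one flow; None means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in _net(r.src) and d in _net(r.dst)
                and r.proto in ("any", proto)
                and r.port in ("any", str(port))):
            return r
    return None


def is_permitted(rules, src_ip, dst_ip, proto="tcp", port="any") -> bool:
    m = first_match(rules, src_ip, dst_ip, proto, port)
    return m is not None and m.action == "permit"


# Constructed sample environment: a payment segment, an approved admin
# segment that is in scope, and a corporate LAN that is meant to be
# out of scope.
CDE_NETS = ["10.10.0.0/24"]
APPROVED_NETS = ["10.250.0.0/28"]
RULES = [
    Rule("allow-admin-jump", "permit", "10.250.0.0/28", "10.10.0.0/24", "tcp", "22"),
    Rule("deny-guest-wifi", "deny", "192.168.50.0/24", "10.10.0.0/24"),
    # Corporate LAN (10.0.0.0/8) is broader than the CDE and admin nets,
    # so this lets out-of-scope hosts reach a CDE host: a finding.
    Rule("allow-corp-to-cde-web", "permit", "10.0.0.0/8", "10.10.0.10/32", "tcp", "443"),
    # Any-source into the CDE: a finding.
    Rule("allow-any-dns", "permit", "0.0.0.0/0", "10.10.0.53/32", "udp", "53"),
    # Outbound from the CDE; not what this inbound check is looking for.
    Rule("allow-cde-to-processor", "permit", "10.10.0.0/24", "203.0.113.0/24", "tcp", "443"),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name in find_segmentation_findings(RULES, CDE_NETS, APPROVED_NETS):
        print("FINDING: rule", name, "permits out-of-scope traffic into the CDE")
    # A small segmentation test table: flow -> expected result.
    for src, dst, proto, port, expect in [
        ("192.168.50.7", "10.10.0.10", "tcp", "443", False),   # guest Wi-Fi
        ("10.20.3.4", "10.10.0.10", "tcp", "443", False),      # corporate LAN
        ("10.250.0.5", "10.10.0.10", "tcp", "22", True),       # admin jump host
    ]:
        got = is_permitted(RULES, src, dst, proto, port)
        print(f"{src} -> {dst}/{proto}/{port}: permitted={got} expected={expect}")
```

The rule-level check answers "which rules break segmentation?", while `is_permitted` answers "does this specific flow get through?", which is the form a segmentation penetration test takes (and the form in which a tester will try to reproduce your findings). Broad sources such as `10.0.0.0/8` are flagged even though they contain the CDE and admin subnets, because the rest of that range is out of scope.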
Segmentation can also be an important tool for protecting sensitive data and achieving compliance with other regulations such as HIPAA, GLBA, FERPA, etc. Just as it is used to secure cardholder information and limit PCI scope, segmentation is an effective control for reducing risk to other critical systems and data. See the following examples:
- GLBA Safeguards Requirements
  - Ensure the security and confidentiality of customer records and information
  - Protect against any anticipated threats or hazards to the security or integrity of customer records and information
  - Protect against unauthorized access to or use of customer records
- HIPAA Security Rule
  - Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
  - Identify and protect against reasonably anticipated threats to the security or integrity of the information
In short, CampusGuard strongly recommends segmenting all critical data and networks so that the appropriate and required security controls can be applied more easily. Strict PCI DSS requirements such as logging, file integrity monitoring, vulnerability scanning and penetration testing may not be necessary for every system, and they are expensive to maintain if applied across all organizational systems. By limiting these controls to the systems that store, process or otherwise handle sensitive information, you will realize significant cost savings while still adequately protecting your data. Beyond helping you meet multiple standards and regulations at once, this also ensures that a compromise of one system does not expose the entire institution's network.
To be effective, segmentation does require careful planning, design, implementation, and monitoring. If you have questions or would like CampusGuard’s assistance, don’t hesitate to reach out to us.
Some additional guidance from our Security Advisor Team below:
[Wallace]: Not only does segmentation help reduce your organization's PCI scope, but it also helps to reduce the time it takes to perform periodic reviews of documentation, firewall rules, and the inventory of in-scope systems. As your CDE grows to include new or upgraded systems and processes, your organization will quickly know what additional controls are necessary to maintain a secure environment.