Compliance with the Payment Card Industry Data Security Standard (PCI DSS) starts with network segmentation. Segmentation in this context refers to instituting controls aimed at enhancing data security. To sufficiently meet the requirements on PCI segmentation, an understanding of the standard’s purpose and objectives is critical.
The Card Holder Data Environment (CDE)
According to PCI DSS, cardholder data (CHD) includes the personally identifiable data associated with a specific individual’s debit or credit card. The information may include the name of the cardholder, primary account number, service code, expiration date, or other sensitive authentication data. Primarily, CHD holds the information a thief would need to make fraudulent charges.
The cardholder data environment (CDE) includes any networked system or computer that stores, processes or transmits cardholder data. The CDE also incorporates computing devices, applications, servers and other system components. It can also include virtual components, security services, server types, applications or anything linked to the cardholder data environment.
Network Segmentation according to PCI DSS
The scope of network segmentation includes understanding the manner in which data moves within the system. You can use the analogy of a river to understand CDE and CHD. In this case, the cardholder data environment (CDE) is the river, and the cardholder data is the boat traveling along the river. And just as there are many access points for boats, CDE has numerous data access points.
Networks are similar to rivers with various connecting tributaries. If the cardholder data can flow down a branch, then it’s critical to institute safeguards along the river and its tributaries, or even construct a dam.
Connectivity according to PCI DSS includes physical, wireless, and virtualized connectivity. CHD can enter the river at any point. A USB drive is an example of physical connectivity, while Bluetooth and wireless LANs are examples of wireless connectivity. Virtualized connectivity comprises shared resources such as virtual machines and virtual firewalls. It is critical to secure each of these access points to prevent incidents of data theft and fraud.
How Businesses Scope Systems
Scoping for PCI DSS entails a critical evaluation of all the data access points in your cardholder environment – the CDE river. Cataloging how and where you receive cardholder data is the first step in a PCI DSS assessment. The assessment involves walking up and down the banks of your CDE river to identify all the payment channels and CHD acceptance methods. It does not stop there, however. You will need to track the route the information takes, from the collection point through to transfer, disposal, and destruction.
The next step is identification and documentation of the specific locations where storage, processing or transfer of the data occurs. It entails understanding not only the people involved in handling the data, but also the technologies and processes involved as the data moves through the CDE.
After tracking the flow of the information through your network, the next step is to incorporate all the system components, processes, and people that impact the CDE. Unlike the previous step, this one involves looking beyond those that interact with the information and concentrating on those that manage the data environment.
After the CDE review, you will then need to create sufficient controls to safeguard the information. In the same way that some rivers have landings to keep boaters from specific access points, your network requires controls. It is crucial to determine where the CHD can flow to and who can access it. That means creating dams by setting up adequate security measures such as encryption and firewalls.
After setting controls, you need to ensure they are applied to all the affected systems, components and personnel. You will also need to monitor the controls and make changes as the data environment evolves.
Out of Scope Systems
The PCI Security Standards Council defines out-of-scope systems as those without any access to the CDE. But finding these out-of-scope systems is an uphill task.
The Security Standards Council requires such a system not to process, store or even transmit cardholder data (CHD). It must also not connect to any CHD-linked network segment or system involved with CHD. The system shouldn’t have access to or influence any security control associated with CHD.
Be careful before declaring a system out of scope. The trees around the river are in scope if they can reach the same water as the river: a system that shares a network segment with the CDE is in scope even if it never handles CHD itself.
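The three out-of-scope criteria above can be applied mechanically to a system inventory. The following is an added example (not from the original article or from the PCI SSC) that assumes a constructed inventory and a hypothetical classify() function: a system is in scope if it handles CHD, sits on a CHD-carrying segment or connects directly to a CDE system, or manages the security controls of any in-scope system (this last rule is applied transitively, which is an assumption of the example).

```python
from dataclasses import dataclass, field

@dataclass
class System:
    name: str
    segment: str                                # VLAN/subnet the host sits on (the "water")
    handles_chd: bool = False                   # stores, processes or transmits CHD
    reaches: set = field(default_factory=set)   # systems it can connect to across segments
    secures: set = field(default_factory=set)   # systems whose security controls it manages

def classify(systems):
    """Label each system 'cde', 'connected' (in scope) or 'out_of_scope'."""
    by_name = {s.name: s for s in systems}
    cde = {s.name for s in systems if s.handles_chd}
    chd_segments = {by_name[n].segment for n in cde}   # segments the river flows through
    in_scope = set(cde)
    changed = True
    while changed:                                      # iterate to a fixed point
        changed = False
        for s in systems:
            if s.name in in_scope:
                continue
            on_chd_segment = s.segment in chd_segments                  # same water
            connects = bool(s.reaches & cde) or any(                    # direct link to CDE
                s.name in by_name[c].reaches for c in cde)
            influences = bool(s.secures & in_scope)                     # controls a control
            if on_chd_segment or connects or influences:
                in_scope.add(s.name)
                changed = True
    return {n: ("cde" if n in cde else "connected" if n in in_scope else "out_of_scope")
            for n in by_name}

# Constructed sample inventory (not a real network).
INVENTORY = [
    System("pos-terminal", "pos-vlan", handles_chd=True),
    System("payment-gateway", "pci-dmz", handles_chd=True),
    System("pos-print-server", "pos-vlan"),                     # never sees CHD, same VLAN
    System("jump-host", "mgmt", reaches={"payment-gateway"}),   # admin path into the CDE
    System("ad-controller", "corp", secures={"jump-host"}),     # authenticates the jump host
    System("hr-wiki", "corp", reaches={"ad-controller"}),       # talks only to a connected-to host
    System("guest-wifi", "guest"),
]

if __name__ == "__main__":
    for name, label in classify(INVENTORY).items():
        print(f"{name:18} {label}")
```

Note that hr-wiki lands out of scope only because the example, like the article's definition, treats connectivity as direct reachability to CHD systems; an assessor may still pull it in if segmentation between corp and the CDE is not verified.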
Is it Possible to Transfer Risks to Third Party Organizations?
Service providers and third-party organizations are within the fold of your PCI DSS scope. In relation to your CDE river, these service providers and third-party organizations are like forest rangers. Mostly, they provide remote services or engage with your network environment, and they can expose it to risk.