Addressing Network Segmentation for PCI 3.2 with the Software-Defined Perimeter
Most companies selling to the public – and certainly all e-commerce companies – are required to comply with the Payment Card Industry Data Security Standards (PCI DSS). Basically, all businesses that accept credit cards as payment must adhere to the PCI standards, and go through a certification process on an annual basis.
While PCI DSS is nothing new, breaches are still occurring with alarming frequency. And those charged with protecting credit card information are paying attention, revising the standards for security credit card data to combat emerging threats and scenarios.
In December 2016, the PCI DSS Council released “Guidance for PCI DSS Scoping and Network Segmentation”. This document was created to clarify how businesses and auditors should assess their Cardholder Data Environments (CDE). Specifically, it includes guidance as to what systems and processes should be included as part of a PCI evaluation and scope:
“Accurate PCI DSS scoping involves critically evaluating the CDE and CHD flows, as well as all connected-to and supporting system components, to determine the necessary coverage for PCI DSS requirements. Systems with connectivity or access to or from the CDE are considered “connected to” systems. These systems have a communication path to one or more system components in the CDE.”
The guidance summaries how environment scoping should be approached:
“The following scoping concepts always apply:
- Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.
- Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.
- In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.”
One of the primary areas of focus is how critical network segmentation is to reduce the overall PCI scope, as even machines that are not directly involved with credit card processes, but still able to access Cardholder Data (CHD) *MUST* also be included as part of the PCI scope:
“The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE. Segmentation is typically achieved by technologies and process controls that enforce separation between the CDE and out-of-scope systems. When properly implemented, a segmented (out-of-scope) system component could not impact the security of the CDE, even if an attacker obtained administrative access on that out-of-scope system.”
As a best practice, and to significantly reduce the scope of the PCI environment, companies must look to properly segmented networks to protect their CHD.
PCI QSAs Recommend a Software-Defined Perimeter
When looking for tools to segment your networks, you can always look to a myriad of firewall rules and antiquated third party tools that might get you to the desired state. But the solution being evaluated and recommended by PCI Qualified Security Assessors (QSAs) for network segmentation is the Software-Defined Perimeter (SDP).
Cyxtera AppGate SDP is the industry’s best and leading Software-Defined Perimeter solution. AppGate SDP will reduce the scope of PCI DSS and other regulatory audits by eliminating unnecessary devices, networks and appliances from the audit. AppGate SDP makes any resources that are not specifically granted access to an environment invisible to the environment, thus reducing the chance of additional devices and resources being added to the evaluation.
Many companies are evaluating their annual PCI audit results and looking for ways to remediate outstanding control gaps, especially protecting network access. AppGate SDP addresses these requirements, as well as many of the other PCI controls.
Learn more about how AppGate SDP addresses PCI 3.2 requirements.