This post originally appeared on the Cryptzone blog. You can find it here.
Most companies selling to the public – and certainly all e-commerce companies – are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). Basically, all businesses that accept credit cards as payment must adhere to the PCI standards and go through a certification process on an annual basis.
While the PCI DSS is nothing new, breaches are still occurring with alarming frequency. And those charged with protecting credit card information are paying attention, revising the standards for securing credit card data to combat emerging threats and scenarios.
In December 2016, the PCI DSS Council released “Guidance for PCI DSS Scoping and Network Segmentation”. This document was created to clarify how businesses and auditors should assess their Cardholder Data Environments (CDE). Specifically, it includes guidance as to what systems and processes should be included as part of a PCI evaluation and scope:
Accurate PCI DSS scoping involves critically evaluating the CDE and CHD flows, as well as all connected-to and supporting system components, to determine the necessary coverage for PCI DSS requirements. Systems with connectivity or access to or from the CDE are considered “connected to” systems. These systems have a communication path to one or more system components in the CDE.
The guidance summarizes how environment scoping should be approached:
The following scoping concepts always apply:
· Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.
· Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.
· In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.
One of the primary areas of focus is how critical network segmentation is to reducing the overall PCI scope: even machines that are not directly involved in credit card processing but are still able to access Cardholder Data (CHD) *MUST* also be included in the PCI scope:
The intent of segmentation is to prevent out-of-scope systems from being able to communicate with systems in the CDE or impact the security of the CDE. Segmentation is typically achieved by technologies and process controls that enforce separation between the CDE and out-of-scope systems. When properly implemented, a segmented (out-of-scope) system component could not impact the security of the CDE, even if an attacker obtained administrative access on that out-of-scope system.
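The three scoping concepts quoted earlier and the segmentation passage above can be turned into a repeatable check over a system inventory, which is useful when preparing for an assessment. The following Python is an added example, not code from the original post or from AppGate; the inventory, zone labels and communication links are constructed, and it reads “connected-to” as a direct communication path to or from a CDE component (an assessor may take a wider view). It also shows how removing a single communication path, which is what segmentation enforces, takes a system out of scope.

```python
"""Apply the PCI DSS scoping concepts to a constructed system inventory.

Rules implemented (from the PCI SSC scoping guidance as quoted in the post):
  1. Systems in the CDE are in scope. A system that stores, processes or
     transmits account data is treated as part of the CDE whatever its zone label.
  2. Systems with a communication path to or from a CDE component are in scope.
  3. In a flat network, every system is in scope if any system handles account data.
"""

# Constructed inventory (hypothetical names, not from the post).
SYSTEMS = {
    "pos-terminal": {"zone": "CDE", "handles_chd": True},
    "payment-db": {"zone": "CDE", "handles_chd": True},
    "web-frontend": {"zone": "DMZ", "handles_chd": True},   # transmits PAN, so it is CDE
    "jump-host": {"zone": "corp", "handles_chd": False},
    "hr-server": {"zone": "corp", "handles_chd": False},
    "dev-laptop": {"zone": "corp", "handles_chd": False},
}

# Constructed connectivity: (src, dst) means src has a communication path to dst.
LINKS = {
    ("web-frontend", "payment-db"),
    ("jump-host", "payment-db"),
    ("hr-server", "jump-host"),
}


def classify(systems, links, flat_network=False):
    """Return {system_name: reason} for every system that is in PCI scope."""
    # Rule 1: CDE membership by zone label or by handling account data.
    cde = {n for n, s in systems.items() if s["zone"] == "CDE" or s["handles_chd"]}
    scope = {n: "in CDE" for n in cde}

    # Rule 3: a flat network offers no segmentation, so any account data
    # anywhere pulls every system into scope.
    if flat_network and cde:
        return {n: scope.get(n, "flat network with account data") for n in systems}

    # Rule 2: direct connectivity to or from a CDE component (either direction).
    for src, dst in links:
        if src in cde and dst not in cde:
            scope.setdefault(dst, f"connected to CDE ({src})")
        elif dst in cde and src not in cde:
            scope.setdefault(src, f"connected to CDE ({dst})")
    return scope


def out_of_scope(systems, links, flat_network=False):
    """Sorted names of systems that segmentation keeps out of the assessment."""
    return sorted(set(systems) - set(classify(systems, links, flat_network)))


if __name__ == "__main__":
    print("flat network, out of scope:", out_of_scope(SYSTEMS, LINKS, flat_network=True))
    print("segmented, out of scope:", out_of_scope(SYSTEMS, LINKS))
    # Enforcing segmentation between the jump host and the payment database
    # removes the only path that dragged the jump host into scope.
    tightened = LINKS - {("jump-host", "payment-db")}
    print("after removing jump-host path:", out_of_scope(SYSTEMS, tightened))
```

With the constructed inventory the flat network leaves nothing out of scope, the segmented network excludes only the HR server and the developer laptop, and removing the jump host's path to the payment database also excludes the jump host. The reason strings in `classify` are the evidence an assessor would expect for each in-scope decision.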
As a best practice, and to significantly reduce the scope of the PCI environment, companies must look to properly segmented networks to protect their CHD.
AppGate SDP
When looking for tools to segment your networks, you can always look to a myriad of firewall rules and antiquated third-party tools that might get you to the desired state. But the solution being evaluated and recommended by PCI QSAs for network segmentation is the Software-Defined Perimeter (SDP).
AppGate SDP is the industry’s best and leading Software-Defined Perimeter solution. Properly deployed, AppGate SDP will reduce the scope of PCI DSS and other regulatory audits by eliminating unnecessary devices, networks and appliances from the audit. AppGate SDP makes any resources that are not specifically granted access to an environment invisible to that environment, thus reducing the chance of additional devices and resources being added to the evaluation.
Many companies are evaluating their annual PCI audit results and looking for ways to remediate outstanding control gaps, especially those related to protecting network access. AppGate SDP addresses these requirements, as well as many of the other PCI controls. More information about how AppGate SDP addresses PCI DSS 3.2 requirements can be found in this whitepaper.