The Council just published new Guidance for PCI DSS Scoping and Network Segmentation to help clarify basic scoping and segmentation principles provided in the PCI Data Security Standard (PCI DSS). QSA Jacob Ansari discusses how this guidance can help assessors and merchants in their day-to-day jobs.
Why is determining scope and proper segmentation so important to protect cardholder data?
Jacob Ansari: Scope is foundational to complying with PCI DSS. Without a clear understanding of scope, you cannot validate its boundaries and you don’t know where to apply the requirements. Determining scope can also get very complex; even modestly complex organizations can have intricate questions of where to draw the line between in-scope and out-of-scope, so it’s very rarely a trivial exercise.
What are some common points of confusion when it comes to determining scope?
Jacob Ansari: Perhaps the most common confusing point comes from systems that are connected to those that store, transmit, or process cardholder data. This can have wide-ranging and serious implications to an organization, depending on the connectedness of its various networks. Confusion also arises with systems that affect the security of the cardholder data environment, or even the scope applicability for networks transmitting data, particularly encrypted cardholder data.
What challenges do your customers have when it comes to properly segmenting their network?
Jacob Ansari: The real challenge is that modern environments make use of highly connected environments. The retail environment produces sales and inventory data that other parts of the business consume, and disconnecting the retail network for the purposes of segmentation can limit or impair the organization’s ability to incorporate that data into its ERP or other business applications. Time and again, I hear organizations protest the need for segmentation, at least where they regard its application as problematic, as unrealistic for their business needs.
How do you see this guidance helping you in your day-to-day job?
Jacob Ansari: This guidance will both make things easier and more difficult for our clients. It offers some resolution to the scope applicability for systems that connect to the systems that connect to the cardholder data environment (i.e., the age-old “connected to connected to” problem). It also more firmly pronounces as “in scope” systems that many organizations had not previously considered such as administrator workstations or IT management systems. It also adds some complexity, in that not all of the PCI DSS requirements may necessarily apply to all situations, particularly some of the “connected to” systems, but making that determination will require some careful analysis and justification for why any requirements shouldn’t apply.
How do you see this guidance helping the security posture for your clients (or for the industry as a whole)?
Jacob Ansari: The guidance offers rigorous and careful assessors some additional backing when asking clients to consider not just the business implications of proper segmentation (“It’s too hard! It interferes with the business!”), but to consider the threats to the organization when determining the extent of segmentation. It’s important to not confuse risk assessment with inconvenience assessment, which many organizations do when taking an inadequate position on scope.
What other ways do you recommend to your clients regarding reducing PCI DSS scope besides segmentation?
Jacob Ansari: Certainly, I’d recommend a PCI-validated P2PE solution, and for merchants making use of a non-validated solution, I’d suggest that they demand that their providers undergo P2PE validation. I’d also look very carefully at the business value of lesser-used payment channels and determine if they’re really worth it when the costs of compliance may be very high.
The Council tapped a number of industry experts to review and provide feedback on this guidance, you being one of them. Why is it important for the Council to create guidance with industry input?
Jacob Ansari: The payments industry has a lot of different facets and viewpoints, and incorporating feedback from a good cross-section of industry voices helps identify the challenges faced by different groups within the industry and helps limit the possibility that guidance provides only limited use or use to only a subset of the industry.
About Jacob Ansari, Manager, Schellman & Company, LLC
Mr. Ansari performs and manages PCI DSS assessments. Additionally, Jacob oversees other Payment Card Industry assessment services, namely PA-DSS and P2PE. Jacob’s career spans over fifteen years of information security consulting and assessment services, including network and application security assessments, penetration testing, forensic examinations, security code review, and information security expertise in support of legal matters. Jacob has performed payment card security compliance assessments since the payment card brands operated their own standards prior to the advent of PCI DSS. Jacob speaks regularly to a variety of audiences on matters of information security, incident response, and payment card compliance strategy.