Most businesses do not fully understand where they need PCI DSS controls and which systems need to be secured. This article outlines the essential steps an organization can take to identify the systems that must be covered by PCI DSS and, where possible, to narrow that coverage.
It also explains how segmentation can be used to reduce the number of systems that require PCI DSS controls.
The best practice approach to PCI DSS scoping is to treat everything as in scope until it has been verified otherwise. Network segmentation is an approach that, when properly implemented, can reduce the number of system components covered by PCI DSS.
Even if a system is not in the scope of PCI DSS, it can still pose a risk to the network and business. Therefore, the security of networks outside of the PCI scope is also important, and implementing segmentation does not mean that these networks should remain vulnerable.
A typical breach pattern is an attacker compromising systems the organization considers out of PCI DSS scope, then pivoting from those systems to others until cardholder data is reached.
While network segmentation reduces the number of access points to the cardholder data environment, it is not a silver bullet and provides no absolute guarantee. Network segmentation cannot replace a comprehensive security approach to protecting a company’s infrastructure.
Segmentation involves the application of additional security measures to separate systems for different security requirements. Segmentation is often used to separate in-scope systems from out-of-scope systems to reduce the number of systems covered by the PCI DSS.
Segmentation can consist of logical controls, physical controls, or a combination of both. Commonly used PCI DSS segmentation approaches include firewall and router configurations that prevent traffic between out-of-scope networks and the cardholder data environment, network configurations that prevent communication between subnets, and physical access controls.
Scoping involves identifying the people, systems, and technologies that interact with or otherwise affect the security of cardholder data.
Using technologies to control connectivity between systems and networks in order to meet PCI DSS requirements is not considered a segmentation approach that limits PCI DSS scope. Such controlled communications are potentially more secure than uncontrolled channels, but they cannot be used to reduce the number of system components covered by PCI DSS.
Scoping PCI DSS requires a systematic assessment of all connected and supporting system components associated with card data, the cardholder data environment, and the cardholder data flows.
Networks connected or accessible to the cardholder data environment are considered “connected-to” networks. These networks have a communication path to one or more components of the cardholder data environment (CDE). Connectivity can occur through different technologies, including physical, digital, and virtual.
It is essential to understand the risks and impacts of excluding or ignoring connected system components when scoping PCI DSS. A vulnerability or compromise in a connected system component can also affect the cardholder data environment.
The following assumptions always apply to the scope of PCI DSS:
- Systems within the cardholder data environment (CDE) are covered by PCI DSS, regardless of their functionality or reason for their presence in the cardholder data environment.
- Systems that connect to a system in a cardholder data environment (CDE), regardless of their functionality or reason for having CDE connections, are within PCI DSS scope.
- PCI DSS covers all systems in a flat network where card data is stored, processed, or transmitted.
How is Network Segmentation Implemented for PCI DSS?
Segmenting the cardholder data environment from the rest of the organization’s network is not a PCI DSS requirement. However, it is highly recommended as a method that can reduce the scope and cost of the PCI DSS assessment.
The purpose of segmentation is to remove the ability of out-of-scope systems to interact with cardholder data environment (CDE) systems or to impact the security of the CDE.
If network segmentation is implemented correctly, an attacker with administrative access to an out-of-scope system cannot use that segmented system component to compromise the cardholder data environment (CDE).
Connections or access to the cardholder data environment (CDE) from systems outside it are permitted. In that case, however, all of these connections are covered by PCI DSS, and all relevant PCI DSS requirements apply to protect the connection or access.
The mere existence of separate network segments does not by itself constitute segmentation. Segmentation is accomplished through purpose-built controls that explicitly enforce separation and prevent out-of-scope networks from gaining access to cardholder data (CHD).
Examples of controls that can be applied to prevent out-of-scope systems from compromising a connected or security-affecting system include the following:
- Host-based firewall or intrusion detection and prevention systems (IDS / IPS) on in-scope systems that prevent connection attempts from out-of-scope systems.
- Physical access controls that allow only designated users to access in-scope systems.
- Logical access controls that allow only specified users to log on to in-scope systems.
- Using multi-factor authentication mechanisms in in-scope systems.
- Restricting administrative access privileges to specified users, systems, or networks.
- Active monitoring of suspicious network or system behavior that could indicate an out-of-scope system attempting to gain access to an in-scope system component or the cardholder data environment.
The purpose of such controls is to provide reasonable assurance that an out-of-scope system cannot utilize an in-scope system component to gain access to the cardholder data environment or to affect card data environment security.
The controls used to provide this assurance are part of the general segmentation verification. Once all segmentation checks have been validated, systems can be considered outside the scope of PCI DSS.
It should be noted that there is no solution or technology to eliminate all PCI DSS requirements. Tools or technologies such as encryption or tokenization can help reduce risk overall, reduce the applicability of some PCI DSS requirements, reduce cardholder data environment (CDE) coverage, or make it easier to meet PCI DSS requirements.
These technologies must be implemented appropriately, with the configuration settings and processes needed to ensure that they are consistently and securely managed in support of cardholder data protection. Such controls should be part of annual audits and ongoing monitoring to confirm that they remain effective.
How is the PCI DSS Scope Determined?
The first stage of a PCI DSS assessment is to determine the scope of the review. Determining the PCI DSS scope is the process of identifying all the system components, employees, and processes to be included in the PCI DSS assessment. This establishes which system components and processes will be examined and which employees will be interviewed.
Determining the proper coverage is critical to assessing the scope required for PCI DSS compliance requirements. Hence, a thorough assessment of the cardholder data environment and its connected system components is essential.
The following steps can be taken to determine the scope of PCI DSS:
- Identify all payment channels and methods of accepting cardholder data, from the point where cardholder data is collected to the point of destruction, disposal, or transfer.
- Document all cardholder data streams and identify employees, processes, and technologies involved in cardholder data storage, processing, or transmission. Identified employees, systems, and technologies are all part of the cardholder data environment.
- Identify all system components and personnel that interact with or may affect the cardholder data environment. PCI DSS covers all of these identified employees, systems, and technologies because they have connections to the cardholder data environment or can affect the security of cardholder data.
- Implement controls to separate the PCI DSS scope from personnel, systems, and technology that do not need to interact or affect the cardholder data environment.
In-Scope PCI DSS Systems
The following systems are in the scope of PCI DSS:
- System components that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD)
- System components on the same subnet or VLAN as systems that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).
- System components on a different network that can connect to or access the cardholder data environment (CDE).
- System components that can connect to or be accessed by the cardholder data environment (CDE) through another system.
- System components that can affect the configuration or security of the cardholder data environment (CDE) or the processing of cardholder data and sensitive authentication data (SAD).
- The PCI covers system components that provide security services to the cardholder data environment (CDE).
- Systems that support PCI DSS requirements, such as time servers and audit log storage servers.
- The PCI covers system components that provide segmentation of the cardholder data environment (CDE) from out-of-scope systems and networks.
Out-of-Scope PCI DSS Systems
The following systems are out of the scope of PCI DSS:
- System components that do not store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).
- System components that are not on the same network segment, subnet, or VLAN as systems that store, process, or transmit cardholder data (CHD).
- System components that are not connected to or accessed by any system in the cardholder data environment (CDE).
- System components that cannot access the cardholder data environment (CDE), or affect a security control for the cardholder data environment, through an in-scope system.
- System components that do not meet any of the criteria described above for connected or security-affecting systems.
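As an added illustration (not code from the article or from the PCI SSC), the following Python model applies the in-scope and out-of-scope criteria listed above to a constructed system inventory: CHD/SAD systems and their subnet or VLAN form the CDE, anything with a communication path to the CDE (direct or through another component) is connected-to, supporting services are in scope even without a data path, and a flat network puts everything in scope. The inventory, host names, and VLAN names are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class System:
    name: str
    segment: str                  # subnet or VLAN the component sits on
    handles_chd: bool = False     # stores, processes or transmits CHD or SAD
    links: set = field(default_factory=set)  # permitted communication paths to other components
    secures_cde: bool = False     # security, segmentation or support service for the CDE

CDE, CONNECTED, OUT = "CDE", "connected-to/security-impacting", "out-of-scope"

def classify(inventory, flat_network=False):
    """Apply the scoping criteria above and return {system name: category}."""
    if flat_network:              # flat network carrying CHD: everything is in scope
        return {s.name: CDE for s in inventory}
    # Rule 1: CHD/SAD systems and everything on their subnet or VLAN form the CDE.
    cde_segments = {s.segment for s in inventory if s.handles_chd}
    cats = {s.name: CDE for s in inventory if s.segment in cde_segments}
    # Rule 2: any path to the CDE, direct or via another component, makes a system connected-to.
    adjacency = {s.name: set() for s in inventory}
    for s in inventory:
        for peer in adjacency.keys() & s.links:
            adjacency[s.name].add(peer)
            adjacency[peer].add(s.name)   # a communication path counts in either direction
    queue = deque(cats)
    while queue:
        for peer in adjacency[queue.popleft()]:
            if peer not in cats:
                cats[peer] = CONNECTED
                queue.append(peer)
    # Rule 3: services the CDE relies on (time, log storage, segmentation firewall) are in scope.
    for s in inventory:
        if s.secures_cde:
            cats.setdefault(s.name, CONNECTED)
    # Everything else is out of scope only while the segmentation isolating it stays validated.
    for s in inventory:
        cats.setdefault(s.name, OUT)
    return cats

# Constructed sample inventory for illustration; not a real network.
INVENTORY = [
    System("pos-terminal", "vlan-pay", handles_chd=True, links={"payment-gw"}),
    System("payment-gw", "vlan-pay", handles_chd=True),
    System("digital-signage", "vlan-pay"),                     # no CHD, but shares the CDE VLAN
    System("jump-host", "vlan-mgmt", links={"payment-gw"}),    # direct path into the CDE
    System("admin-laptop", "vlan-corp", links={"jump-host"}),  # reaches the CDE via jump-host
    System("ntp-server", "vlan-infra", secures_cde=True),      # supports PCI DSS requirements
    System("guest-wifi-ap", "vlan-guest"),                     # isolated from the CDE
]
```

Calling `classify(INVENTORY)` places the signage host in the CDE because of its VLAN and the admin laptop in scope through the jump host, which is the transitive case the criteria above describe.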
For a system, employee, or process to be considered out of scope, reasonable assurance must be provided that it cannot be used in a way that compromises the security of any in-scope component, and the necessary controls must be in place.
In addition to internal systems and networks, all connections to and services from third-party service providers must be identified to determine whether they fall within the scope of PCI DSS.
If third-party connections are used that could compromise the cardholder environment, these links and service providers should be included, and relevant PCI DSS controls applied to mitigate risk.
Similarly, if the organization is outsourcing to a third party for in-scope functions or facilities, or uses a third-party service that affects the way it meets PCI DSS requirements, the service or service provider is covered by PCI DSS.
In such cases, it is crucial for both parties to clearly understand which PCI DSS requirements are provided by the service provider and the organization’s responsibility using the service.
When scoping the PCI DSS environment, it is essential to assume that everything is always in scope until all appropriate controls are in place, and effective segmentation is achieved. Effective segmentation will significantly reduce the risk of cardholder environment systems being affected by general or out-of-scope vulnerabilities.
However, it should be kept in mind that improperly determining the scope of PCI DSS will put a business and cardholder data in a dangerous situation. Scoping and segmentation require successful preparation, design, implementation, and monitoring.
Many vulnerabilities and attacks originate from systems and networks that were wrongly judged to be out of scope. For this reason, organizations should focus on protecting their entire environment, rather than only on what PCI DSS requires, to minimize the risks they face.
For detailed information, you can browse the PCI SSC information supplement: Guidance for PCI DSS Scoping and Network Segmentation