Title: PCI DSS Scoping and Segmentation
Slide 2: Introduction to PCI DSS
- Organizations are struggling to understand how PCI DSS controls apply to them and to identify the systems that need to be secured.
- The presentation details the ins and outs of the PCI DSS security standard and compliance for particular businesses.
- The presentation will work as a guide for organizations to identify the systems that need to be included in scope for PCI DSS.
- It will also help them understand how segmentation can reduce the number of systems that require PCI DSS controls.
Slide 3: What is PCI DSS
- The Payment Card Industry Data Security Standard (PCI DSS) is a security standard formed in the year 2004 by 5 major credit card companies: Visa, MasterCard, Discover, JCB and American Express.
- Governed by the Payment Card Industry Security Standards Council (PCI SSC), the standard intends to optimize and secure credit, debit and cash card transactions.
- The security standard helps protect cardholders against data fraud, data theft and misuse of personal information.
Slide 4: Who needs to be PCI DSS compliant?
- PCI DSS applies to all entities involved in the card payment process, including merchants, processors, issuers and service providers.
- It also applies to all entities that store, process, or transmit cardholder data and/or sensitive authentication data.
- PCI DSS compliance requires defining scope and identifying the systems that fall in scope for compliance.
- It is important to note that scope cannot be defined based on business priorities and budget.
- Given below are the systems to which PCI DSS security requirements may be applicable:
  - System components
  - Systems within the network
  - Third-party systems
- Every PCI DSS security requirement/control applies to the people, processes, and technologies that interact with or impact the security of cardholder data (CHD), directly or indirectly.
Slide 5: Objectives of PCI DSS compliance
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Slide 6: Understanding PCI DSS scoping and segmentation
- In December 2016 the PCI Security Standards Council (PCI SSC) released a supplemental guide for scoping and network segmentation.
- The purpose of this guide was to help organizations determine which systems are in scope for PCI DSS and understand how segmentation can reduce the number of in-scope systems.
- The objective is to help organizations protect their data from the threat of an attacker targeting a system with fewer security controls and using it as a stepping stone to reach sensitive cardholder data on more tightly secured systems.
Slide 7: PCI DSS scoping
- The components that define scope are:
  - Storage
  - Processing
  - Transmitting
  - Systems/services/vendors that can impact the security of the Cardholder Data Environment (CDE) or the cardholder data (CHD)
- The PCI Security Standards Council (PCI SSC) defines scope as that part of your environment which must meet the control objectives stated in the PCI Data Security Standard (DSS).
- Any system that stores, processes, or transmits payment card details falls within the scope of PCI compliance.
Slide 8: PCI DSS scope categories

In scope:
- Systems that are directly involved with, connected to, or impact the security of cardholder data.
- Systems storing, processing or transmitting cardholder data (CHD) and sensitive authentication data (SAD).
- Systems that do not store, process, or transmit cardholder data, but fall in the same or an adjacent network segment.

Connected-to systems (in scope):
- Systems that directly or indirectly connect to or have access to the CDE (for example, a system connected via a jump server).
- Systems that impact the configuration or security of the CDE (for example, a server providing name resolution (DNS) for the CDE).
- Systems that provide security services to the CDE (for example, an identification/authentication server such as Active Directory).
- Systems that support PCI DSS requirements or provide segmentation of the CDE from out-of-scope systems.

Out of scope:
- Systems that do not store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD).
- Systems that do not fall in the same network segment as systems that store, process, or transmit CHD or SAD.
- Systems that have no direct or indirect access to any system in the CDE.
- Systems that do not directly or indirectly impact the security controls of the CDE.
- Systems that do not meet the criteria described for connected-to or security-impacting systems.
Slide 9: Network segmentation
- Network segmentation means dividing a network into smaller sections to gain better control over the flow of traffic across the network and to restrict confidential data to a specific network segment.
- The process helps segregate the systems and networks that store, process or transmit cardholder data from the rest of the computing processes and information.
- Network segmentation is not a mandate but a recommended strategy under PCI DSS.
- Network segmentation is one method an organization can use to scope system controls for PCI compliance.
- Segmentation helps an organization implement the necessary controls on the network or system for security purposes.
Slide 10: How does network segmentation affect PCI scope?
- As per PCI DSS, for a system to be considered out of scope, the system component in question must be systematically and accurately segmented from the Cardholder Data Environment (CDE).
- The network segmentation should be done in such a way that even if the out-of-scope system component is compromised, it will not impact the security of the CDE.
- Network segmentation helps reduce the number of systems in scope, and thereby reduces:
  - the overall compliance cost;
  - the complexity of the PCI DSS compliance process;
  - the risk of handling highly sensitive data in your environment;
  - the repercussions of a breach, data theft or data misuse.
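As an added example that is not part of the original presentation, the following Python script applies the scope categories from slide 8 and the segmentation test from slide 10 to a constructed set of network segments and firewall allow-rules: segments that handle CHD form the CDE, any segment that can reach the CDE directly or through another segment (the jump-server case) or that impacts its security is connected-to, and a segment the design labels out-of-scope but that can still reach the CDE is reported as a segmentation failure. All segment names, attributes and rules are constructed for illustration.

```python
from collections import deque
# Constructed sample environment, not a real network; "intended" is the scope
# the design document claims for each segment.
SEGMENTS = {
    "pos":   {"handles_chd": True, "intended": "in-scope"},
    "db":    {"handles_chd": True, "intended": "in-scope"},
    "jump":  {"intended": "connected-to"},                       # admin jump server into the CDE
    "dns":   {"impacts_cde": True, "intended": "connected-to"},  # name resolution for the CDE
    "corp":  {"intended": "out-of-scope"},                       # office LAN
    "guest": {"intended": "out-of-scope"},                       # guest Wi-Fi, no allowed flows
}
# Constructed allow-rules (src, dst); all other flows are denied. The corp -> jump
# rule is the misconfiguration to catch: corp can reach the CDE through the jump host.
RULES = [("pos", "db"), ("jump", "db"), ("dns", "pos"), ("corp", "jump")]

def reach_path(src, targets, rules):
    """BFS over allow-rules; return a path from src to any target segment, or None."""
    parent, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur in targets and cur != src:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for s, d in rules:
            if s == cur and d not in parent:
                parent[d] = cur
                queue.append(d)
    return None

def derive_scope(segments, rules):
    """Slide-8 categories from the facts: {segment: (category, path to CDE or None)}."""
    cde = {n for n, a in segments.items() if a.get("handles_chd")}
    scope = {}
    for name, attrs in segments.items():
        if name in cde:
            scope[name] = ("in-scope", None)
        elif (path := reach_path(name, cde, rules)) or attrs.get("impacts_cde"):
            scope[name] = ("connected-to", path)  # direct/indirect access or security-impacting
        else:
            scope[name] = ("out-of-scope", None)  # no direct or indirect access to the CDE
    return scope

def segmentation_findings(segments, rules):
    """Slide-10 test: segments labelled out-of-scope that can still reach the CDE."""
    derived = derive_scope(segments, rules)
    return {n: derived[n][1] for n, a in segments.items()
            if a["intended"] == "out-of-scope" and derived[n][0] != "out-of-scope"}
```

Calling segmentation_findings(SEGMENTS, RULES) returns {'corp': ['corp', 'jump', 'db']}: the office LAN is labelled out of scope but reaches the CDE via the jump server, while the guest segment, which has no allowed flows, stays out of scope.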
Slide 11: Why is network segmentation essential?
Benefits of network segmentation:
- Ensures the company only stores sensitive cardholder data in specific locations and limits access to only the individuals who need it.
- Reduces the scope and complexity of card-processing networks and the data management process.
- Reduces the costs associated with your PCI assessment.
- Prevents out-of-scope systems from overlapping with systems in the Cardholder Data Environment.
- Improves data security and reduces the possibility of a data breach.
- Makes it easier to spot anomalies within each distinct network.
Slide 12: Conclusion
- When it comes to scoping for PCI DSS, the best approach is to assume that everything is in scope until verified otherwise.
- Determining that a system is out of scope does not imply that the system is secure and needs no protection.
- A system that does not fall in scope for PCI DSS may still pose a threat to the CDE and to the entire organization.
- Payment card details are one set of confidential data that needs to be secured. However, companies also have a legal responsibility to protect and secure the other personal data of their clients.
- As a comprehensive measure for securing all confidential data, PCI DSS is an appropriate framework for securing not just payment cardholder data but also other sensitive and confidential data in an organization's network and systems.
- Implementing best security control practices will help organizations protect their infrastructure and the other system components that are deemed out of scope as per PCI DSS requirements.
Slide 13: Thank you
Website: https://www.vistainfosec.com/
Email: info@vistainfosec.com