We recently attended the 2020 PCI North American Community Meeting, a four-day virtual conference dedicated to payment security. Session topics ranged from updates to security standards, to lessons learned and best practices identified by organizations involved in implementing or assessing those standards. One of the topics that we see as a recurring theme in many of our Payment Card Industry (PCI) assessments is network segmentation. Network segmentation occurs when you split a computer network into subnetworks to boost performance and improve security. This practice not only minimizes compliance efforts, but can also greatly enhance the overall security posture of an organization.
Paul Truitt and Mike Brown of SageNet presented an excellent session covering some of the lessons they’ve learned through their work managing firewalls and implementing network segmentation for their customers. This session was useful to us because, as assessors, we don’t implement segmentation ourselves; our role is to test the validity of that control.
Learning about these issues from a different perspective provides valuable insight into the nuances of this practice, and how it can help organizations achieve their compliance and assurance goals. We’ve compiled three key findings from this presentation that institutions should recognize when considering this tool.
Network Segmentation Isn’t a Requirement of PCI DSS
You can still be completely compliant with Payment Card Industry Data Security Standards (PCI DSS) without implementing any segmentation within your networks. However, segmentation can be used to reduce the scope of your Cardholder Data Environment (CDE). If you have a large network, but only a small number of devices are required for interaction with Cardholder Data (CHD), segmentation will greatly reduce the complexity of complying with PCI DSS.
By applying appropriate segmentation, your PCI assessment will focus only on the subset of devices remaining in the PCI segment and those that connect to them. This makes requirements such as system configurations, patching, and penetration testing much easier to manage.
Network Segmentation Doesn’t Eliminate All In-Scope Devices
Even after implementing network segmentation, it’s important to remember that PCI DSS applies to any devices that directly store, process, or transmit CHD, as well as the devices that could impact the security of the first group. This is typically described as devices “one hop” from the direct interaction.
An example of one such system would be the management server for the anti-malware solution installed on the CDE devices. The management server is likely the same one used for controlling all endpoints, and is typically in the corporate network and not directly in the CDE. While this server isn’t storing, processing, or transmitting any CHD, it does have a connection to the devices that are handling CHD, and could impact the security of those devices.
When you’re considering network segmentation, make sure you’re planning for all remote connections in and out of the CDE. Utilizing “connected-to” devices (i.e. devices that use remote access to enter the CDE, but aren’t using an “always-on” VPN connection) can reduce the number of PCI controls required.
Network Segmentation Must Be Tested Every 6-12 Months
For service providers, PCI DSS requires that segmentation controls be tested (via penetration testing) every six months to confirm they’re functioning as intended (Req. 11.3.4, Service Providers). For merchants, penetration testing must occur every 12 months. This testing is used to validate that segmentation is limiting both inbound and outbound traffic to only those connections required for the documented business processes. The testing should focus both on exploitation of the devices that implement the network segmentation and on exploitation of traffic rulesets that are overly permissive.
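As an added illustration of the two points above (the “one hop” scoping rule and the check for overly permissive rulesets), the script below reviews a firewall-style ruleset against a declared set of CDE subnets. It is example code written for this post, not code from SageNet or from the PCI SSC, and every subnet, host address and rule in it is constructed sample data. It does two things a scoping review needs: it flags allow rules that cross the CDE boundary while being broader than a documented business flow should be, and it lists the non-CDE hosts that have an allowed path into or out of the CDE, which is exactly the “connected-to” population that remains in scope.

```python
"""Added example: scope-and-ruleset review helper (constructed data throughout)."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    port: str       # e.g. "443", or "any"
    action: str     # "allow" or "deny"


def _net(spec: str) -> IPv4Network:
    # "any" is treated as the whole IPv4 space
    return ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def _touches(net: IPv4Network, cde: List[IPv4Network]) -> bool:
    return any(net.overlaps(c) for c in cde)


def _fully_inside(net: IPv4Network, cde: List[IPv4Network]) -> bool:
    return any(net.subnet_of(c) for c in cde)


def crosses_cde_boundary(rule: Rule, cde_subnets: List[str]) -> bool:
    """True if an allow rule permits traffic between the CDE and something outside it."""
    cde = [_net(s) for s in cde_subnets]
    if rule.action != "allow":
        return False
    src, dst = _net(rule.src), _net(rule.dst)
    # Flows entirely inside the CDE are not boundary crossings
    if _fully_inside(src, cde) and _fully_inside(dst, cde):
        return False
    return _touches(src, cde) or _touches(dst, cde)


def overly_permissive(rule: Rule, cde_subnets: List[str], max_prefix: int = 24) -> List[str]:
    """Reasons a boundary-crossing rule is broader than a documented flow should be.

    An empty list means the rule looks acceptably specific. The /24 threshold is
    an assumed review policy, not a PCI DSS number.
    """
    reasons: List[str] = []
    if not crosses_cde_boundary(rule, cde_subnets):
        return reasons
    if rule.port == "any":
        reasons.append("any port")
    for side, spec in (("src", rule.src), ("dst", rule.dst)):
        if _net(spec).prefixlen < max_prefix:
            reasons.append(f"{side} broader than /{max_prefix} ({spec})")
    return reasons


def connected_to_systems(rules: List[Rule], cde_subnets: List[str]) -> Set[str]:
    """Non-CDE hosts with an allowed path into or out of the CDE ("one hop", in scope)."""
    cde = [_net(s) for s in cde_subnets]
    found: Set[str] = set()
    for r in rules:
        if not crosses_cde_boundary(r, cde_subnets):
            continue
        for spec in (r.src, r.dst):
            net = _net(spec)
            if not _fully_inside(net, cde) and net.prefixlen == 32:
                found.add(str(net.network_address))
    return found


def review(rules: List[Rule], cde_subnets: List[str]) -> Dict[str, List[str]]:
    """Map rule name -> list of findings, for rules that have any."""
    findings = {r.name: overly_permissive(r, cde_subnets) for r in rules}
    return {name: why for name, why in findings.items() if why}


# Constructed sample environment: one CDE subnet and a small ruleset.
CDE_SUBNETS = ["10.10.0.0/24"]
SAMPLE_RULES = [
    # Anti-malware management server in the corporate network (a connected-to system)
    Rule("av-mgmt-to-cde", "10.20.5.10/32", "10.10.0.0/24", "443", "allow"),
    Rule("cde-to-av-mgmt", "10.10.0.0/24", "10.20.5.10/32", "8443", "allow"),
    # Traffic that stays inside the CDE is not a boundary crossing
    Rule("cde-internal", "10.10.0.0/24", "10.10.0.0/24", "any", "allow"),
    # The whole corporate range on any port: the kind of rule a segmentation test should catch
    Rule("corp-any-to-cde", "10.0.0.0/8", "10.10.0.0/24", "any", "allow"),
    Rule("default-deny", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, why in review(SAMPLE_RULES, CDE_SUBNETS).items():
        print(f"{name}: {', '.join(why)}")
    print("connected-to systems:", sorted(connected_to_systems(SAMPLE_RULES, CDE_SUBNETS)))
```

Run against the sample data, the review reports only `corp-any-to-cde` (any port, source broader than /24) and lists `10.20.5.10` as the one connected-to host, mirroring the anti-malware management server case described above. A real review would feed in the exported ruleset and the documented business flows instead of the constructed list.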
For more information on network segmentation best practices, take a look at the Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation recently published by the Payment Card Industry Security Standards Council (PCI SSC).