Network segmentation is a practice that can dramatically lower the time, effort and cost of a PCI DSS assessment. Not only is it an industry best practice for security cardholder data, but it’s also an effective way of controlling the annual commitment of meeting your PCI compliance requirements. Here’s how network segmentation works, as well as some key best practices for using network segmentation to reduce the scope of your PCI assessment.
What is network segmentation?
Network segmentation is the practice of creating sub-networks within a company’s larger network in order to contain malware and other threats, as well as to make the network perform more efficiently.
In general, network segmentation enables better control of the flow of information across the network. This practice empowers business IT teams to secure separate systems that serve different business purposes and to tailor security controls depending on the information used in each smaller network.
As it relates to PCI DSS, network segmentation involves isolating the cardholder data environment from the rest of the business’s network. Essentially, it means that your business keeps any private cardholder data restricted to a specific network segment. If one part of your business is compromised by a hacker, the chances of them accessing all of your system are significantly diminished.
Network segmentation is not a PCI DSS requirement. However, the PCI Council strongly recommends network segmentation as a method to:
- Reduce the scope of the PCI DSS assessment
- Lower the cost of the assessment
- Minimize the difficulty of maintaining PCI DSS controls
Though there is no PCI DSS network segmentation requirement, it’s still strongly recommended as a cost-saving measure. “[If] you are processing credit card data and you can segment the portion containing credit card data, and the rest of the network does not include credit card data. Only the segment of the network you allocated falls under PCI DSS. This way, you can only apply the PCI DSS requirements for this network segment,” wrote the experts at PCI DSS Guide.
PCI DSS network segmentation scope
PCI network segmentation helps businesses avoid the risk of “out-of-scope systems” interacting with the cardholder data environment (CDE) systems. The PCI Council categorizes systems into three categories:
- In scope: systems directly involved with, connected to, or that impact the security of cardholder data
- Connected-to: systems that connect to the CDE or are indirectly involved in handling card data
- Out of scope: systems that do not have access to the CDE
Out-of-scope systems are defined as those that don’t hold, transmit or use any cardholder data). These systems are considered untrusted (or “public”) as there is no assurance that they have been properly secured. If they are connected to the same network (or subnet or VLAN) as a system that is subject to PCI DSS security, controls must be in place to prevent the out-of-scope system from gaining access to the CDE.
Simply put, if network segmentation has been correctly set up, cardholder data won’t be compromised if one out-of-scope system is compromised. In scope systems and connected-to systems, however, require PCI DSS compliance.
PCI network segmentation best practices
With these three categories in mind, it’s possible to begin network segmentation to isolate cardholder data and reduce the scope of your PCI DSS assessment.
The first step in PCI network segmentation is to map how cardholder data flows through your organization. This process involves interviewing stakeholders throughout the organization — such as accounting, sales and finance — to learn where they store, use and send cardholder data. Learn about the file formats, devices, servers and cloud programs (like Slack) that each team uses to share and analyze cardholder data.
Once you understand how data flows, you can begin to segment systems to keep information isolated.
“The most common way to segment is by implementing a piece of dedicated hardware that sits between network zones to limit network traffic, also known as a firewall,” wrote one security expert.
Firewalls are required as part of PCI DSS compliance. In addition, you may also consider using these tools and tactics with your in-scope and connected-to systems:
- Intrusion detection and prevention systems (IDS / IPS) that prevent connection attempts from out-of-scope systems.
- Physical access controls that give access to only designated users
- Logical access controls that allow only specified users to log on
- Multi-factor authentication
- Restricting administrative access privileges to specified users, systems, or networks
IT teams should also actively monitor systems for any sign that an out-of-scope system is trying to gain access to a CDE.
For cloud programs, data loss prevention tools are an important component for maintaining cardholder data security. Nightfall’s cloud DLP solution can help you first discover and classify sensitive PII and PCI data that must be protected. Nightfall uses machine learning detectors individually trained to identify specific types of cardholder data that is protected by PCI compliance regulations.
And, the platform provides a way to quickly remediate any security issues by notifying admins and quarantining or deleting data. This reduces the risk of losing or exposing sensitive customer data.
Learn how Nightfall can help achieve PCI DSS compliance by setting up a demo at the link below.