How Does Network Segmentation Affect PCI Scope?

Isolating your network can increase your security.

Gary Glover, Director of Security Assessments
By: Gary Glover
Note: This post was originally published on March 11, 2015 and has been updated.

What is Network Segmentation? 

Network segmentation is the process of sectioning off one network into smaller segments, or “subnetworks,” in such a way that limits or prevents communication between them. It’s a key security practice for any merchant that wants to protect their cardholder data and reduce their PCI scope. Reducing PCI scope in itself will save time, money, and effort.

When done properly, network segmentation provides controls that limit or stop communication from one subnetwork into another. When done improperly—or not thoroughly enough—hackers may be able to “pivot” from a less-secure area (such as an office zone) into your cardholder data environment (CDE).

In fact, the Target Data Breach of 2013 was possible thanks to a basic network segmentation error. Hackers started by using stolen credentials to log in to a 3rd-party vendor’s application, which was running in a non-CDE area of Target’s network. This area was not properly segmented. The attackers then performed a “pivot attack” and moved into Target’s CDE. From there, they installed malware and siphoned around 40 million credit card numbers from point-of-sale devices.

The PCI DSS Supplement for Scoping & Network Segmentation

To help prevent future data breaches and give additional guidance on this issue, the PCI Security Standard Council (SCC) released a supplemental guide for scoping and network segmentation in December of 2016. The supplement clarifies basic terms related to network segmentation and scoping:

  • In scope: systems directly involved with, connected to, or that impact the security of cardholder data
  • Connected-to: systems that connect to the cardholder data environment (CDE) or are indirectly involved in handling card data
  • Out of scope: systems that do not have access to the CDE

This new supplement also emphasizes the critical importance of including “connected-to” systems in your PCI scope. Overlooking such systems can have huge risks and impacts. As the supplement states, “Compromises of connected-to system components often lead to compromise of the CDE and theft of cardholder data.”

The PCI SCC points out that the CDE environment is really only a starting point when accurately determining your PCI scope. They urge organizations to critically evaluate not only the CDE, but also the flow of cardholder data in and out of the CDE, reminding them that:

  1. Systems located within the CDE are in scope. 
  2. Systems that connect to a system in the CDE are in scope. 
  3. In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.

SEE ALSO: PCI DSS Supplemental Guide to Scope: Understanding PCI DSS Scope and Segmentation

Network Segmentation and PCI Scope

We know that segmentation is important for preventing breaches and hacks, but as mentioned, it’s also very popular among merchants who wish to reduce their PCI scope.

A system is considered “in scope” for PCI DSS if the environment or system components are within a known card data environment, directly connected to the CDE, or can affect the security of the CDE.

Non-segmented environments, or “flat” networks, have their card-processing systems mixed in with back-office systems. In these environments, the entire network is in scope for PCI DSS compliance. This can significantly increase the amount of work needed to secure your business’s network.

And even though flat networks are inherently insecure, many businesses still use them because they are simple to understand and build. Keep in mind, this mentality can result in security risks and increased PCI scope.

SEE ALSO: PCI Scope Categories: Keeping Your Card Data Separate

How to Segment a Network

According to the PCI DSS, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”

Depending on the complexity of your environment, segmenting your network can be quite difficult. Reach out to a QSA to assist you in this endeavor.

Get a quote for network segmentation help from our QSAs.

Here’s the process we use when helping merchants segment their environments.

1. Assign one person/group to learn all places card data flows

To reduce the scope of the CDE, you must understand how your business works, and how all card data flows in your organization. It’s a lot easier to keep track of your scope if one person becomes the expert on all places card data is used or stored.

2. Interview everyone

Your employees probably know about random processes involving data, that no one else would know about. Interview process owners, those with access to data, web developers, and your sales force to gain greater insight into your own card data environment.

For example, accounting departments often have processes for balancing the books or doing charge reversals that may gather credit card data in files on employee workstations, files stored on shared network file servers, or as printed media in big rubber-banded piles thrown in a storage cupboard. Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.

3. Make a data flow diagram

The best way to understand how data flows through your organization is by creating a data flow diagram to help you visually illustrate the location and flows of card data.

Learn how to create data flow diagrams.

4. Use card data discovery tools

Just like debris in a river gets caught in eddies, card data can potentially be deposited on systems that may or may not be directly involved in point-of-sale transactions. This information is virtually impossible to find manually. Tools like the SecurityMetrics PANscan can be used to search computer systems for unencrypted payment data.

SEE ALSO: Is Your Credit Card Data Leaking?

5. Decide how you want to segment

Now that you know where your card data is and how it flows in your environment, you’re ready to look at your network diagram and determine which devices and rules to use to keep information apart.

The most common way to segment is by implementing a piece of dedicated hardware that sits between network zones to limit network traffic, also known as a firewall. The most important part of firewall implementation is configuring the Access Control List (ACL) to define exactly what traffic can pass.

SEE ALSO: PCI Compliant Firewalls: 5 Things You’re Doing Wrong

Although we typically recommend the use of a firewall to segment internal network zones, here are a few other options.

  • Switches: The second most common way to segment is through network switch hardware. Switches are often used internally behind a firewall to help segment network zones. Some switches are capable of having their own set of access control lists that are independent, in addition to firewall rules between zones. Switch ACLs can be used in segmentation but are often a bit more difficult to manage than a dedicated firewall appliance. Only experienced network engineers should set up switch-only internal network segmentation.
  • Air Gap: This type of segmentation starts with two network connections provided by two totally separate Internet providers. If one network is only connected to your processing network, and the other is only connected to back office and other functions, and these segments are not connected, your card environment should be adequately separated.
  • Analog phone lines: If you’re willing to take all your credit card processing offline, the easiest and most foolproof way to segment a network is processing over analog phone lines. No Internet = no network breaches.

6. Consider P2PE…the ultimate segmentation technology

These are the most common ways to achieve segmentation, however; there’s an easier way. Point-to-point encryption (P2PE) technology. P2PE essentially eliminates the need for segmentation (as long as you’re using a validated P2PE solution).

If you use P2PE (and only P2PE) to process credit cards, your entire merchant network is out of scope. No vulnerability scan, firewalls, or logging required for PCI DSS compliance. The only thing in scope for PCI DSS is your swipe device.

Read more about P2PE.

7. Your PCI assessor must verify your segmentation is adequate to reduce your scope

Many businesses think they’ve been properly segmented, when they actually haven’t. Because there are so many variables (how your network is configured, what technologies you deploy, the controls you have to secure data, ports open between zones, etc.) it’s important to get verified by a QSA during your PCI audit.

Analysis: no pain, no gain

Network segmentation requires investment in terms of time, effort, and funds. However, it’s the best way to reduce your PCI scope, and one of the best ways to keep your business secure.

We'd love to help you with your organization’s segmentation. Speak to a specialist.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.

HIPAA Business Associate Agreements 101

business associate agreement, hipaa

HIPAA requires Business Associate Agreements. Learn the who, what, why and how of these important contracts.   

By: Ryan Marshall
HIPAA Fulfillment Manager
When it comes to patient data protection, covered entities and business associates share a dual responsibility. But each has their respective roles. A business associate agreement (BAA) is a contract required for any business associate that receives patient data from either a covered entity, or from another business associate. Read more to learn the basics and understand the elements of this agreement.

First, the differences between covered entities (CE) and business associates (BA):

What is a covered entity?

    business associate agreement, hipaa
  • Health Plan: health insurance company 
  • Healthcare Clearinghouse: data aggregation companies that take data from a nonstandard format and convert it into a standard format 
  • Healthcare providers: physicians, pharmacies, homeopathic providers, prosthetic/orthotic providers

What is a business associate?

  • A business associate creates, receives, maintains or transmits protected health information (PHI) from or on behalf of a covered entity.
  • “Downstream” entities, i.e., subcontractors of business associates who may deal with patient data, are also technically considered business associates. They have the same liabilities as a BA, and the BA to which they’re subcontracted is responsible for management of their agreement.  
  • There are exceptions: 
    • The transfer of data between two covered entities, each acting in their primary role as a covered entity (for instance, with provider referrals or insurance claims) is not considered a business associate relationship.
    •  Law enforcement and government agencies may request PHI, but they are not considered business associates. 
SEE THIS: Business Associate Decision Tree.

Important to understand: covered entity liability

CEs are responsible for knowing who their business associates are, and having proper agreements in place. They’re responsible for drafting BAAs that meet their own requirements, as well as HIPAA requirements. The business associate responsibility includes adhering to whatever is in the contract, but the CEs must personally take measures to check on their BA’s patient data handling processes and security measures.

Even with the agreement in place, there’s still a shared liability between a covered entity and a business associate. If the covered entity drafts and signs the best possible agreement, and keeps it up to date—but doesn’t monitor compliance, there isn’t a high level of protection from data breaches and fines. And, in the event of a data breach, covered entities will be required to show that they’ve done their due diligence and given best efforts to prevent the breach.

Remember that while a properly executed business associate agreement will transfer most of the financial liability of a BA’s data breach to the BA itself, there remains the ever-present risk of damage to the covered entity’s public reputation.


What’s in a business associate agreement?

HIPAA, business associate agreementFirst of all, realize that you definitely need to know the ins and outs of what’s in (and should be in) a business associate agreement. Most covered entities use a business associate agreement template, which is fine and even recommended. But regardless of who created it, you need to know what’s in it.

Some of the required elements:

  • Permissible and required disclosures: what the business associate can and can’t do with the data, as well as what they’re required to do with the data
  • Reference to “downstream” subcontractors: ensure that they are responsible to abide by same terms as the BAs
  • BA’s duty to safeguard the data: with reference to the security rule 
  • Reporting obligations: BA’s responsibility to notify CE of impermissible disclosures, which could include a data breach incident 
  • Termination clause: CE can terminate contract for violation of terms, and in the event of termination, the BA must return or destroy the data  

Elements that aren’t legally required but are still good to have:

  • A “right to audit” clause: gives the covered entity right to monitor the business associate’s compliance with BAA
  • Indemnification clause: each party will take respective responsibility for any financial harm caused
  • Expiration dates: if you don’t regularly review your BAAs, they may have expiration dates of which you’re unaware. This puts them at risk of becoming invalid. Does HIPAA require expiration dates on business associate agreements? No. The agreements can be in force indefinitely. However, it’s crucial that you check on them periodically, so expiration dates are a great way to force the action of review. 

The “Minimum Necessary” Rule

This requirement is found in the HIPAA Privacy Rule and supports the foundational principle that parties shouldn’t create, use, disclose, or transfer more information than is needed to complete the task.

Many BAs believe that the covered entity takes care of the minimum necessary requirement. But, the business associate also has the responsibility to request and use only the minimum amount of information required to perform the task.

SEE ALSO: HIPAA Business Associate Agreement; Who's Really Responsible? 

Contract Negotiation

Sometimes business associates want to change parts of the agreement. Or, a larger organization might have a standard contract and won’t sign anyone’s but their own. In these cases, you can find yourself at a sticking point. Where do you dig in your heels and where do you give a little leeway?

If you find yourself in this situation:
  • Create a checklist of items to address 
  • Understand that required elements are not negotiable 
  • Identify objectives and prioritize them to avoid getting stuck on non-important issues 
If a business associate is not going to comply with certain things, that’s a good indication as to whether or not you should work with them.

HIPAA regulations require you to take action if you know or believe a business associate is not HIPAA compliant. And, covered entities should remember that they have purchasing power in relation to a business associate. In a recent SecurityMetrics poll, we asked covered entities if they would work with a business associate who would not sign a BAA. 100% of respondents answered, “no.”

HIPAA Compliance

Even if a business associate does not consider itself to be “within” the healthcare industry, the reality is that if they store, process, transmit, maintain and/or touch protected health information in any way—they must be HIPAA compliant. Covered entities may catch more heat from data breaches, but business associates are also legally bound to protect PHI.

The business associate agreement is the starting point for the covered entity-business associate relationship. It defines roles, places responsibilities, and—if properly followed + maintained—ultimately helps keep protected health information safe and secure.

Ryan Marshall (CISSP, HCISPP) is the HIPAA fulfillment manager at SecurityMetrics. He has worked in data security for eight years, and has specialized in HIPAA, healthcare reliance, and HIPAA regulations for three years.

PCI Requirement 10: Logging and Log Monitoring

Learn the ins and outs of log monitoring at your business.
By: George Mateaki
Security Analyst

How much do you know about logs? Do you have someone track them? Log monitoring is actually crucial to finding potential holes in your security.
Tweet: Log monitoring is actually crucial to finding potential holes in your security. #datasecurity #databreach #pci #systemlogsTweet

System event logs are recorded tidbits of information regarding the actions taken on computer systems like firewalls, office computers, printers, etc.

Log monitoring systems (e.g., Security Information and Event
Management [SIEM] tools) oversee network activity, inspect system events, alert of suspicious activity, and store user actions that occur inside your systems. They are your watchtower lookout and can provide the data that warns you of a data breach. The raw log files are also known as audit records, audit trails, or event logs.

Most systems and software generate logs, including operating systems, Internet browsers, POS systems, workstations, anti-malware, firewalls, and Intrusion Detection Security (IDS) devices. Some systems with logging capabilities don’t automatically enable logging, so it’s important to make sure all systems have logs turned on. Some systems generate logs but don’t provide event log management solutions. Make sure you know your system capabilities and consider installing third-party log monitoring and management software.

Establish log management

Businesses should review their logs daily to search for errors, anomalies, or suspicious activity that deviates from the norm.

system logs, logging, log monitoringA log alert acts as a red flag when something potentially bad is happening in your system. Given the large of amount of log data that’s generated by systems, it’s impractical (and likely impossible) to manually review all logs each day. Log monitoring software takes care of that task by using rules to automate log review and only alert on events that might reveal problems. This is often done using real-time reporting software that alerts you through email or text when suspicious actions are detected.

SEE ALSO: The Importance of Log Management

Log monitoring software often comes with default alerting templates. However, because not everyone’s network and system designs are the same, it’s critical to take time to correctly configure your alerting rules.

Log management system rules

Here are some actions to consider when setting up your log management system rules:

  • Password changes 
  • Unauthorized logins 

  • Login failures 

  • New login events 

  • Malware detection 

  • Malware attacks seen by IDS 

  • Scans on your firewall’s open and closed ports 

  • Denial of service attacks 

  • Errors on network devices 

  • File name changes 

  • File integrity changes 

  • Data exported 

  • New processes started or running processes stopped 

  • Shared access events 

  • Disconnected events 

  • New service installation 

  • File auditing 

  • New user accounts 

  • Modified registry values 

Make the most of log management; make sure you have these log security steps in place:
    system event logs, log management
  • Decide how and when to generate logs 

  • Secure your stored logs so they aren’t maliciously altered by cybercriminals or accidentally altered by well-intentioned employees 

  • Assign an employee you trust to review logs daily 

  • Set up a team to review suspicious alerts 

  • Spend time to create rules for alert generation (don’t just rely on a template) 

  • Store logs for at least one year, with three months readily available 

  • Frequently check log collection to identify necessary adjustments 

Regular log monitoring means a quicker response time to security events and better security program effectiveness. Not only will log analysis and daily monitoring demonstrate your willingness to comply with PCI DSS requirements, it will also help you defend against insider and outsider threats. 

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

Need help with PCI compliance? Talk to us!

 How Much Does a Pentest Cost?

Ethical hacking is a great way to discover where your business security fails.

Note: This post was originally published on April 15, 2015 and has been updated.

By: Gary Glover
VP Security Assessments
Your company may have the technology in place to prevent data theft, but is it enough? How do you prove it? The most accurate way to know if you’re safe from a hacker is through live penetration testing, also called pen testing, or ethical hacking.

What is penetration testing?

To beat a hacker, you have to think like a hacker. Penetration test analysts analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors) just like a hacker would. Basically, they try to break into your company’s network to find security holes.

The Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 requires both an internal and external penetration test, so most companies regularly receive penetration tests to comply with that requirement. But penetration testing isn’t limited to the PCI DSS. Any company can request a penetration test whenever they wish to measure their business security.

The time it takes to conduct a pen test varies based on the size of a company’s network, the complexity of that network, and the individual penetration test staff members assigned. A small environment can be done in a few days, but a large environment can take several weeks.

Vulnerability scanning and penetration testing are different. 

Some people mistakenly believe vulnerability scanning or antivirus scans are the same as a professional penetration test. Even some companies tout ‘penetration testing services’ when in fact, they only offer vulnerability scanning services. As a general rule, any ‘pen test’ that is listed for less than $4,000 is probably not a real penetration test.

An external vulnerability scan is an automated, affordable, high-level test that identifies known weaknesses in network structures. Some are able to identify more than 50,000 unique external weaknesses.

Here are the two biggest differences. A vulnerability scan is automated, while a penetration test includes a live person actually digging into the complexities of your network. A vulnerability scan only identifies vulnerabilities, while a penetration tester digs deeper to identify, then attempt to exploit those vulnerabilities to gain access to secure systems or stored sensitive data.

See the difference now?

Learn about SecurityMetrics’ vulnerability scanning services here.

What’s the cost of a pen test?

With any business service, cost varies quite a bit based on a set of variables. The following are the most common variables to affect the cost of penetration testing services:

  • Complexity: the size and complexity of your environment and network devices are probably the biggest factors of your penetration test quote. A more complex environment requires more labour to virtually walk through the network and exposed web applications looking for every possible vulnerability.
  • Methodology: each pen tester has a different way they conduct their penetration test. Some use more expensive tools than others, which could increase the price. But more expensive tools could reduce the time of your test, and produce higher quality results.
  • Experience: pen testers with more experience will be more expensive. Just remember, you get what you pay for. Beware of pen testers that offer prices that are too good to be true. They probably aren’t doing a thorough job. I suggest looking for penetration testers with credentials behind their name like CISSP, GIAC, CEH, or OSCP.
  • Onsite: most penetration tests can be done offsite, however; in rare cases that involve very large/complex environments, an onsite visit could be required to adequately test your business security. Onsite visits are also required if you request a physical security or social engineering penetration test.
  • Remediation: some pen testers include remediation assistance and/or retesting in their price. Others provide test results and disappear.
Penetration tests are worth it, every time.
Learn more about SecurityMetrics’ penetration testing.

With everything above accounted for, typically penetration tests start around $4,000 but can rise to well above $20,000.

No better way to test your security systems. 

If you think that price is unreasonable, think of this: a hacker only needs one hole to get into your network and steal data. A pen tester works hard to find as many holes as possible that could allow you to be compromised. You are paying a professional team to manually look through the nooks and crannies of your business to determine what’s exploitable.

There is no better way to test the actual effectiveness of your security systems than borrowing the skills of an experienced penetration test team.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is VP of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.

Need help with securing your data? Talk to one of our consultants!

SAQ D: What’s Required for Service Providers

 Learn About PCI Compliance for Service Providers. 

By: Michael Simpson
Security Analyst
If you are a service provider who stores credit card data, PCI SAQ D likely applies to you. Service providers that process less than 300,000 card transactions may use SAQ D or submit a Report on Compliance (ROC). If service providers process more than 300,000, they are required to do a ROC.

What qualifies as a service provider? 

pci saqd, service provider, vulnerability scan
A service provider is a business entity that isn’t a payment brand, and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another business. This also includes companies that provide services that control or could impact the security of cardholder data. 

If a service provider handles card data, it is required to be compliant with the PCI DSS to ensure that data is protected. Here are a few scenarios that would require a service provider to get PCI compliant: 

  • A service provider handles card data on behalf of another business 
  • Service provider provides managed firewalls used in another entity’s cardholder data environment 
  • A service provider that hosts a business’s e-commerce environment/website
Basically, if a business handles card data at any point, it needs to be fully compliant with the PCI DSS. 

What does the PCI SAQ D require of service providers?

Here are a few requirements for service providers who fill out PCI SAQ D.

Quarterly external scan

Service providers should have their network scanned for vulnerabilities at least quarterly, and after any significant change by an Approved Scanning Vendor (ASV). 

Penetration test

pci saq d, service provider, vulnerability scan By February 1, 2018, service providers that use segmentation to isolate the cardholder data environment from other networks, must perform penetration testing on segmentation controls (also known as a segmentation check) at least every 6 months and after any changes to segmentation controls/methods.

This penetration testing should be performed by a qualified internal resource or third party. If an internal resource is used, the tester should have organizational independence (though they aren’t required to be a QSA or ASV). The purpose of penetration testing segmentation controls/methods is to verify that the cardholder data environment is protected from unauthorized access.

Quarterly internal scan

Internal vulnerability scans should be performed quarterly. An internal vulnerability scan looks for network vulnerabilities locally (from the inside looking in), similarly to motion detectors inside your house. 

If an attacker is able to leverage an externally-facing vulnerability to gain some level of access to an internal device, they can then pivot and attack other systems within the corporate network from their newly acquired internal attack point. Service providers must regularly perform internal scans and remediate findings to help prevent the scope and severity of a breach. There are a variety of tools to help service providers comply with the internal vulnerability scan requirement. For example, you can:

  • Purchase an internal vulnerability scanning appliance from your ASV, or another service provider
  • Download an open source internal vulnerability scan tool from the Internet
  • Purchase and download Nessus 

Keep in mind the tool you use will still need to be configured by an expert after you purchase or download it. If you purchase an appliance, IT support service is typically included in the purchase. If you choose to use open-source scanning software, plan on spending more time researching best practice configuration tips through online forums.

Attestation of Compliance (AOC) form 

An AOC form is a document that’s completed by a Qualified Security Assessor to declare that the organization is PCI compliant.  Service providers should have this form as proof that they are compliant with the PCI DSS. 

Additional tips for service providers

  • Segment networks: keeping the card data environment separate from the rest of your network can save you a lot of time and expense on your PCI compliance initiative
  • Document policies: make sure all of your security policies are properly documented, since it will help you drive good security practices and reduce liability in the event of a breach
  • Work with an expert: If you’re not familiar with the PCI DSS or security practices in general, it’s a good idea to talk to a Qualified Security Assessor to see what needs to be done.

Need help with PCI? Talk to us! 

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.