Isolating your network can increase your security.
|By: Gary Glover|
SEE ALSO: PCI DSS Supplemental Guide to Scope: Understanding PCI DSS Scope and Segmentation
Unfortunately many merchant networks are not designed with network segmentation or security in mind. They are designed for ease-of-use.
This post is a response to questions we’ve received about how to achieve network segmentation in an environment for increased security and decreased PCI DSS scope.
SEE ALSO: Finding and Reducing PCI Scope: How to Make Compliance Easier
What is network segmentation?Network segmentation is a method of separating environment systems that store, process, or transmit cardholder data from those that don’t. While not specifically a PCI DSS requirement, network segmentation is very popular among merchants wishing to reduce their PCI scope. Something is ‘in scope’ for PCI DSS if the environment or system components are within a known card data environment (CDE), or directly connected to the CDE, or can effect the security of the CDE.
According to the PCI DSS version 3.0, segmenting may reduce:
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)
Even though they are inherently insecure, many businesses use flat networks because they are extremely simple to understand and build.
Achieving segmentationAccording to the PCI DSS, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
Depending on the complexity of your environment, segmenting your network can be quite difficult. I suggest reaching out to a QSA to assist you in this endeavour.
Get a quote for network segmentation help from our QSAs.
In case you’re curious as to how a network is segmented, here’s the process I use when helping merchants segment their environments.
1. Assign one person/group to learn all places card data flowsTo reduce the scope of the cardholder data environment, you must understand how your business works, and how all card data flows in your organization. It’s a lot easier to keep track of your scope if one person becomes the expert on all places card data is used or stored..
2. Interview everyoneYour employees probably know about random processes where data exits that no one else knows about. Interview process owners, those with access to data, web developers, and your sales force to gain greater insight into your own card data environment.
For example, accounting departments often have processes for balancing the books or doing charge reversals that may gather credit card data in files on employee workstations, files stored on shared network file servers, or as printed media in big rubber banded piles thrown in a storage cupboard. Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.
3. Make a data flow diagramThe best way to understand how data flows through your organization is by creating a data flow diagram to help you visually illustrate the location and flows of card data.
Learn how to create data flow diagrams
4. Use card data discovery toolsJust like flotsam in a river gets caught in eddies, card data can potentially be deposited on systems that may or may not be directly involved in point of sale transactions. This information is virtually impossible to find manually. Tools like SecurityMetrics PANscan (try PANscan for free!) can be used to search computer systems for this hidden data.
SEE ALSO: Is Your Credit Card Data Leaking?
5. Decide how you want to segmentNow that you know where your card data is and how it flows in your environment, you’re ready to look at your network diagram and determine which devices and rules to use to keep information apart.
The most common way to segment is by implementing a piece of dedicated hardware that sits between network zones to limit network traffic, also known as a firewall. The most important part of firewall implementation is configuring the Access Control List (ACL) to define exactly what traffic can pass.
SEE ALSO: PCI Compliant Firewalls: 5 Things You’re Doing Wrong
Although I typically recommend the use of a firewall to segment internal network zones, here are a few other options.
- Switches: The second most common way to segment is through network switch hardware. Switches are often used internally behind a firewall to help segment network zones. Some switches are capable of having their own set of access control lists that are independent, in addition to firewall rules between zones. Switch ACLs can be used in segmentation but are often a bit more difficult to manage than a dedicated firewall appliance. I recommend only experienced network engineers should set up switch-only internal network segmentation.
- Air Gap: This type of segmentation starts with two network connections provided by two totally separate Internet providers. If one network is only connected to your processing network, and the other is only connected to back office and other functions, and these segments are not connected, your card environment should be adequately separated.
- Analog phone lines: If you’re willing to take all your credit card processing offline, the easiest and most foolproof way to segment a network is processing over analog phone lines. No Internet = no network breaches.
|Example: Isolating a payment network.|
6. Consider P2PE…the ultimate segmentation technologyNow that you know the most common ways to segment, I’ll let you in on a little secret. There’s an easier way. Point-to-point encryption (P2PE) technology essentially eliminates the need for segmentation (as long as you’re using a validated P2PE solution).
If you use P2PE (and only P2PE) to process credit cards, your entire merchant network is out of scope. No vulnerability scan, firewalls, or logging required for PCI DSS compliance. The only thing in scope for PCI DSS controls is your swipe device.
Read more about P2PE
7. Your PCI assessor must verify your segmentation is adequate to reduce your scopeAs an assessor, I see many businesses that think they’ve properly segmented, when they actually haven’t. Because there are so many variables (how your network is configured, what technologies you deploy, the controls you have to secure data, ports open between zones, etc.) it’s important to get verified by a QSA during your PCI audit.
Analysis: no pain, no gainIn most instances, network segmentation is extremely difficult. However, it is the best way to reduce your PCI scope, and one of the best ways to keep your business secure.
I’d love to help you with your organization’s segmentation. Schedule a call with me here.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.