Isolating your network can increase your security.

By: Gary Glover, Director of Security Assessments
Note: This post was originally published on March 11, 2015 and has been updated.

What is Network Segmentation?

Network segmentation is the process of sectioning off one network into smaller segments, or “subnetworks,” in such a way that limits or prevents communication between them. It’s a key security practice for any merchant that wants to protect their cardholder data and reduce their PCI scope. Reducing PCI scope in itself will save time, money, and effort.

When done properly, network segmentation provides controls that limit or stop communication from one subnetwork into another. When done improperly—or not thoroughly enough—hackers may be able to “pivot” from a less-secure area (such as an office zone) into your cardholder data environment (CDE).

In fact, the Target Data Breach of 2013 was possible thanks to a basic network segmentation error. Hackers started by using stolen credentials to log in to a 3rd-party vendor’s application, which was running in a non-CDE area of Target’s network. This area was not properly segmented. The attackers then performed a “pivot attack” and moved into Target’s CDE. From there, they installed malware and siphoned around 40 million credit card numbers from point-of-sale devices.

The PCI DSS Supplement for Scoping & Network Segmentation

To help prevent future data breaches and give additional guidance on this issue, the PCI Security Standards Council (SSC) released a supplemental guide for scoping and network segmentation in December of 2016. The supplement clarifies basic terms related to network segmentation and scoping:

  • In scope: systems directly involved with, connected to, or that impact the security of cardholder data
  • Connected-to: systems that connect to the cardholder data environment (CDE) or are indirectly involved in handling card data
  • Out of scope: systems that do not have access to the CDE

This new supplement also emphasizes the critical importance of including “connected-to” systems in your PCI scope. Overlooking such systems can have huge risks and impacts. As the supplement states, “Compromises of connected-to system components often lead to compromise of the CDE and theft of cardholder data.”

The PCI SSC points out that the CDE itself is really only a starting point when accurately determining your PCI scope. They urge organizations to critically evaluate not only the CDE, but also the flow of cardholder data in and out of the CDE, reminding them that:

  1. Systems located within the CDE are in scope.
  2. Systems that connect to a system in the CDE are in scope.
  3. In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.
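The three rules above can be applied mechanically to a system inventory. The following is an added example (not from the original post or from the PCI SSC) that takes a constructed list of systems and permitted network connections, marks CDE systems, pulls in everything with a connection to the CDE as "connected-to", and treats a flat network as entirely in scope. It also accepts a set of systems the assessor judges able to affect CDE security, which the post notes are in scope even without a direct connection. All system names, zones and connections are constructed.

```python
"""Derive PCI DSS scope categories from a system inventory (added example).

Rules implemented, as stated in the post:
  1. systems inside the CDE are in scope;
  2. systems with a network connection to a CDE system are in scope ("connected-to");
  3. in a flat (unsegmented) network, every system is in scope.
Plus: systems the assessor flags as able to affect CDE security are in scope.
"""
from collections import defaultdict

# Constructed inventory: system name -> zone label. "cde" marks systems that
# store, process or transmit account data; the other labels are arbitrary.
SYSTEMS = {
    "pos-terminal-01": "cde",
    "payment-gateway": "cde",
    "pos-db": "cde",
    "ad-domain-controller": "office",
    "siem-collector": "security",
    "hr-fileserver": "office",
    "marketing-web": "dmz",
}

# Constructed list of permitted network paths. Treated as undirected: a system
# on either end of a permitted path to the CDE counts as connected-to.
CONNECTIONS = [
    ("pos-terminal-01", "payment-gateway"),
    ("pos-terminal-01", "pos-db"),
    ("pos-db", "ad-domain-controller"),   # e.g. authentication traffic
    ("pos-db", "siem-collector"),         # log forwarding out of the CDE
    ("ad-domain-controller", "hr-fileserver"),
]


def classify_scope(systems, connections, flat_network=False, impacting=()):
    """Return {"cde", "connected_to", "out_of_scope"} sets for the inventory.

    impacting: names the assessor judges able to affect CDE security (for
    example a patch server or a directory service); they are in scope too.
    """
    cde = {name for name, zone in systems.items() if zone == "cde"}

    if flat_network and cde:
        # Rule 3: without segmentation, any account data anywhere pulls the
        # whole network into scope.
        return {"cde": cde, "connected_to": set(systems) - cde, "out_of_scope": set()}

    adjacency = defaultdict(set)
    for a, b in connections:
        adjacency[a].add(b)
        adjacency[b].add(a)

    # Rule 2: one hop from any CDE system. Only first-hop neighbours are
    # pulled in automatically; further hops need the assessor's judgement.
    connected_to = set()
    for name in cde:
        connected_to |= adjacency[name]
    connected_to |= set(impacting)
    connected_to -= cde

    out_of_scope = set(systems) - cde - connected_to
    return {"cde": cde, "connected_to": connected_to, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    for label, result in (("segmented", classify_scope(SYSTEMS, CONNECTIONS)),
                          ("flat", classify_scope(SYSTEMS, CONNECTIONS, flat_network=True))):
        print(label)
        for category, names in result.items():
            print(f"  {category}: {sorted(names)}")
```

Note that `hr-fileserver` lands out of scope only because the post's rule counts one hop; a compromise there still sits one pivot away from a connected-to domain controller, which is exactly why the post's step 7 puts the final call with the assessor.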

SEE ALSO: PCI DSS Supplemental Guide to Scope: Understanding PCI DSS Scope and Segmentation

Network Segmentation and PCI Scope

We know that segmentation is important for preventing breaches and hacks, but as mentioned, it’s also very popular among merchants who wish to reduce their PCI scope.

A system is considered “in scope” for PCI DSS if the environment or system components are within a known card data environment, directly connected to the CDE, or can affect the security of the CDE.

Non-segmented environments, or “flat” networks, have their card-processing systems mixed in with back-office systems. In these environments, the entire network is in scope for PCI DSS compliance. This can significantly increase the amount of work needed to secure your business’s network.

And even though flat networks are inherently insecure, many businesses still use them because they are simple to understand and build. Keep in mind that this convenience comes at the cost of security risk and increased PCI scope.

SEE ALSO: PCI Scope Categories: Keeping Your Card Data Separate

How to Segment a Network

According to the PCI DSS, “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”

Depending on the complexity of your environment, segmenting your network can be quite difficult. Reach out to a QSA to assist you in this endeavor.


Here’s the process we use when helping merchants segment their environments.

1. Assign one person/group to learn all places card data flows

To reduce the scope of the CDE, you must understand how your business works, and how all card data flows in your organization. It’s a lot easier to keep track of your scope if one person becomes the expert on all places card data is used or stored.

2. Interview everyone

Your employees probably know about ad hoc processes involving card data that no one else is aware of. Interview process owners, those with access to data, web developers, and your sales force to gain greater insight into your own card data environment.

For example, accounting departments often have processes for balancing the books or doing charge reversals that may gather credit card data in files on employee workstations, files stored on shared network file servers, or as printed media in big rubber-banded piles thrown in a storage cupboard. Customer service representatives may take credit card numbers over the phone or view full card numbers, so watch for handwritten or printed card data.

3. Make a data flow diagram

The best way to understand how data flows through your organization is by creating a data flow diagram to help you visually illustrate the location and flows of card data.

Learn how to create data flow diagrams.

4. Use card data discovery tools

Just like debris in a river gets caught in eddies, card data can potentially be deposited on systems that may or may not be directly involved in point-of-sale transactions. This information is virtually impossible to find manually. Tools like the SecurityMetrics PANscan can be used to search computer systems for unencrypted payment data.
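To show what a discovery tool has to do, here is an added example (not SecurityMetrics' PANscan or any other product's code) that scans text for digit runs shaped like primary account numbers, drops anything that fails the Luhn check digit so phone numbers and order IDs are not reported, masks each hit to first six and last four digits, and reports which constructed file holds unencrypted card data. The file names and contents are constructed; the card number is a standard test number, not a real account.

```python
"""Minimal unencrypted card-data discovery check (added example).

Scans text for candidate PANs (13-19 digits, optionally separated by spaces
or dashes), validates with the Luhn algorithm (ISO/IEC 7812 check digit), and
reports hits masked so the report itself does not become new card data.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in text; non-Luhn digit runs are ignored."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(set(digits)) == 1:   # 0000... placeholders are not card data
            continue
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample "files": the first mirrors the accounting scenario in the
# post, the others contain digit runs that must not be reported.
SAMPLE_FILES = {
    "accounting/chargebacks-march.csv":
        "date,amount,card\n2015-03-11,49.99,4111 1111 1111 1111\n",
    "sales/callbacks.txt":
        "Call customer at 555-0134 re order 1234567890123\n",
    "hr/phone-list.txt":
        "Front desk 801-555-0199\n",
}


def scan_files(files: dict) -> dict:
    """Map each path that contains card data to its masked hits."""
    report = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            report[path] = pans
    return report


if __name__ == "__main__":
    for path, pans in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(pans)}")
```

A real discovery run also has to open binary formats, archives and mail stores and to check memory and databases, which is where commercial tools earn their keep; the Luhn filter alone already removes most of the false positives a plain regex produces.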

SEE ALSO: Is Your Credit Card Data Leaking?

5. Decide how you want to segment

Now that you know where your card data is and how it flows in your environment, you’re ready to look at your network diagram and determine which devices and rules to use to keep information apart.

The most common way to segment is by implementing a piece of dedicated hardware that sits between network zones to limit network traffic, also known as a firewall. The most important part of firewall implementation is configuring the Access Control List (ACL) to define exactly what traffic can pass.

SEE ALSO: PCI Compliant Firewalls: 5 Things You’re Doing Wrong

Although we typically recommend the use of a firewall to segment internal network zones, here are a few other options.

  • Switches: The second most common way to segment is through network switch hardware. Switches are often used internally, behind a firewall, to help segment network zones. Some switches support their own access control lists, independent of the firewall rules between zones. Switch ACLs can be used in segmentation but are often a bit more difficult to manage than a dedicated firewall appliance. Only experienced network engineers should set up switch-only internal network segmentation.
  • Air Gap: This type of segmentation starts with two network connections from two totally separate Internet providers. If one connection serves only your processing network, the other serves only back-office and other functions, and the two segments are never connected, your card environment should be adequately separated.
  • Analog phone lines: If you’re willing to take all your credit card processing offline, the easiest and most foolproof way to segment a network is processing over analog phone lines. No Internet = no network breaches.

6. Consider P2PE…the ultimate segmentation technology

These are the most common ways to achieve segmentation; however, there’s an easier way: point-to-point encryption (P2PE) technology. P2PE essentially eliminates the need for segmentation (as long as you’re using a validated P2PE solution).

If you use P2PE (and only P2PE) to process credit cards, your entire merchant network is out of scope. No vulnerability scan, firewalls, or logging required for PCI DSS compliance. The only thing in scope for PCI DSS is your swipe device.

Read more about P2PE.

7. Your PCI assessor must verify your segmentation is adequate to reduce your scope

Many businesses think they’ve been properly segmented, when they actually haven’t. Because there are so many variables (how your network is configured, what technologies you deploy, the controls you have to secure data, ports open between zones, etc.), it’s important to have your segmentation verified by a QSA during your PCI audit.
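Step 5 says the heart of firewall segmentation is the ACL, and step 7 says someone must verify that the ACL actually keeps out-of-scope zones away from the CDE. The following added example (not from the original post or from any firewall vendor) models both: a first-match, default-deny ACL between constructed zones, a weak ruleset of the kind that leaves an office-to-CDE hole beside a hardened one that permits a single admin host on a single port, and a check that runs a list of probe flows from outside the CDE and reports every one the ACL lets through. Zone names, address ranges, rules and probes are all constructed.

```python
"""Zone ACL evaluation and segmentation gap check (added example).

Models an ordered, first-match ACL with an implicit deny at the end, which is
how most firewall and switch ACLs behave, then verifies segmentation the way
an assessor's test does: for each probe from outside the CDE, is it permitted?
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones from the post's example: a CDE and an office zone, plus a DMZ.
ZONES = {
    "cde": ip_network("10.10.0.0/24"),
    "office": ip_network("10.20.0.0/24"),
    "dmz": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: str                   # source CIDR
    dst: str                   # destination CIDR
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None matches any destination port

    def matches(self, src_ip, dst_ip, proto, dst_port):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


def evaluate(acl, src_ip, dst_ip, proto, dst_port):
    """First matching rule wins; nothing matched means the implicit deny."""
    for rule in acl:
        if rule.matches(src_ip, dst_ip, proto, dst_port):
            return rule.action
    return "deny"


# Weak ruleset: "the office needs to reach the POS servers" written as a
# whole-zone, any-port permit. This is the pivot path the post describes.
WEAK_ACL = [
    Rule("permit", "10.20.0.0/24", "10.10.0.0/24", "any", None),
]

# Hardened ruleset: one admin jump host to one CDE host on one port, then an
# explicit deny for the rest of the office zone so the hits get logged.
HARDENED_ACL = [
    Rule("permit", "10.20.0.5/32", "10.10.0.10/32", "tcp", 22),
    Rule("deny", "10.20.0.0/24", "10.10.0.0/24", "any", None),
]

# Constructed probe flows an assessor might try from each non-CDE zone.
PROBES = [
    ("10.20.0.77", "10.10.0.10", "tcp", 445),   # office workstation -> CDE SMB
    ("10.20.0.77", "10.10.0.10", "tcp", 22),    # office workstation -> CDE SSH
    ("10.20.0.5", "10.10.0.10", "tcp", 22),     # admin jump host -> CDE SSH
    ("10.30.0.8", "10.10.0.10", "tcp", 443),    # DMZ web server -> CDE HTTPS
]


def segmentation_gaps(acl, probes, cde=ZONES["cde"]):
    """Return every probe that originates outside the CDE and is permitted in.

    Whatever this returns is either a documented, justified exception (whose
    source host is then a connected-to system and in scope) or a finding.
    """
    gaps = []
    for src, dst, proto, port in probes:
        if ip_address(src) in cde or ip_address(dst) not in cde:
            continue
        if evaluate(acl, src, dst, proto, port) == "permit":
            gaps.append((src, dst, proto, port))
    return gaps


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, "ACL permits into the CDE:")
        for gap in segmentation_gaps(acl, PROBES):
            print("  ", gap)
```

With the weak ruleset every office probe gets through, so the whole office zone is connected-to and in scope; with the hardened one only the jump host on TCP/22 remains, which is the kind of single, documented exception a QSA can accept and that you then secure as an in-scope system.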

Analysis: no pain, no gain

Network segmentation requires investment in terms of time, effort, and funds. However, it’s the best way to reduce your PCI scope, and one of the best ways to keep your business secure.

We'd love to help you with your organization’s segmentation. Speak to a specialist.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.