PCI Compliance & Network Segmentation


Network segmentation is usually the foundation of the compliance journey under the Payment Card Industry Data Security Standard (PCI DSS). Proper segmentation creates controls dedicated to the security needs of the data.

You have to comprehend the objectives and purposes of the standards to effectively meet the requirements of the PCI network segmentation. Without meeting basic network segmentation yardsticks, your company cannot claim to be compliant with the industry’s data protection policy.

What is a cardholder data environment?

The Payment Card Industry describes cardholder data as any data that identifies a person’s debit or credit card. Examples are the cardholder name, primary account number, service code, expiration date and other sensitive credentials.

Cardholder data (CHD) is any data that anyone could employ to steal, falsely identify or fraudulently charge the account. Its environment is any networked or computerized systems that keep, process or convey this information.

The CHD environment (CDE) consists of any physical or virtual servers, network devices, computers, storage devices and applications connected to the CDE. Wherever employees or computers can access or copy CHD, that environment must be kept separate from your company's ordinary environment.

What is network segmentation according to PCI DSS?

You have to check how data travels through your company's systems to understand network segmentation. If the CDE is a river with multiple access points, then the CHD is the kayak that navigates the waters.

Cardholder data is meant to float on the network so smoothly that it does not drown, get stuck midway or be compromised by pirates along the river. Connectivity can either be physical, wireless or virtualized.

Examples of its ecosystem are hard disk drives, flash disks, and wireless or Bluetooth connections. Network segmentation can be summed up as the thorough accounting of all hardware, software, networks, connections and human resources where cardholder data exists or occurs.

How companies can scope systems

Critical evaluation is needed for PCI DSS scoping to occur. There has to be careful analysis of the different data access points, which are your river's tributaries. You need to start by checking where and how CHD occurs.

Payment points and methods of accepting cardholder data should be thoroughly checked. After that, find and bookmark places where storage, processing, and transmission of data happens. This procedure requires careful understanding of technologies, processes and who handles them.

When you have mapped the flow of information through the networks, it is time to incorporate the people, system components, and processes that influence the CDE. Unlike the previous step, here you will need to look closely at the people who handle the data.

After tracking your data river, the next step is protecting the information by creating access controls. What matters here is deciding how to limit the routes the information can take. It is like building dams to control the flow of water down the river.

This procedure requires firewalls, encryption systems, and other controls. Once you have controlled access and delivery, ensure that the segmentation runs across all processes, system components and personnel. More importantly, check how your CDE evolves and make changes efficiently.

What out-of-scope systems exist?

The Payment Card Industry Security Standards Council, often referred to as the PCI SSC, describes out-of-scope systems as those with no access to any CDE system, which makes out-of-scope systems increasingly difficult to identify.

The council requires that out-of-scope systems must not store, transmit or process cardholder data, and must not connect to networks that touch cardholder data. Similarly, they must not gain access to or impact the CDE's controls, or meet any of the criteria discussed above.

The trees that grow in your neighboring forest are in scope for your kayak because their roots touch the same ground on which your river flows. For this reason, you have to think very critically before declaring a system out-of-scope.
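The scoping steps above (find where CHD occurs, map flows, then include anything that can reach the CDE) and the out-of-scope criteria in this section can be checked mechanically. The following is an added example, not code from the article or from the PCI SSC: it takes a constructed inventory of systems and permitted network flows (hypothetical host names), classifies each system as CDE, connected-to, or out-of-scope, and flags out-of-scope claims that the connectivity data contradicts.

```python
# Added example (not from the original article). All hosts and flows are constructed.
from collections import deque

# Constructed inventory: system -> does it store, process or transmit CHD?
HANDLES_CHD = {
    "pos-terminal": True,
    "payment-gateway": True,
    "card-db": True,
    "jump-host": False,     # admin host with a permitted path into the CDE
    "hr-portal": False,     # can reach the jump host, so indirectly the CDE
    "marketing-web": False, # no path to any CDE system
    "cdn-cache": False,
}

# Constructed permitted flows, e.g. distilled from firewall rules. A flow in either
# direction counts as connectivity: the page says out-of-scope systems must not
# connect to networks that touch cardholder data at all.
ALLOWED_FLOWS = [
    ("pos-terminal", "payment-gateway"),
    ("payment-gateway", "card-db"),
    ("jump-host", "card-db"),
    ("hr-portal", "jump-host"),
    ("marketing-web", "cdn-cache"),
]

def classify_scope(handles_chd, flows):
    """Return {system: 'cde' | 'connected' | 'out_of_scope'}."""
    cde = {s for s, h in handles_chd.items() if h}
    neighbours = {s: set() for s in handles_chd}
    for a, b in flows:  # undirected adjacency
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    # Breadth-first walk outward from every CDE system: anything reachable through
    # permitted flows is "connected-to" and therefore in scope.
    seen, queue = set(cde), deque(cde)
    while queue:
        for nxt in neighbours.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {s: "cde" if s in cde else "connected" if s in seen else "out_of_scope"
            for s in handles_chd}

def check_out_of_scope_claims(claimed, handles_chd, flows):
    """Return claimed out-of-scope systems that the flow data says are in scope."""
    scope = classify_scope(handles_chd, flows)
    return sorted(s for s in claimed if scope.get(s) != "out_of_scope")

if __name__ == "__main__":
    for system, category in classify_scope(HANDLES_CHD, ALLOWED_FLOWS).items():
        print(f"{system:16} {category}")
    print("contradicted claims:",
          check_out_of_scope_claims(["hr-portal", "marketing-web"], HANDLES_CHD, ALLOWED_FLOWS))
```

In a real assessment the flow list would come from firewall rule exports or flow logs, and any system the check moves from "out_of_scope" to "connected" needs either a rule change or inclusion in the PCI DSS assessment.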

Can companies transfer their risk through third party service providers?

Within the security standards, service providers and third parties form part of your company's PCI compliance. Think of these as the rangers in the forest, protecting the interests of the original parties.

Examples are companies providing support services remotely, business partners and other parties that engage with your cardholder ecosystem and can make it vulnerable. A forest ranger can choose to cut a branch to pave the way for water rafts, but his seemingly advantageous deeds could jeopardize the health of the tree.

Therefore, you must investigate third-party involvement and monitor how their support impacts your PCI DSS compliance. Monitor the services they provide very carefully. Enter into a contract that demarcates which PCI DSS requirements each third party covers.

All third parties, such as service providers, must prove compliance. You can have a competent Qualified Security Assessor (QSA) check the services of all third-party support annually. Alternatively, have the third parties submit compliance reports.

Ensure that all criteria of PCI DSS network segmentation have been captured in your contract with the service providers.

If cardholder data is compromised by the actions of third parties, you defend your company using the terms printed in