In order to clarify scoping and network segmentation principles in PCI DSS, the PCI SSC has released additional guidance in order to help organizations identify what systems are considered in scope for PCI DSS assessments. This guidance was developed by industry experts and the PCI SSC Board of Advisors in order to assist organizations in understanding the principles in PCI DSS.
What is Scoping and Network Segmentation?
Scoping is the identification of people, processes, and technology that interacts with cardholder data (CHD). Network segmentation is the process of limiting exposure by isolating all sensitive information to the systems that process, transmit and store it.
Read more: Understanding PCI DSS Requirement 6.4.6
There is a need to minimize the footprint of cardholder data, as it allows organizations to more readily address security issues. Segmenting your information systems allows you to minimize the amount of effort required when meeting PCI DSS requirements because all of the information that needs to be readily protected is in a single location, instead of across multiple venues.
Network segmentation is not a requirement of PCI DSS, but it is a strongly recommended practice. Improper segmentation can put cardholder data at risk, and thus it is important for organizations to understand segmentation thoroughly. The guidance provides clarification on what items are considered in-scope and out of scope in order to assist organizations in understanding how to better segment their systems.
Guidance for PCI DSS Scoping and Network Segmentation
PCI DSS realized the need for a guidance that clarified scoping and segmentation activities and created The Guidance for PCI DSS Scoping and Network Segmentation. The guidance includes examples of typical scoping activities, PCI DSS scoping categories, descriptions of segmentation implementations for shared services, and situational examples of segmentation implementations for “Connected-to” Shared Services and CDE Administration Workstation outside of the CDE.
This guidance does not replace or supersede any existing requirements in any PCI SSC standard, it is intended to clarify the existing standard in order to allow organizations to better understand segmentation and scoping.
Proper segmentation can assist businesses by reducing the scope and the cost of completing a PCI DSS assessment, and reduce the amount of risk within the organization by limiting cardholder data to specific locations. It is important to remember that because an item determined to be out-of-scope for PCI DSS, does not make it impossible to compromise. It is important for organizations to pay attention to where information is considered both in and out-of-scope to continue to prevent data breaches by taking a holistic approach to information security. This guidance should provide additional clarification to help organizations address these challenges.
Does your organization need assistance in determining how to segment your network for the purpose of PCI DSS scoping? A-LIGN’s Qualified Security Assessors (QSA) are available now to assist you with any of your PCI DSS needs. Contact us today at [email protected] or 888-702-5446.