PCI-DSS is the set of security standards that seeks to extend consistent data protection practices across the credit processing industry. Any organization handling credit card data must comply with PCI-DSS regulations.
PCI-DSS compliance places a major burden on businesses, especially small and medium-sized enterprises. But companies can reduce the cost of compliance by intelligently scoping their credit processing environment.
Segmentation allows IT teams to apply network segmentation to protect credit card data while reducing the need to secure less critical system components.
This blog will introduce network segmentation in PCI-DSS. We will look at how segmentation works and how it contributes to robust financial sector cybersecurity strategies.
What is network segmentation?
Network segmentation separates network resources to control access and enhance security. In the context of PCI-DSS, network segmentation divides the cardholder data environment (CDE) from other system components.
Separating the cardholder data environment from other resources allows businesses to secure cardholder data. This is a major challenge of cybersecurity in finance. With proper segmentation, hackers will struggle to move from off-scope endpoints and apps to the CDE. Data breaches are much less likely.
Segmentation is not a PCI-DSS requirement. It complements other compliance tools such as encryption, access management, and firewall protection. If you have any doubts about core requirements, check out our PCI-DSS compliance checklist for more information.
However, the PCI Security Standards Council (SSC) has issued guidance advising companies to employ segmentation if possible.
As the SSC says, “Effective segmentation can greatly reduce the risk of CDE systems being impacted by security weaknesses or compromises originating from out-of-scope systems.” But it is not a magic bullet. Segmentation must work with other technologies and controls to achieve PCI-DSS compliance.
Understanding PCI DSS network segmentation scope
When discussing network segmentation for PCI-DSS, it’s important to assess the “scope” of controls required.
Scope refers to the extent of protection required to achieve compliance. Establishing PCI-DSS scope is a critical priority before applying segmentation.
Proper scoping provides security teams with the visibility and knowledge needed to locate and defend critical data. Scoping allows you to segment cardholder data from other parts of the network, boosting security and cutting costs.
There are three main categories to think about when carrying out a PCI-DSS assessment.
In-scope assets
Network resources that make direct contact with cardholder information. This includes payment systems, points of sale, credit card databases, communication tools, and even CRM systems. If an app or device holds credit card data, it is “in scope.”
Connected-to assets
These systems connect to in-scope assets but do not hold card data themselves. They may not require segmentation but must be tightly secured as part of the CDE.
Out-of-scope assets
Anything without access to the cardholder data environment is defined as “out of scope” and does not require the same level of protection.
The PCI-DSS regulations state that “even if the out-of-scope system component was compromised, it could not impact the security of the CDE.” This is a good way of approaching the scoping task.
If system components provide attackers with indirect access to cardholder data, it qualifies as in-scope. If not, you can relegate it to a lower priority level and concentrate resources where they matter most.
“Flat” networks where system components are connected to a single network switch are an important exception. In these cases, the entire network is categorized as in-scope.
In flat network settings, there is no such thing as an out-of-scope system. If an attacker gains access to any node on the network, they can potentially spread to systems handling credit data.
Why scoping matters to network segmentation
PCI-DSS scoping is a crucial first step in the segmentation process. You cannot create segments protecting cardholder data unless you know where that data resides.
Scoping maps data locations and flows. Compliance teams build a picture of how credit card data moves throughout the network, where it is stored, and who requires access. This provides a solid foundation for creating accurate and effective network segments.
Scoping also ensures that the segmentation process covers every asset. Security teams can start from the assumption that everything is in scope. They can then eliminate out-of-scope assets from the CDE and apply precise segmentation for cardholder data.
How to implement network segmentation for PCI DSS?
When carrying out a PCI-DSS assessment, it’s essential to keep one thing in mind: segmentation is not a substitute for comprehensive cybersecurity controls and policies. Network segmentation is part of a wider toolkit, not a solution to your compliance worries.
Having said that, PCI-DSS best practices advise that companies segment the cardholder data environment from other network systems. So how should you approach this task?
Network segmentation applies specific security controls to create sub-networks containing critical cardholder data. There are various ways of achieving this, including:
Firewall barriers between the rest of the network and cardholder data
Firewalls regulate network traffic across the CDE perimeter, preventing unauthorized access requests.
Data loss prevention (DLP) solutions
DLP tracks the movement of critical data, and works in tandem with firewall protection. Users cannot move or copy protected data without authorization. Security controls automatically block any unauthorized transfers.
Physical access controls for in-scope devices
Some workplaces may impose physical identity checks between CDE-connected devices and other offices or workstations.
Air gaps
Physical air gaps can also divide cardholder data from other network assets. Companies may choose to use two separate systems for payment processing and general operations.
Identity and access management (IAM) systems and multi-factor authentication (MFA)
Authentication systems require multiple credentials for any login. Secure network zones can require extra credentials before granting access.
Zero Trust controls on user privileges
Network managers should keep the number of users with administrative privileges as low as possible. Cardholder data environment access should only be available for users with appropriate permissions. All user access is seen as illegitimate until proven otherwise.
Continuous activity monitoring
Security teams can automate monitoring to track suspicious behavior. Tracking systems raise alerts when out-of-scope assets request access to a network segment within the CDE.
When you decide how to apply segmentation, the core challenge is determining which assets are in-scope and what lies out-of-scope.
Security teams must interview employees throughout the organization to understand how they use data. Employees can provide invaluable information about where cardholder data resides – knowledge that may not be immediately obvious.
The next step in PCI-DSS compliance is ensuring that network segmentation covers every part of the CDE. Elements to consider include:
Applications handling cardholder data. This could cover web apps and locally hosted databases.
Authentication servers and internal firewalls that connect with or defend the CDE. Protecting sensitive authentication data is a critical priority.
Security services that ensure data security and guard cardholder data. This includes intrusion detection systems, malware scanners, and anti-virus tools.
Log storage servers and backups. Any audit logs must be properly secured, including connections between active payment databases and historical logs.
Virtual machines, apps, hypervisors, or virtual routers that store or process cardholder data.
Network infrastructure such as routers, switches, hardware firewalls, and any other equipment that connects to the CDE.
Network servers handling cardholder data flows from sites of payment and within the corporate network. This may include web, mail, proxy, and DNS servers.
Third parties. Any third-party applications or users with access to payment or cardholder data storage systems lie within the CDE.
The critical task when applying PCI-DSS controls is mapping connections. Any endpoint or application that can access cardholder data needs to be secured.
It isn’t always easy to discover connections between system components. But a comprehensive planning process will generate enough information to keep your data breach risk low.
How can NordLayer solutions help?
Network segmentation is a critical part of PCI-DSS compliance. It allows organizations to separate the cardholder data environment from other system components. Attackers seeking access via remote devices or insecure endpoints will find it much harder to extract cardholder data.
NordLayer can help you build a security setup that meets PCI-DSS requirements. Our PCI-DSS compliance solutions make it easy to segment networks to protect cardholder environments. With Nordlayer, you can:
Create groups of network users and assign different network access privileges to each group.
Create Virtual Private Gateways for specific groups, resources, or websites.
Use IP allowlisting with Dedicated IP addresses to allow authorized users and block others.
In the near future, we will also offer Cloud firewall functionality. This will simplify segmenting cloud-based credit processing environments with granular and flexible access controls.
However, network segmentation is not a single solution. Companies must couple PCI-DSS network segmentation with other security tools to be compliant. Nordlayer can help here as well. In addition to segmentation, our tools can help you:
Install secure remote access solutions to transmit cardholder data safely.
Set user permissions to block unauthorized access to every network segment.
Employ quantum-safe cryptography in tunnel encryption to hide your traffic and online activity from users on the open internet.
Put in place multi-factor authentication for users accessing cardholder data. Ensure only trusted users can handle customer information and keep data breach risks low.
Make PCI-DSS compliance manageable by partnering with an experienced security provider. Get in touch with the NordLayer team to explore smart data security solutions that make damaging data breaches much less likely.
