When it comes to compliance testing in the payment card industry, everyone understands the importance of keeping data security standards up to snuff. Yet the organizations trying to navigate and comply with the Payment Card Industry (PCI) standards face a fresh hurdle starting this month.
Where segmentation is used, any PCI provider must now test segmentation controls at least every six months and after any changes are made to segmentation controls or methods. This is per the PCI Data Security Standard (requirement 18.104.22.168, to be precise!).
Previously, segmentation testing was a best practice in addition to annual penetration testing, but as of January 31, 2018, it becomes a requirement. The testing is to verify all controls and methods are operational and effectively isolate all out-of-scope systems from systems in the cardholder data environment (CDE).
More than 898 million records with sensitive information were breached between January 2005 and April 2016 — PrivacyRights
First, let's talk about network segmentation, which is also known as "isolation." This practice isolates system components that store, process or transmit cardholder data from systems that do not.
Segmentation helps organizations meet the "need to simplify and minimize the footprint of cardholder data," according to PCI SSC Chief Technology Officer Troy Leach. "It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise. As a result, it should also reduce the level of effort to comply with PCI DSS."
Network segmentation, the PCI notes, not only reduces the scope of PCI DSS assessment but can cut assessment costs and the difficulty of implementing and maintaining PCI DSS controls — all while reducing risk to the organization by "consolidating cardholder data into fewer, more controlled locations."
Penetration testing is a comprehensive testing required annually. PCI penetration testing reveals real-world opportunities hackers might use to compromise POS devices, payment software, firewalls, and more.
Segmentation testing is less extensive. Focused solely on segmentation controls, these tests evaluate connectivity between in-scope and out-of-scope networks.
Segmentation testing should demonstrate that connections attempted from out-of-scope networks and systems are denied. Connectivity can occur via many technologies including:
Any failures to properly segment should be quickly remediated and appropriately retested, with documentation indicating the remediation for high risk/exploitable vulnerabilities has been carried out.
The segmentation testing requirement only applies to service providers. Merchants only need to worry about segmentation controls/methods when understanding compliance of their third-party service providers. Merchants will want to ensure they have an Attestation of Compliance (AOC) and responsibility matrix from these providers.
The six-month window until the next segmentation test starts when the initial testing is conducted, not after remediation efforts have concluded.
PCI DSS compliance requires scoping all system components to:
Ultimately, no system — whether it is segmented or not — should be left unprotected. PCI guidance notes that attackers often target systems deemed by the entity to be out-of-scope for PCI DSS, then leverage those systems to gain access to more systems, which eventually provide a path to the systems where CHD can be found.
Need help with system scoping, penetration testing, or segmentation testing? RedTeam Security's industry experts offer compliance assistance recognizing that effective scoping and segmentation requires careful planning, design, implementation, and monitoring. Our high-touch team will focus on the security of your entire environment to not only help you reach PCI DSS compliance but minimize organizational risk overall.