Amping Up PCI Service Provider Compliance

When it comes to compliance testing in the payment card industry, everyone understands the importance of keeping data security standards up to snuff. Yet the organizations trying to navigate and comply with the Payment Card Industry (PCI) standards face a fresh hurdle starting this month.

Where segmentation is used, any PCI service provider must now test segmentation controls at least every six months and after any change to segmentation controls or methods. This is per the PCI Data Security Standard (requirement 11.3.4.1, to be precise!).

Previously, segmentation testing was a best practice in addition to annual penetration testing, but as of January 31, 2018, it becomes a requirement. The testing is to verify all controls and methods are operational and effectively isolate all out-of-scope systems from systems in the cardholder data environment (CDE).

More than 898 million records with sensitive information were breached between January 2005 and April 2016 — PrivacyRights

What Is Segmentation?

First, let's talk about network segmentation, which is also known as "isolation." This practice isolates system components that store, process or transmit cardholder data from systems that do not.

Segmentation helps organizations meet the "need to simplify and minimize the footprint of cardholder data," according to PCI SSC Chief Technology Officer Troy Leach. "It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise. As a result, it should also reduce the level of effort to comply with PCI DSS."


Network segmentation, the PCI SSC notes, not only reduces the scope of a PCI DSS assessment but can cut assessment costs and the difficulty of implementing and maintaining PCI DSS controls, all while reducing risk to the organization by "consolidating cardholder data into fewer, more controlled locations."


Penetration testing is a comprehensive test required annually. PCI penetration testing reveals real-world opportunities attackers might use to compromise POS devices, payment software, firewalls, and more.

Segmentation testing is less extensive. Focused solely on segmentation controls, these tests evaluate connectivity between in-scope and out-of-scope networks.

Segmentation testing should demonstrate that connections attempted from out-of-scope networks and systems are denied. Connectivity can occur via many technologies including:

  • Traditional network (e.g. Ethernet or power-line)
  • System-to-system connection (e.g. USB or component)
  • Wireless connectivity (e.g. Bluetooth, wireless LANs, or GPRS)
  • Virtualized networks, machines, devices, switches, etc.

Any failures to properly segment should be quickly remediated and appropriately retested, with documentation indicating the remediation for high risk/exploitable vulnerabilities has been carried out.
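Before (or alongside) an active segmentation test, a reviewer can check the firewall rule base itself for any path that would let an out-of-scope network reach the CDE. The script below is an added example, not code from the article or from RedTeam Security; the CDE and out-of-scope ranges, the rule format and the sample rules are all constructed, and it assumes first-match rule evaluation.

```python
import ipaddress

# Constructed scope definitions for the example (hypothetical ranges).
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]
OUT_OF_SCOPE_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                     ipaddress.ip_network("192.168.0.0/16")]

def _net(cidr):
    """'any' means the whole IPv4 space, otherwise parse the CIDR."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def _shadowed(rule, earlier):
    """True if an earlier deny fully covers rule (first match wins)."""
    for e in earlier:
        if (e["action"] == "deny"
                and _net(rule["src"]).subnet_of(_net(e["src"]))
                and _net(rule["dst"]).subnet_of(_net(e["dst"]))
                and e["port"] in ("any", rule["port"])):
            return True
    return False

def segmentation_gaps(rules):
    """Return allow rules that would let out-of-scope hosts reach the CDE.

    rules: ordered list of {src, dst, port, action}; src/dst are CIDRs
    or 'any', port is an int or 'any'. A gap is an 'allow' rule whose
    source overlaps an out-of-scope network, whose destination overlaps
    a CDE network, and which is not shadowed by an earlier deny.
    """
    gaps = []
    for i, rule in enumerate(rules):
        if rule["action"] != "allow" or _shadowed(rule, rules[:i]):
            continue
        src = [str(n) for n in OUT_OF_SCOPE_NETS if _net(rule["src"]).overlaps(n)]
        dst = [str(n) for n in CDE_NETS if _net(rule["dst"]).overlaps(n)]
        if src and dst:
            gaps.append({"rule": i, "from": src, "to": dst, "port": rule["port"]})
    return gaps

# Constructed rule base: rule 2 is shadowed by the deny in rule 1,
# rule 3 is a real segmentation gap that must be remediated and retested.
SAMPLE_RULES = [
    {"src": "10.10.0.0/24", "dst": "10.10.0.0/24", "port": "any", "action": "allow"},
    {"src": "192.168.0.0/16", "dst": "10.10.0.0/24", "port": "any", "action": "deny"},
    {"src": "192.168.5.0/24", "dst": "10.10.0.10/32", "port": 3389, "action": "allow"},
    {"src": "10.20.1.0/24", "dst": "10.10.0.0/24", "port": 443, "action": "allow"},
    {"src": "any", "dst": "any", "port": "any", "action": "deny"},
]

if __name__ == "__main__":
    for gap in segmentation_gaps(SAMPLE_RULES):
        print(f"rule {gap['rule']}: {gap['from']} -> {gap['to']} port {gap['port']}")
```

A rule-base review only shows what the policy intends; the six-monthly test still has to confirm on the wire that the connections are actually denied.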

Things To Know About The Changes

The segmentation testing requirement applies only to service providers. Merchants need only consider segmentation controls and methods when assessing the compliance of their third-party service providers. Merchants will want to ensure they have an Attestation of Compliance (AOC) and a responsibility matrix from these providers.

The six-month window until the next segmentation test starts when the initial testing is conducted, not after remediation efforts have concluded.

PCI DSS compliance requires scoping all system components to:

  • Identify how and where the organization receives cardholder data (CHD)
  • Locate and document where account data is stored, processed, and transmitted
  • Identify all other system components, processes, and personnel in scope
  • Implement controls to minimize scope to necessary components, processes, and personnel
  • Maintain and monitor processes to ensure continued compliance.

Ultimately, no system — whether it is segmented or not — should be left unprotected. PCI guidance notes that attackers often target systems deemed by the entity to be out-of-scope for PCI DSS, then leverage those systems to gain access to more systems, which eventually provide a path to the systems where CHD can be found.

Need help with system scoping, penetration testing, or segmentation testing? RedTeam Security's industry experts offer compliance assistance recognizing that effective scoping and segmentation requires careful planning, design, implementation, and monitoring. Our high-touch team will focus on the security of your entire environment to not only help you reach PCI DSS compliance but minimize organizational risk overall.
