What is PCI Network Segmentation?
PCI network segmentation is the practice of dividing a network into smaller segments or subnets so that communication between them is restricted or blocked. It is a vital security practice for any merchant looking to protect cardholder data and narrow the scope of PCI DSS.
Reducing PCI DSS complexity with network segmentation saves time, money, and effort.
Done correctly, segmentation provides controls that limit or prevent connectivity from one subnet to another. Done improperly or incompletely, it leaves attackers a path into the cardholder data environment (CDE) from a less secure part of the network.
In short, PCI network segmentation reduces risk by limiting access from less secure networks to highly secure networks such as the CDE.
How to isolate the PCI network and increase CDE security?
There are three main types of segmentation commonly used today:
- Firewall rules
- Route restrictions
- Air gap (physically independent infrastructure)
The most common form of segmentation is firewall rules.
Why is network segmentation used?
Note that although PCI DSS does not require network segmentation, it is a recommended technique for reducing PCI DSS scope and securing data.
By isolating less secure networks from high-security networks, organizations limit the blast radius of a breach: a compromise in the less secure network does not by itself give access to the protected ones.
PCI network segmentation reduces risk as well as the time and cost of PCI DSS compliance: once a less secure network is adequately isolated from the CDE, the PCI DSS requirements no longer apply to it.
Scoping and Segmentation for PCI DSS
Before starting the PCI DSS scoping and segmentation exercise, determine which systems will be in scope and which will be out of scope. Systems fall into three groups:
- CDE systems: systems directly involved in storing, processing, or transmitting cardholder data
- Connected-to systems: systems that are connected to the cardholder data environment (CDE), can affect its security, or are indirectly involved in processing card data
- Out-of-scope systems: systems that have no access to, and no effect on, the CDE
It is critical not to overlook the connected-to systems. They are the ones most often forgotten or segmented incorrectly, and they are a frequent contributor to CDE breaches and theft of cardholder data.
To determine PCI DSS scope accurately, evaluate the CDE against the rules below; this assessment is only a starting point. The rules push organizations to analyze the CDE objectively and to trace the flow of cardholder data into, within, and out of the CDE.
The primary PCI scoping rules are as follows:
- Systems in the CDE are within the scope of the PCI.
- Systems connected to the CDE system are within the scope of the PCI.
- In a flat network, if a single system stores, processes, or transmits cardholder data, every system on that network is in scope.
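The three scoping rules can be applied mechanically to a system inventory plus a map of the connections the firewalls actually permit. The following is an added example, not code from the article or from the PCI SSC guidance: the inventory, segment names, and permitted connections are constructed for illustration, and the `security_impacting` parameter is a hypothetical hook for systems (such as directory or patch servers) that can affect CDE security without a direct connection.

```python
"""PCI DSS scope classifier driven by a system inventory and a connectivity map.

Added example, not code from the article or the PCI SSC guidance.
The inventory, segments and permitted connections are constructed for illustration.
"""

# Constructed inventory: system name -> (network segment, stores/processes/transmits CHD?)
INVENTORY = {
    "pos-01":     ("payment-vlan", True),
    "pay-switch": ("payment-vlan", True),
    "pay-jump":   ("payment-vlan", False),   # no CHD, but shares the CDE segment
    "erp":        ("corp-lan", False),       # pulls settlement data from pay-switch
    "dns":        ("corp-lan", False),       # CDE hosts resolve names here
    "hr-share":   ("corp-lan", False),       # talks to erp only, never to the CDE
    "guest-wifi": ("guest", False),
}

# Constructed connectivity map: directed (src, dst) pairs the firewalls/ACLs actually permit.
PERMITTED = {
    ("erp", "pay-switch"),
    ("pos-01", "dns"),
    ("hr-share", "erp"),
}


def classify_scope(inventory, permitted, security_impacting=()):
    """Apply the scoping rules and return (cde, connected_to, out_of_scope) as sets.

    Rule 1: a system that stores, processes or transmits CHD is part of the CDE.
    Rule 3: every system on the same (flat) segment as a CDE system is in the CDE too,
            because nothing separates it from the CHD-handling hosts.
    Rule 2: a system with a permitted connection to or from a CDE system is a
            connected-to system and in scope. Only direct connections count here;
            a system that merely reaches a connected-to system is not pulled in.
    Systems that can affect CDE security without a direct connection (passed in
    security_impacting, an assumed extra input) are treated as connected-to.
    """
    cde = {name for name, (_seg, handles_chd) in inventory.items() if handles_chd}
    cde_segments = {inventory[name][0] for name in cde}
    cde |= {name for name, (seg, _chd) in inventory.items() if seg in cde_segments}

    connected_to = set(security_impacting) - cde
    for src, dst in permitted:
        if src in cde and dst not in cde:
            connected_to.add(dst)
        elif dst in cde and src not in cde:
            connected_to.add(src)

    out_of_scope = set(inventory) - cde - connected_to
    return cde, connected_to, out_of_scope


def flatten(inventory, segment="flat"):
    """Model the 'no segmentation' case: put every system on one segment."""
    return {name: (segment, chd) for name, (_seg, chd) in inventory.items()}


if __name__ == "__main__":
    cde, connected, out = classify_scope(INVENTORY, PERMITTED)
    print("CDE:", sorted(cde))
    print("connected-to:", sorted(connected))
    print("out of scope:", sorted(out))
    # With no segmentation at all, rule 3 drags everything into the CDE.
    print("flat network CDE:", sorted(classify_scope(flatten(INVENTORY), PERMITTED)[0]))
```

Note how `pay-jump` ends up in the CDE even though it never touches card data: sharing a segment with CDE hosts is enough. The `flatten` call shows the other extreme, where the absence of segmentation puts the whole inventory in scope.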
PCI Network Segmentation and PCI Scope
Segmentation is important for preventing breaches and attacks, and it is also the most common way merchants reduce their PCI DSS scope.
For PCI DSS, if the network or system components are in the cardholder data environment, connected directly to the CDE, or can affect the security of the CDE, those systems are considered to be within the scope of the PCI.
Non-segmented environments or flat networks combine card processing systems with back-office systems. In these environments, the entire network is subject to PCI DSS compliance. Such a network structure will significantly increase the work required to secure your corporate network.
While flat networks are inherently insecure, many businesses still use them because they are simple to understand and build. That convenience comes at the cost of security risk and a larger PCI DSS scope.
How to Segment a PCI Network?
Merchants often build flat networks because every host can then reach every other host. There may be a firewall at the network edge, but that alone is not enough.
A perimeter firewall is not segmentation, and the network behind it is still flat. Once an attacker gets in, a flat network is very hard to defend because the attacker can reach anything on it.
Firewalls can serve to segment an organization's network. By creating a payment zone that is sheltered from regular business traffic, businesses can ensure the CDE interacts only with known and trusted sources. In this way, segmentation limits the size of the CDE and potentially reduces PCI DSS scope.
Network segmentation is not required for compliance with PCI DSS 3.2.1 (nor with v4.0). But it is one of the best ways to minimize the cost, effort, and time of bringing in-scope systems into compliance.
Segmentation can be troublesome, especially for those without a technical security background. Consider having a security expert review your segmentation work, and repeat that review regularly.
According to PCI DSS, for a system component to be considered out of scope, it must be adequately isolated (segmented) from the cardholder data environment (CDE), so that even if the out-of-scope component is compromised, the security of the CDE is not affected.
Segmenting your network can be quite tricky, depending on the complexity of your environment.
Here are the steps you can use to segment your network and make the process easier:
1. Assign a person or group to know and manage all card data flows
To reduce PCI DSS scope, you need to understand how your business works and how card data flows through your organization. Tracking and managing scope is much easier if one person is the authority over every place where card data is stored, processed, or transmitted.
2. Involve everyone.
Your employees may know about ad hoc processes that handle card data and that nobody else knows about. Talk to process owners, people with access to the data, web developers, and the sales team to learn more about your card data environment.
For example, accounting departments that reconcile accounts or process refunds may capture card data in files on employees' workstations, on shared network file servers, or on paper.
Customer service representatives may take card numbers over the phone or view full card numbers on screen, so check these points for handwritten or printed card data.
3. Create a data flow chart
A data flow diagram that shows where card data resides and how it moves is the easiest way to understand the flows in your organization.
4. Use card data discovery tools
Card data can end up on networks that are not directly involved in point-of-sale transactions. Finding it manually in a complex environment is nearly impossible, so use card data discovery tools to find overlooked card data and processes.
5. Decide how you want the network segmentation to be
Now that you know where your card data is and how it flows through your environment, look at your network diagram and decide which tools and rules to use to isolate it.
The most common way to segment is a dedicated device, the firewall, placed between network zones to limit the traffic between them. The most crucial part of implementing the firewall is configuring its access control list (ACL), which defines what traffic may pass.
While a firewall is generally the recommended way to segment local network zones, there are a few other options:
- Switches: the second most common method is switching hardware (VLANs). Switches are also used internally, behind a firewall, to subdivide network zones. In addition to the firewall rules between zones, some switches support their own access control lists. Switch ACLs can be used for segmentation, but are generally harder to manage than a standard firewall appliance.
- Air gap: the transaction network and the back-office network run on physically separate infrastructure, for example on two network connections from two completely separate Internet providers. If one network connects only to the payment systems, the other connects only to the back office and other services, and the two never connect, the card environment is segmented by construction.
- Analog phone lines: the simplest and most clear-cut form of segmentation is to process all card transactions on standalone dial-up terminals over analog phone lines, if your business can work that way, since the card data then never touches the data network.
6. Consider using a PCI P2PE solution
Another common and easy way to reduce scope is a Point-to-Point Encryption (P2PE) solution. As long as you use a PCI-validated P2PE solution, it largely removes the need for segmentation, because card data is encrypted inside the payment terminal and the merchant's network never sees it in clear text.
If the only way card data enters your environment is through a validated P2PE solution's terminals, most of the merchant network falls out of scope and the merchant can assess against the reduced SAQ P2PE, which drops requirements such as vulnerability scanning, firewall configuration, and monitoring. The P2PE terminals and the solution provider remain in scope, and requirements for physically protecting the terminals and maintaining security policies still apply.
7. Your PCI auditor should verify that your segmentation is sufficient to reduce scope.
Many companies believe their environments are properly segmented, but with so many variables involved, a QSA must validate the segmentation during your PCI assessment.
What You Need to Know About PCI Penetration Testing and PCI Segmentation Testing
What is a PCI segmentation check?
A PCI segmentation check is a set of penetration tests used to verify that out-of-scope (less secure) networks cannot communicate with the CDE.
These tests exercise the segmentation controls to confirm that they work as intended and that there is no path around them.
Why should PCI segmentation be checked?
PCI DSS states that segmentation controls must be tested and verified regularly; segmentation testing is an explicit requirement (Requirement 11.3.4 in PCI DSS 3.2.1).
Common reasons organizations fail segmentation checks:
- Incorrectly configured firewalls
- Stale rules that were never removed
- Overly broad access granted to third-party management services
A segmentation check looks for exactly these conditions and confirms that segmentation is configured correctly. PCI DSS also requires a periodic review of firewall and router rule sets (Requirement 1.1.7 in PCI DSS 3.2.1, at least every six months).
If you review your firewall rules regularly, you can catch these problems before the segmentation test does.
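The payment-zone ACL described under step 5 and the rule-set review described here are two views of the same object. The following is an added example, not the article's or any vendor's code: it models a small firewall rule set between a constructed corporate LAN, a constructed CDE (10.10.0.0/24), and a constructed third-party management range (203.0.113.0/24, from the TEST-NET-3 documentation block), evaluates traffic against it first-match as a stateless ACL would, and then runs the three checks above (overly broad access into the CDE, stale rules, and third-party access wider than named hosts). Rule names, hit dates, and owners are invented for illustration; the `last_hit` field assumes you can export per-rule hit counters from your firewall.

```python
"""Payment-zone firewall rule set with first-match evaluation and rule-set review.

Added example; not the article's or any vendor's code. Zones, addresses, rule
names, owners and hit dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    proto: str                       # "tcp", "udp", "icmp" or "any"
    port: Optional[int]              # destination port; None = any port
    action: str                      # "allow" or "deny"
    last_hit: Optional[date] = None  # last time the rule matched traffic; None = never
    owner: str = ""                  # who requested the rule


CDE = ip_network("10.10.0.0/24")                 # constructed payment zone
THIRD_PARTY = [ip_network("203.0.113.0/24")]     # constructed managed-service provider range
REVIEW_DATE = date(2024, 5, 15)                  # constructed date of the review

RULES = [
    Rule("erp-settlement", "10.20.5.10/32",  "10.10.0.20/32", "tcp", 8443, "allow", date(2024, 5, 1), "erp-team"),
    Rule("cde-to-dns",     "10.10.0.0/24",   "10.20.1.53/32", "udp", 53,   "allow", date(2024, 5, 1), "netops"),
    Rule("legacy-telnet",  "10.20.0.0/16",   "10.10.0.0/24",  "tcp", 23,   "allow", date(2022, 1, 9), "unknown"),
    Rule("msp-mgmt",       "203.0.113.0/24", "10.10.0.0/24",  "any", None, "allow", date(2024, 5, 2), "msp-vendor"),
    Rule("default-deny",   "0.0.0.0/0",      "0.0.0.0/0",     "any", None, "deny"),
]


def matches(rule, src, dst, proto, port):
    """True if a packet src -> dst (proto, destination port) falls under the rule."""
    if ip_address(src) not in ip_network(rule.src):
        return False
    if ip_address(dst) not in ip_network(rule.dst):
        return False
    if rule.proto not in ("any", proto):
        return False
    return rule.port is None or rule.port == port


def evaluate(rules, src, dst, proto, port=None):
    """First-match evaluation, the way a stateless ACL is applied. Returns (action, rule name)."""
    for r in rules:
        if matches(r, src, dst, proto, port):
            return r.action, r.name
    return "deny", "implicit-deny"


def review(rules, today, stale_days=90, cde=CDE, third_party=THIRD_PARTY):
    """Flag allow rules that commonly break segmentation. Returns (rule name, finding) tuples."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        into_cde = ip_network(r.dst).overlaps(cde)
        from_third_party = any(ip_network(r.src).overlaps(n) for n in third_party)
        if into_cde and (r.proto == "any" or r.port is None):
            findings.append((r.name, "overly broad access into CDE (any protocol/port)"))
        if r.last_hit is None or (today - r.last_hit).days > stale_days:
            findings.append((r.name, f"stale: no match in {stale_days} days, candidate for removal"))
        if into_cde and from_third_party and ip_network(r.dst).num_addresses > 1:
            findings.append((r.name, "third-party access to the whole CDE subnet instead of named hosts"))
    return findings


def prune_stale(rules, today, stale_days=90):
    """Return the rule set with stale allow rules removed (deny rules are always kept)."""
    return [r for r in rules if r.action == "deny"
            or (r.last_hit is not None and (today - r.last_hit).days <= stale_days)]


if __name__ == "__main__":
    # A segmentation probe from the corporate LAN to a CDE host on telnet succeeds
    # only because of the forgotten legacy rule.
    print(evaluate(RULES, "10.20.7.7", "10.10.0.5", "tcp", 23))
    for name, finding in review(RULES, REVIEW_DATE):
        print(f"{name}: {finding}")
    print(evaluate(prune_stale(RULES, REVIEW_DATE), "10.20.7.7", "10.10.0.5", "tcp", 23))
```

Running the review before the segmentation test gives the same three findings the tester would otherwise report: the stale telnet rule opens a path from the whole corporate LAN into the CDE, and the vendor rule grants any protocol to any CDE host when a named jump host and port would do.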
How to check PCI segmentation?
The technique used in a PCI segmentation check depends on the form of segmentation used to isolate the less secure networks. Most merchants segment with firewalls, and a test of firewall-based segmentation has three elements:
- ICMP scan
- TCP port scanning
- UDP port scanning
Scanning is not required where routing restrictions mean no packets can be delivered to the target segment at all. In that case, evidence such as traceroute output must show that packets from the out-of-scope segment are never routed toward the CDE.
For air-gapped systems, documentation is usually sufficient, although many QSAs will still ask for ICMP, TCP, and UDP scans to verify that there is no hidden connection between the two environments.
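The ICMP, TCP, and UDP elements of the check can be run from a script placed on a host inside each out-of-scope segment. The following is an added example, not code from the article: it performs real TCP connect and UDP probes against a list of CDE addresses and reports anything that answers. The edge case worth noticing is UDP: an ICMP port-unreachable reply ("closed") still proves the packet reached the CDE host, so it is a finding; only silence is consistent with a working filter. ICMP echo needs raw sockets, so the ping sweep shells out to the OS `ping` binary, which is assumed to accept Linux-style `-c`/`-W` flags. The loopback listener in the demonstration stands in for a reachable CDE host; the 10.10.0.x addresses in the commented usage line are constructed.

```python
"""Segmentation probe: sweep CDE addresses from an out-of-scope segment.

Added example, not from the article. Run it on a host inside each out-of-scope
segment against every CDE address; any answer from the CDE is a finding.
"""
import socket
import subprocess


def tcp_probe(host, port, timeout=1.0):
    """True if a TCP handshake completes, i.e. the port is reachable and open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_probe(host, port, timeout=1.0):
    """Best-effort UDP check. Returns "open" (a service replied), "closed" (an ICMP
    port-unreachable came back, surfaced by the OS as a refused connection) or
    "no-response". "closed" still proves the packet reached the host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"\x00", (host, port))
            s.recvfrom(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "no-response"


def icmp_probe(host, timeout=1):
    """Ping sweep via the OS ping binary (assumption: Linux-style ping with -c/-W)."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                            capture_output=True)
    return result.returncode == 0


def segmentation_test(cde_hosts, tcp_ports, udp_ports=(), icmp=False,
                      probe_tcp=tcp_probe, probe_udp=udp_probe, probe_icmp=icmp_probe):
    """Probe each CDE host over ICMP, TCP and UDP. Returns findings as
    (host, protocol, port, state); an empty list means nothing in the CDE answered."""
    findings = []
    for host in cde_hosts:
        if icmp and probe_icmp(host):
            findings.append((host, "icmp", None, "reply"))
        for port in tcp_ports:
            if probe_tcp(host, port):
                findings.append((host, "tcp", port, "open"))
        for port in udp_ports:
            state = probe_udp(host, port)
            if state != "no-response":   # any answer at all proves a path exists
                findings.append((host, "udp", port, state))
    return findings


def local_listener():
    """Open a TCP listener on loopback; it stands in for a reachable CDE host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    print(segmentation_test(["127.0.0.1"], tcp_ports=[port]))
    srv.close()
    # Realistic usage against constructed CDE addresses: full TCP range, common UDP
    # ports, plus a ping sweep. Expect an empty list if segmentation holds.
    # print(segmentation_test(["10.10.0.5", "10.10.0.20"], tcp_ports=range(1, 65536),
    #                         udp_ports=[53, 123, 161], icmp=True))
```

Keep the raw output of each run as evidence for the QSA; an empty findings list from every out-of-scope segment, together with the list of addresses and ports swept, is what demonstrates that segmentation holds.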
How often should a PCI segmentation check be performed?
PCI DSS requires segmentation tests to be repeated after every significant change to the network environment, and in any case:
- at least once a year for merchants
- at least every six months for service providers
Who can do the PCI segmentation test?
An individual or organization that is organizationally independent of the design, maintenance, or management of the target environment can perform segmentation tests; this can be an internal team or an external firm.
The tester must be qualified, with documented experience and expertise.
PCI network segmentation takes time, commitment, and financial investment. It is the best way to reduce your PCI DSS scope and one of the best ways to keep your company safe.
Network segmentation is an excellent way to reduce the cost and time to secure your company’s data. You need to regularly verify that you are correctly segregating and protecting the networks.
For detailed information, see the PCI SSC information supplement: Guidance for PCI DSS Scoping and Network Segmentation.