
PCI DSS Scoping and Segmentation - VistaInfoSec

This presentation explains what PCI DSS scoping and segmentation mean and how segmentation can reduce the number of systems that require PCI DSS controls.

Read the full article here: https://www.vistainfosec.com/blog/pci-dss-scoping-and-segmentation/


Presentation Transcript


  1. PCI DSS SCOPING & SEGMENTATION
  Date: 23.06.2020

  2. Introduction to PCI DSS
  ► Organizations struggle to understand how PCI DSS controls apply to them and to identify which systems need to be secured.
  ► This presentation walks through PCI DSS scoping and compliance for a given business.
  ► It serves as a guide for identifying the systems that must be included "in scope" for PCI DSS.
  ► It also explains how segmentation can reduce the number of systems that require PCI DSS controls.

  3. WHAT IS PCI DSS
  ► The Payment Card Industry Data Security Standard (PCI DSS) is a security standard created in 2004 by five major card brands: Visa, MasterCard, Discover, JCB and American Express.
  ► Governed by the Payment Card Industry Security Standards Council (PCI SSC), the standard is intended to secure credit, debit and prepaid card transactions.
  ► It helps protect cardholders against fraud, data theft and misuse of their personal information.

  4. WHO NEEDS TO BE PCI DSS COMPLIANT?
  ► PCI DSS applies to all entities involved in the card payment process, including merchants, processors, issuers and service providers.
  ► It applies to every entity that stores, processes or transmits cardholder data (CHD) and/or sensitive authentication data (SAD).
  ► PCI DSS compliance starts with defining the scope and identifying the systems that fall "in scope" for the assessment.
  ► Scope cannot be defined according to business priorities or budget; it is determined by where CHD and SAD are stored, processed and transmitted.
  ► PCI DSS requirements may apply to the following:
    - System components
    - Systems within the network
    - Third-party systems
  ► Every PCI DSS requirement applies to the people, processes and technologies that interact with CHD or that directly or indirectly impact its security.

  5. OBJECTIVES OF PCI DSS COMPLIANCE
  The six control objectives of PCI DSS:
  ► Build and Maintain a Secure Network
  ► Protect Cardholder Data
  ► Maintain a Vulnerability Management Program
  ► Implement Strong Access Control Measures
  ► Regularly Monitor and Test Networks
  ► Maintain an Information Security Policy

  6. Understanding PCI DSS Scoping & Segmentation
  ► In December 2016 the PCI Security Standards Council (PCI SSC) released an information supplement, "Guidance for PCI DSS Scoping and Network Segmentation".
  ► The guide helps organizations determine which systems are "in scope" for PCI DSS and shows how segmentation can reduce the number of in-scope systems.
  ► Its objective is to help organizations defend against attacks that first compromise systems with fewer security controls and then use them as a stepping stone to reach the better-protected systems that hold cardholder data.

  7. PCI DSS SCOPING
  ► The activities that bring a system into scope are:
    - Storing cardholder data
    - Processing cardholder data
    - Transmitting cardholder data
    - Being a system, service or vendor that can impact the security of the Cardholder Data Environment (CDE) or of the cardholder data (CHD)
  ► The PCI SSC defines "scope" as the part of your environment that must meet the control objectives stated in the PCI Data Security Standard (DSS).
  ► Any system that stores, processes or transmits payment card data falls within the scope of PCI DSS.

  8. PCI DSS Scope Categories
  IN SCOPE (CDE systems)
  ► Systems that are directly involved in, connected to, or impact the security of cardholder data.
  ► Systems that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD).
  ► Systems that do not store, process or transmit CHD but sit in the same network segment as systems that do.
  CONNECTED-TO OR SECURITY-IMPACTING SYSTEMS (in scope)
  ► Systems that directly or indirectly connect to, or have access to, the CDE (for example a system that reaches the CDE through a jump server).
  ► Systems that impact the configuration or security of the CDE (for example a server providing name resolution (DNS) for the CDE).
  ► Systems that provide security services to the CDE (for example an identification and authentication server such as Active Directory).
  ► Systems that support PCI DSS requirements or provide segmentation between the CDE and out-of-scope systems.
  OUT OF SCOPE
  ► Systems that do not store, process or transmit CHD or SAD.
  ► Systems that are not in the same network segment as systems that store, process or transmit CHD or SAD.
  ► Systems that have no direct or indirect access to any system in the CDE.
  ► Systems that do not directly or indirectly impact the security controls of the CDE.
  ► Systems that do not meet any of the connected-to or security-impacting criteria above.
  A system must satisfy all of the out-of-scope conditions to be excluded; meeting any single in-scope or connected-to criterion brings it into scope.

  9. Network Segmentation
  ► Network segmentation divides a network into smaller sections in order to control the flow of traffic across the network and confine confidential data to a specific segment.
  ► It separates the systems and networks that store, process or transmit cardholder data from the rest of the organization's systems and information.
  ► Network segmentation is not a PCI DSS requirement, but it is a recommended strategy.
  ► It is one method an organization can use to limit the set of systems to which PCI DSS controls must be applied.
  ► Segmentation also lets the organization concentrate the necessary security controls on the networks and systems that need them.

  10. How does Network Segmentation affect PCI Scope?
  ► Under PCI DSS, for a system component to be considered "out of scope" it must be properly isolated (segmented) from the Cardholder Data Environment (CDE).
  ► Segmentation must be designed so that even if the "out-of-scope" component is compromised, it cannot impact the security of the CDE.
  ► The segmentation controls are therefore themselves in scope: PCI DSS requires penetration testing to verify that they are operational and effective at least annually (at least every six months for service providers) and after any change to them.
  ► By reducing the number of "systems in scope", segmentation reduces:
    - the overall cost of compliance;
    - the complexity of the PCI DSS compliance process;
    - the risk that comes with handling highly sensitive data across the environment;
    - the repercussions of a breach, data theft or data misuse.
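  As an added example (not part of the VistaInfoSec presentation), the script below applies the three scope categories from slide 8 and the segmentation rule from slide 10 to an asset inventory. The inventory, segment names, roles and the firewall's permitted flows are constructed sample data; the "indirect access" check is computed as transitive reachability over those flows, which is this example's reading of the jump-server case, and the treatment of a host that can reach a connected-to segment with no onward path into the CDE is an assumption noted in the code.

```python
"""Assign hosts to PCI DSS scope categories from an asset inventory and the
segmentation firewall's permitted flows.

Added example, not code from the VistaInfoSec presentation or the PCI SSC.
All hosts, segments, roles and flows below are constructed sample data.
"""
from collections import defaultdict

CDE, CONNECTED_TO, OUT_OF_SCOPE = "CDE", "CONNECTED_TO", "OUT_OF_SCOPE"

# Constructed inventory: host -> (network segment, handles CHD/SAD?, role)
INVENTORY = {
    "pos-terminal-01": ("cde-vlan", True, "pos"),
    "payment-db-01": ("cde-vlan", True, "database"),
    "report-web-01": ("cde-vlan", False, "intranet web"),  # shares the CDE VLAN
    "jump-01": ("mgmt-vlan", False, "jump server"),
    "admin-ws-07": ("office-vlan", False, "workstation"),
    "dns-01": ("infra-vlan", False, "dns"),
    "ad-dc-01": ("infra-vlan", False, "active directory"),
    "marketing-web": ("dmz-vlan", False, "public web"),
    "guest-ap-01": ("guest-vlan", False, "guest wifi"),
}

# Constructed allow-list of permitted flows (source segment -> destination
# segment). Anything not listed is assumed blocked by the segmentation
# firewall; that assumption is exactly what a segmentation test must confirm.
PERMITTED_FLOWS = {
    ("mgmt-vlan", "cde-vlan"),     # jump host administers the CDE
    ("office-vlan", "mgmt-vlan"),  # admins reach the jump host, not the CDE
    ("cde-vlan", "infra-vlan"),    # CDE uses DNS and AD
    ("dmz-vlan", "infra-vlan"),    # public web also uses DNS
}

# Roles that provide security services to, or control the configuration of,
# the CDE (the DNS and Active Directory examples from the slide).
SECURITY_IMPACTING_ROLES = {"dns", "active directory", "jump server"}


def cde_segments(inventory):
    """Segments containing a system that stores, processes or transmits CHD/SAD."""
    return {seg for seg, handles_chd, _ in inventory.values() if handles_chd}


def segments_with_path_into(targets, flows):
    """Segments with a direct or transitive permitted flow into any target
    segment (the 'indirect access via a jump server' case). The targets
    themselves are excluded from the result."""
    out_edges = defaultdict(set)
    for src, dst in flows:
        out_edges[src].add(dst)
    reaching = set(targets)
    changed = True
    while changed:  # fixpoint: keep adding segments that can step into 'reaching'
        changed = False
        for src, dsts in out_edges.items():
            if src not in reaching and dsts & reaching:
                reaching.add(src)
                changed = True
    return reaching - set(targets)


def classify(host, inventory, flows):
    """Return (category, reason) for one host, most restrictive rule first."""
    segment, handles_chd, role = inventory[host]
    cde = cde_segments(inventory)
    if handles_chd:
        return CDE, "stores, processes or transmits CHD/SAD"
    if segment in cde:
        return CDE, f"same network segment ({segment}) as CHD systems"
    if role in SECURITY_IMPACTING_ROLES:
        return CONNECTED_TO, f"provides security services/configuration ({role})"
    if segment in segments_with_path_into(cde, flows):
        return CONNECTED_TO, "direct or indirect permitted path into the CDE"
    if any(src in cde and dst == segment for src, dst in flows):
        return CONNECTED_TO, "the CDE initiates connections to this segment"
    # Assumption of this example: reaching a connected-to segment that has no
    # onward path into the CDE does not by itself bring the host into scope.
    return OUT_OF_SCOPE, "no CHD, not in a CDE segment, no path to the CDE"


def scope_report(inventory=INVENTORY, flows=PERMITTED_FLOWS):
    """Classify every host in the inventory."""
    return {host: classify(host, inventory, flows) for host in inventory}


if __name__ == "__main__":
    for host, (category, reason) in scope_report().items():
        print(f"{host:16} {category:13} {reason}")
```

  Running the script lists each host with its category and the rule that placed it there: admin-ws-07 lands in scope purely because of the office-to-jump-host flow, and marketing-web stays out only because the DMZ has no path into the CDE. Adding a single ("dmz-vlan", "cde-vlan") flow pulls marketing-web into scope, which is the slide's point in reverse: scope reduction is only as real as the firewall rules that a segmentation penetration test confirms are actually enforced.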

  11. Why is Network Segmentation essential?
  BENEFITS OF NETWORK SEGMENTATION
  ► Ensures the company stores sensitive cardholder data only in specific locations and limits access to the individuals who need it.
  ► Reduces the scope and complexity of card-processing networks and of the data management process.
  ► Reduces the costs associated with the PCI assessment.
  ► Prevents "out-of-scope" systems from overlapping with systems in the Cardholder Data Environment.
  ► Improves data security and reduces the likelihood of a data breach.
  ► Makes it easier to spot anomalies within each distinct network segment.

  12. Conclusion
  ► When scoping for PCI DSS, the best approach is to assume that everything is in scope until verified otherwise.
  ► Determining that a system is "out of scope" does not mean that the system is secure or needs no protection.
  ► A system that is not "in scope" for PCI DSS may still pose a threat to the CDE and to the organization as a whole.
  ► Payment card data is one set of confidential data that must be secured, but companies also have a legal responsibility to protect the other personal data of their clients.
  ► The PCI DSS controls are an appropriate baseline for securing not just payment card data but also the other sensitive and confidential data on an organization's networks and systems.
  ► Applying these security control practices throughout the infrastructure also protects the system components that are deemed "out of scope" under PCI DSS.

  13. Thank You
  Website: https://www.vistainfosec.com/
  Email: info@vistainfosec.com
