{"id":4275,"date":"2016-12-16T11:52:38","date_gmt":"2016-12-16T16:52:38","guid":{"rendered":"http:\/\/3dmerchant.com\/blog\/?p=4275"},"modified":"2021-12-03T03:23:53","modified_gmt":"2021-12-03T08:23:53","slug":"pci-security-standards-council-publishes-supplemental-pci-dss-scoping-guidance","status":"publish","type":"post","link":"https:\/\/3dmerchant.com\/blog\/merchant-processing-security\/pci-compliance-merchant-processing-security\/pci-security-standards-council-publishes-supplemental-pci-dss-scoping-guidance","title":{"rendered":"PCI SECURITY STANDARDS COUNCIL PUBLISHES SUPPLEMENTAL PCI DSS SCOPING GUIDANCE"},"content":{"rendered":"<p>Guidance Clarifies Scoping Principles Outlined in the PCI Data Security Standard \u2014<br \/>\nWAKEFIELD, Mass., 9 December 2016 \u2014 Incorrectly identifying where and how payment data is at risk in an organization\u2019s systems continues to lead to data breaches. Today, the PCI Security Standards Council (PCI SSC) published Guidance for PCI DSS Scoping and Network Segmentation to help businesses address this challenge.<\/p>\n<p>PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.<\/p>\n<blockquote><p>\n\u201cFor years, we have preached the need to simplify and minimize the footprint of cardholder data,\u201d said PCI SSC Chief Technology Officer Troy Leach. 
\u201cOne way to accomplish this is through good segmentation. It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise. As a result, it should also reduce the level of effort to comply with PCI DSS.\u201d<\/p><\/blockquote>\n<p>While segmentation is not a PCI DSS requirement, it is a strongly recommended practice. Segmentation of networks included in or connected to the cardholder data environment is important for organizations as it can limit the exposure of payment data in a system, simplify PCI DSS compliance efforts and reduce the chance of being targeted by a criminal. However, as improper segmentation can put cardholder data at risk, it\u2019s critical that organizations understand and implement segmentation properly.<\/p>\n<p>The guidance was developed with industry input and collaboration in order to address common questions from PCI SSC stakeholders on scoping and segmentation. Christian Janoff, PCI SSC Board of Advisor member and Security Solutions Architect for Cisco, works regularly with merchants using scoping and segmentation products and was a leading contributor to the guidance. \u201cKnowing the scope of your cardholder data environment and properly segmenting to protect it has been a challenge for many organizations. By providing guidance, we hope this will help to simplify the process, making it easier to secure payment card data,\u201d he said. \u201cWe at Cisco are proud to partner with the Council and industry peers to bring additional scoping and segmentation guidance to the industry.\u201d<\/p>\n<p>Guidance for PCI DSS Scoping and Network Segmentation is intended for organizations looking to understand scoping and segmentation principles when applying PCI DSS to their environments. 
It also provides a method for facilitating effective scoping discussions between entities and is useful for:<\/p>\n<ul>\n<li>Merchants, acquirers, issuers, service providers (issuer processors, token service providers, and others) responsible for meeting PCI DSS requirements for their enterprises;<\/li>\n<li>Assessors responsible for performing PCI DSS assessments;<\/li>\n<li>Acquirers evaluating merchants\u2019 or service providers\u2019 PCI DSS compliance documentation;<\/li>\n<li>PCI Forensic Investigators (PFI) responsible for determining PCI DSS scope as part of an investigation.<\/li>\n<\/ul>\n<p>It is important to note that each organization is responsible for making its own scoping decisions and that following this guidance does not guarantee that effective segmentation has been implemented, nor does it guarantee compliance with PCI DSS. The guidance is available on the PCI SSC website. Chief Technology Officer Troy Leach provides additional insights on the topic on the PCI Perspectives blog.<\/p>\n<p><strong>About the PCI Security Standards Council<\/strong><br \/>\nThe PCI Security Standards Council is a global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Guidance Clarifies Scoping Principles Outlined in the PCI Data Security Standard \u2014 WAKEFIELD, Mass., 9 December 2016 \u2014 Incorrectly identifying where and how payment data is at risk in an organization\u2019s systems continues to lead to data breaches. 
Today, the &hellip; <a href=\"https:\/\/3dmerchant.com\/blog\/merchant-processing-security\/pci-compliance-merchant-processing-security\/pci-security-standards-council-publishes-supplemental-pci-dss-scoping-guidance\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[142],"tags":[39],"class_list":["post-4275","post","type-post","status-publish","format-standard","hentry","category-pci-compliance-merchant-processing-security","tag-pci-compliance"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts\/4275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/comments?post=4275"}],"version-history":[{"count":1,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts\/4275\/revisions"}],"predecessor-version":[{"id":4276,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts\/4275\/revisions\/4276"}],"wp:attachment":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/media?parent=4275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/categories?post=4275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/tags?post=4275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}