All companies that store, process, or transmit credit cardholder data (CHD) are required to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). However, there is often confusion as to what exactly is necessary to meet the standard. One area of confusion is what exactly constitutes a risk assessment (Requirement 12.1.2). The PCI Council formed a Special Interest Group (SIG) focused on clarifying that issue. They state that approved risk assessments must follow generally accepted frameworks: NIST, ISO 27005, or OCTAVE. The SIG also concluded that risk assessments:
- Must be simple to understand and perform
- Must be validated through testing
- Must contain measures for continuous improvement
- Must be clear
Interestingly, nowhere in the recommendations is a repeatable process called for, even though that is something QSAs are always looking for. There is also still some confusion as to whether the risk assessment can be confined to the PCI environment or must cover the full corporate environment. SecureState recommends that you stay ahead of the trend and build a repeatable risk framework, not one specific to PCI, but one that works for your entire organization.
Network segmentation is the process of separating networks containing sensitive information from those that do not. There is a common misconception that segmentation is mostly a technology-related problem. Here are three things you must understand about network segmentation:
- Network segmentation is really a business process. Changing the business process and the way you use information will by its nature begin to segment the data.
- Know your data and where it is located. This is a critical component whether you are segmenting for PCI, HIPAA, PHI, or PII.
- In order to properly understand segmentation, you have to understand how your data flows in and out of the network. Data flow diagrams are an excellent start for this process.
Segmentation, although not a requirement of PCI DSS, does make it significantly easier to become PCI compliant, because it reduces overall scope. A flat network essentially brings every system into scope for PCI DSS compliance. For example, many companies take credit cards over the phone. Placing the call systems that process, transmit, or store cardholder data, and the systems that support them, into one or more network segments reduces overall scope and makes managing CHD easier.
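The scope-reduction effect described above can be made concrete with a small scoping script. This is an added illustration, not code from the article or from SecureState: it takes a constructed host inventory, a constructed data-flow entry (the path a card number follows from a phone order to the database), and a set of segment-to-segment firewall allowances, then estimates which hosts are in PCI scope. The scoping rule it assumes is that a host is in scope if it stores, processes or transmits CHD, or has direct network connectivity (in either direction) to a host that does; every host, segment and flow name is made up for the example.

```python
"""Estimate PCI DSS scope from documented cardholder-data flows and
segment-level network rules.

Added illustration; the inventory, segment names and firewall rules are
constructed for the example and do not describe any real environment.
Assumed scoping rule: a host is in scope if it stores, processes or
transmits CHD, or has direct connectivity (either direction) to one that does.
"""

# Constructed inventory: host -> network segment it lives in.
HOSTS = {
    "callcenter-app": "cde",
    "callcenter-db": "cde",
    "ad-dc": "shared",
    "marketing-web": "corp",
    "hr-fileserver": "corp",
}
SEGMENTS = set(HOSTS.values())

# Constructed data-flow diagram entries: each is the ordered list of hosts a
# card number passes through. "phone" is an external origin, not a host.
CHD_FLOWS = [
    ["phone", "callcenter-app", "callcenter-db"],
]

# A flat network: every segment may talk to every other segment.
FLAT_FLOWS = {(a, b) for a in SEGMENTS for b in SEGMENTS if a != b}

# A segmented network: only the shared-services segment (directory, logging)
# exchanges traffic with the CDE; the corporate segment is isolated from it.
SEGMENTED_FLOWS = {("cde", "shared"), ("shared", "cde")}


def chd_hosts(hosts, chd_flows):
    """Hosts that store, process or transmit CHD according to the flow diagram."""
    return {hop for flow in chd_flows for hop in flow if hop in hosts}


def can_connect(hosts, allowed, src, dst):
    """True if src may initiate a connection to dst. Traffic inside a segment is
    assumed unrestricted; cross-segment traffic needs an allowed segment pair."""
    s, d = hosts[src], hosts[dst]
    return s == d or (s, d) in allowed


def pci_scope(hosts, chd_flows, allowed):
    """CHD hosts plus every host with direct connectivity to one of them."""
    core = chd_hosts(hosts, chd_flows)
    connected = {
        h for h in hosts
        if h not in core and any(
            can_connect(hosts, allowed, h, c) or can_connect(hosts, allowed, c, h)
            for c in core
        )
    }
    return core | connected


def out_of_scope(hosts, chd_flows, allowed):
    """Hosts that segmentation has kept outside the assessed environment."""
    return set(hosts) - pci_scope(hosts, chd_flows, allowed)


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        scope = pci_scope(HOSTS, CHD_FLOWS, rules)
        print(f"{label}: {len(scope)}/{len(HOSTS)} hosts in scope -> {sorted(scope)}")
```

With the flat rule set every host is in scope, because every segment can reach the CDE directly; with the segmented rule set only the two call-center hosts and the shared-services domain controller remain, and the corporate hosts drop out. The domain controller staying in scope is the point practitioners most often miss: shared services that the CDE depends on are connected-to systems and must be assessed, so the business decision of what the CDE is allowed to talk to matters as much as the firewall rules that enforce it.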