I'm writing a standard for my company that addresses network segmentation and qualifies as PCI DSS compliant. I...
need qualified resources that reference on this topic; there are plenty of comments and talk on this subject but not much documented practice. Can you point me in the right direction for solid guidance on enterprise network segmentation?
PCI network segmentation is a common approach to reducing the scope (and therefore the complexity) of card-processing networks. It follows the commonly used strategy of minimization: Store as little sensitive data in as few locations as possible and allow access to those who absolutely need it.
When it comes to PCI DSS compliance, organizations commonly use network segmentation to wall off payment systems' credit card processing from the rest of their network, therefore placing the rest of that network outside the scope of the assessment. For example, consider a retail store that has a point-of-sale (PoS) network that handles credit card systems, as well as a back-office network consisting of 20 productivity workstations. The store can limit the scope of an assessment for PCI by using a firewall to place the card-processing systems on a network that is completely isolated from the productivity workstations.
In this case, where a firewall is separating two networks with different switch fabrics, you've clearly achieved isolation. Other situations are a little more gray. For example, some assessors may consider the use of VLAN separation adequate for PCI DSS segmentation, but many (myself included) do not consider this adequate due to the fact that a single switch port misconfiguration could defeat the segmentation.
As far as documentation, page 5 of the PCI DSS Requirements and Security Assessment Procedures is the authoritative reference on the topic. Like most standards, it provides a high-level goal while still offering flexibility in implementation.The relevant section reads: "At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented."
- Read more about network segmentation and PCI compliance.
- Is your company using a QSA to write up a PCI report on compliance? Learn more about the process.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. ...continue reading
Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you...continue reading
The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.