COMPLIANCE COUNSELOR

Network isolation as a PCI Data Security Standard compliance strategy


Mike Chapple
04.04.2007


The Payment Card Industry (PCI) Data Security Standard requires that merchants and service providers who store, process or transmit credit and/or debit card data comply with a set of 12 requirements designed to safeguard this highly sensitive information. Most security professionals agree that these requirements -- often referred to colloquially as the "dirty dozen" -- represent current information security best practices, and offer a reasonable set of controls for dealing with extremely sensitive data.

While they may be appropriate for protecting credit card information, the PCI Data Security Standard requirements are probably too rigorous and costly to be applicable to the bulk of the data your enterprise handles on a daily basis. For example, consider the case of a large college or university network that grants broad public access to large portions of the network. In all likelihood, only a minuscule fraction of the thousands of systems on the network are involved in card-processing activities, so it would simply be impractical to implement all 12 PCI Data Security Standard requirements across the entire network.

Early versions of the standard seemed to require exactly that -- the broad implementation of these controls throughout the enterprise. With the release of PCI DSS version 1.1, the PCI Security Standards Council issued a clarification on this matter:

"The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment."

These two sentences came as a great relief for organizations that handle payment card information as a small part of their business. At the same time, they raise more questions for those seeking to implement an isolation strategy. What constitutes "adequate network segmentation"?

A number of merchants are choosing to comply with the PCI Data Security Standard through a network isolation strategy. Their goal is to implement a completely isolated "network within a network" that houses all systems involved in payment card processing. The only connection to the enterprise network is on the outside interface of a firewall, as shown in the illustration above.

This link is as rigidly protected as one would protect the organization's connection to the Internet. Therefore, the card-processing network treats the rest of the enterprise network as nothing more than an ISP. Any transmission of cardholder data or administrative control that crosses the enterprise network must be encrypted, just as it would be across the Internet.

The challenge with a conservative approach such as this lies in providing routine services such as DNS/directory services, time synchronization, intrusion detection, backup and file integrity monitoring to systems within the cardholder data environment. The "ISP model" requires that dedicated systems provide these services to the environment, while still complying with the "one primary function per server" rule stated in section 2.2.1 of PCI DSS. These costs can mount quickly though, considering all of the ancillary services necessary to support a stand-alone network.
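One way to check whether a segmentation design actually behaves like the "ISP model" described above is to audit observed traffic against the policy it implies: nothing crosses the firewall link except encrypted channels to approved endpoints, and the cardholder data environment (CDE) does not lean on enterprise services such as DNS. The script below is an added example, not code from the article or its author; the addressing, the allowed ports, the jump host, the payment gateway range and the flow records are all constructed assumptions.

```python
"""Audit constructed flow records against an 'ISP model' CDE segmentation policy:
the card-processing network reaches the enterprise only through one firewall,
and anything crossing that link must be encrypted and go to an approved endpoint."""
import re
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the article).
CDE_NET = ip_network("10.200.0.0/24")           # isolated "network within a network"
ADMIN_JUMP_HOST = ip_address("10.10.5.10")      # the only enterprise host allowed in
PAYMENT_GATEWAY = ip_network("203.0.113.0/24")  # acquirer's gateway (documentation range)
ENCRYPTED_PORTS = {22, 443}                     # SSH and TLS; anything else is cleartext

FLOW_RE = re.compile(r"(\S+) (\S+) -> (\S+) (tcp|udp)/(\d+)")

def parse_flow(line: str) -> dict:
    """Parse one 'TIME SRC -> DST PROTO/PORT' record into a dict."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts, src, dst, proto, port = m.groups()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "dport": int(port)}

def evaluate(flow: dict) -> str:
    """Return an 'ok: ...' or 'VIOLATION: ...' verdict for a single flow."""
    src_in, dst_in = flow["src"] in CDE_NET, flow["dst"] in CDE_NET
    if src_in == dst_in:
        return "ok: does not cross the CDE boundary"
    encrypted = flow["dport"] in ENCRYPTED_PORTS
    if not src_in:  # enterprise -> CDE: only the jump host, only encrypted
        if flow["src"] == ADMIN_JUMP_HOST and encrypted:
            return "ok: encrypted admin access"
        return "VIOLATION: inbound from enterprise network"
    # CDE -> outside: the enterprise is just an ISP on the way to the gateway
    if flow["dst"] in PAYMENT_GATEWAY and encrypted:
        return "ok: encrypted to payment gateway"
    return "VIOLATION: cleartext or unapproved destination from CDE"

def audit(lines) -> list:
    """Return only the violating records, as (record, reason) pairs."""
    return [(ln, v) for ln in lines
            if (v := evaluate(parse_flow(ln))).startswith("VIOLATION")]

# Constructed sample records. The DNS query to the enterprise resolver shows the
# CDE still depending on a service the ISP model says it must host itself.
SAMPLE_FLOWS = [
    "2007-04-04T10:00:01 10.200.0.5 -> 203.0.113.20 tcp/443",  # ok: to gateway
    "2007-04-04T10:00:02 10.10.5.10 -> 10.200.0.5 tcp/22",     # ok: admin over SSH
    "2007-04-04T10:00:03 10.200.0.5 -> 10.10.3.53 udp/53",     # violation: enterprise DNS
    "2007-04-04T10:00:04 10.10.7.8 -> 10.200.0.9 tcp/445",     # violation: inbound SMB
    "2007-04-04T10:00:05 10.200.0.5 -> 10.200.0.53 udp/53",    # ok: CDE-internal DNS
]
```

Running `audit(SAMPLE_FLOWS)` flags the two crossing flows, which is exactly the kind of evidence an assessor wants when judging whether segmentation is adequate.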

In addition to minimizing the scope of the systems in your cardholder data environment, the ISP model may also allow you to completely eliminate sections of the PCI Data Security Standard from your compliance program. For example, many organizations may have no need for wireless networking within the cardholder environment. If you simply don't connect your existing wireless network to the isolated card processing network, you may be able to avoid the burdens of PCI DSS sections 1.3.8, 2.1.1, 4.1.1, 9.1.3 and 10.5.4.

The decision whether to implement this approach depends upon your organizational risk tolerance. If you have a large network or other compliance challenges, the costs of implementing an isolated stand-alone network may pale in comparison to bringing your entire network into PCI Data Security Standard compliance. Even where the costs are significant, the approach provides the peace of mind inherent in knowing that payment card data is firmly isolated, minimizing the risk of seeing your organization's name in the news headlines as the next high-profile security breach.

About the author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
