Network isolation as a PCI Data Security Standard compliance strategy


Mike Chapple
04.04.2007


The Payment Card Industry (PCI) Data Security Standard requires that merchants and service providers who store, process or transmit credit and/or debit card data comply with a set of 12 requirements designed to safeguard this highly sensitive information. Most security professionals agree that these requirements -- often referred to colloquially as the "dirty dozen" -- represent current information security best practices, and offer a reasonable set of controls for dealing with extremely sensitive data.

While they may be appropriate for protecting credit card information, the PCI Data Security Standard requirements are probably too rigorous and costly to apply to the bulk of the data your enterprise handles on a daily basis. For example, consider a large college or university network that grants broad public access to large portions of the network. In all likelihood, only a minuscule fraction of the thousands of systems on the network are involved in card-processing activities, so it would simply be impractical to implement all 12 PCI Data Security Standard requirements across the entire network.

Early versions of the standard seemed to require exactly that -- the broad implementation of these controls throughout the enterprise. With the release of PCI DSS version 1.1, the PCI Security Standards Council issued a clarification on this matter:

"The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment."

These two sentences came as a great relief for organizations that handle payment card information as a small part of their business. At the same time, they raise more questions for those seeking to implement an isolation strategy: what constitutes "adequate network segmentation"?

[Illustration: the isolated card-processing network, connected to the enterprise network only through the outside interface of a firewall]

A number of merchants are choosing to comply with the PCI Data Security Standard through a network isolation strategy. Their goal is to implement a completely isolated "network within a network" that houses all systems involved in payment card processing. The only connection to the enterprise network is on the outside interface of a firewall, as shown in the illustration above.

This link is as rigidly protected as one would protect the organization's connection to the Internet. Therefore, the card-processing network treats the rest of the enterprise network as nothing more than an ISP. Any transmission of cardholder data or administrative control that crosses the enterprise network must be encrypted, just as it would be across the Internet.

The challenge with a conservative approach such as this lies in providing routine services such as DNS/directory services, time synchronization, intrusion detection, backup and file integrity monitoring to systems within the cardholder data environment. The "ISP model" requires that dedicated systems provide these services to the environment, while still complying with the "one primary function per server" rule stated in section 2.2.1 of PCI DSS. These costs can mount quickly, though, given all of the ancillary services needed to support a stand-alone network.

In addition to minimizing the number of systems in your cardholder data environment, the ISP model may also allow you to eliminate entire sections of the PCI Data Security Standard from your compliance program. For example, many organizations have no need for wireless networking within the cardholder environment. If you simply don't connect your existing wireless network to the isolated card-processing network, you may be able to avoid the burdens of PCI DSS sections 1.3.8, 2.1.1, 4.1.1, 9.1.3 and 10.5.4.
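The ISP model described above reduces to a small set of checkable rules on the boundary firewall: traffic crossing between the enterprise network and the card-processing network is allowed only over encrypted services, rules are as narrow as Internet-facing rules would be, the wireless segment never reaches the card-processing network, and the ruleset ends in a default deny. The following audit script is an added example, not code from the article; the networks, port lists and ruleset are constructed assumptions.

```python
import ipaddress

# Constructed example networks (assumptions, not from the article): the isolated
# card-processing network and the campus wireless segment kept out of scope.
CDE_NET = ipaddress.ip_network("10.50.0.0/24")        # cardholder data environment
WIRELESS_NET = ipaddress.ip_network("10.99.0.0/16")   # wireless, must never reach the CDE

# Under the ISP model only encrypted services may cross the enterprise network;
# cleartext admin/data protocols are treated as they would be on the Internet.
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 636: "ldaps"}
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 389: "ldap", 1433: "mssql"}

def audit_rule(rule):
    """Findings for one rule on the CDE boundary firewall; [] means acceptable.

    rule: {"action": "allow"|"deny", "src": CIDR, "dst": CIDR, "port": int}
    """
    src, dst = ipaddress.ip_network(rule["src"]), ipaddress.ip_network(rule["dst"])
    crosses = src.subnet_of(CDE_NET) != dst.subnet_of(CDE_NET)
    if rule["action"] != "allow" or not crosses:
        return []              # denies and intra-CDE traffic need no further checks
    findings, port = [], rule["port"]
    if port in CLEARTEXT_PORTS:
        findings.append(f"cleartext {CLEARTEXT_PORTS[port]} crosses the CDE boundary")
    elif port not in ENCRYPTED_PORTS:
        findings.append(f"port {port} is not on the approved encrypted-service list")
    if src.subnet_of(WIRELESS_NET):
        findings.append("wireless segment is connected to the CDE (brings wireless into scope)")
    elif not src.subnet_of(CDE_NET) and src.prefixlen < 24:
        findings.append(f"source {src} is broader than a /24 (Internet-style rules should be narrow)")
    return findings

def audit_policy(rules):
    """Audit a whole ruleset; also require an explicit default-deny as the last rule."""
    report = {i: f for i, r in enumerate(rules) if (f := audit_rule(r))}
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and last["src"] == "0.0.0.0/0" and last["dst"] == "0.0.0.0/0"):
        report["policy"] = ["ruleset does not end with a default-deny rule"]
    return report

SAMPLE_RULES = [  # constructed ruleset for the firewall between enterprise and CDE
    {"action": "allow", "src": "10.20.5.0/24", "dst": "10.50.0.10/32", "port": 22},
    {"action": "allow", "src": "10.20.5.0/24", "dst": "10.50.0.10/32", "port": 23},
    {"action": "allow", "src": "10.50.0.0/24", "dst": "10.20.7.5/32", "port": 636},
    {"action": "allow", "src": "10.0.0.0/8", "dst": "10.50.0.20/32", "port": 443},
    {"action": "allow", "src": "10.99.3.0/24", "dst": "10.50.0.20/32", "port": 443},
    {"action": "allow", "src": "10.50.0.0/24", "dst": "10.50.0.30/32", "port": 1433},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": 0},
]
```

Running `audit_policy(SAMPLE_RULES)` flags the telnet rule, the enterprise-wide /8 source and the wireless source, while the intra-CDE database rule and the encrypted SSH and LDAPS rules pass.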

The decision whether to implement this approach depends upon your organization's risk tolerance. If you have a large network or other compliance challenges, the cost of implementing an isolated stand-alone network may pale in comparison to the cost of bringing your entire network into PCI Data Security Standard compliance. An isolated network also provides the peace of mind that comes from knowing payment card data is firmly contained, minimizing the risk of seeing your organization's name in the news headlines as the next high-profile security breach.

About the author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
