
Network isolation as a PCI Data Security Standard compliance strategy

The Payment Card Industry (PCI) Data Security Standard requires that merchants and service providers who store, process or transmit credit or debit card data comply with a set of 12 requirements designed to safeguard this highly sensitive information. Most security professionals agree that these requirements, often referred to colloquially as the "dirty dozen," represent current information security best practices and offer a reasonable set of controls for dealing with extremely sensitive data.

While they are appropriate for protecting credit card information, the PCI Data Security Standard requirements are probably too rigorous and costly to apply to the bulk of the data your enterprise handles on a daily basis. Consider, for example, a large college or university network that grants broad public access to large portions of the network. In all likelihood, only a minuscule fraction of the thousands of systems on that network are involved in card-processing activities, so it would simply be impractical to implement all 12 PCI Data Security Standard requirements across the entire network.

Early versions of the standard seemed to require exactly that -- the broad implementation of these controls throughout the enterprise. With the release of PCI DSS version 1.1, the PCI Security Standards Council issued a clarification on this matter:

"The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment."

These two sentences came as a great relief to organizations that handle payment card information as a small part of their business. At the same time, they raise a harder question for anyone seeking to implement an isolation strategy: what constitutes "adequate network segmentation"?

A number of merchants are choosing to comply with the PCI Data Security Standard through a network isolation strategy. Their goal is to implement a completely isolated "network within a network" that houses all systems involved in payment card processing. The only connection to the enterprise network is on the outside interface of a firewall, as shown in the illustration above.

This link is protected as rigidly as the organization's connection to the Internet. The card-processing network therefore treats the rest of the enterprise network as nothing more than an ISP: any cardholder data or administrative traffic that crosses the enterprise network must be encrypted, just as it would be across the Internet.

The challenge with a conservative approach such as this lies in providing routine services such as DNS and directory services, time synchronization, intrusion detection, backup and file integrity monitoring to systems within the cardholder data environment. Any such service that the card-processing network consumes from the enterprise side pulls the server providing it back into scope, so the "ISP model" requires dedicated systems inside the environment to provide these services, while still complying with the "one primary function per server" rule stated in section 2.2.1 of PCI DSS. These costs mount quickly once all of the ancillary services necessary to support a stand-alone network are counted.
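The following is an added example, not code from the original article: a small Python audit of a proposed permit list for the CDE boundary firewall, applying the "ISP model" rules above. It flags rules that let cleartext cross the boundary, rules that make the CDE depend on an ancillary service (DNS, NTP, LDAP, syslog) hosted on the enterprise side, and administrative access from anything broader than the approved jump host. The address plan, the admin host and the rule list are constructed for the example; port-based classification of "encrypted" is an approximation of what a reviewer would verify on the wire.

```python
"""Audit a proposed CDE boundary permit list against the 'ISP model':
the enterprise network is untrusted, only encrypted traffic may cross the
boundary, and routine services must be served from inside the CDE.
All addresses and rules below are constructed for this example."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed address plan (constructed): the isolated card-processing network
# and the single jump host permitted to administer it.
CDE = ipaddress.ip_network("10.200.0.0/24")
ADMIN_HOSTS = {ipaddress.ip_address("10.10.5.17")}

# Ports carrying an encrypted protocol end to end (ssh, https, IKE/IPsec,
# ldaps, syslog over TLS). Classifying by port is an approximation.
ENCRYPTED_PORTS = {22, 443, 500, 636, 4500, 6514}

# Routine services the article says must be provided from inside the CDE;
# consuming them from the enterprise side pulls that server into scope.
ANCILLARY_SERVICES = {53: "dns", 123: "ntp", 389: "ldap", 514: "syslog"}


@dataclass(frozen=True)
class Rule:
    """One permit entry on the boundary firewall (default policy is deny)."""
    src: str            # CIDR or single address
    dst: str
    dport: int
    proto: str = "tcp"


def _in_cde(cidr: str) -> bool:
    return ipaddress.ip_network(cidr, strict=False).subnet_of(CDE)


def _admin_only(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses == 1 and net.network_address in ADMIN_HOSTS


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per rule that violates the ISP model."""
    findings: list[str] = []
    for r in rules:
        src_in, dst_in = _in_cde(r.src), _in_cde(r.dst)
        if src_in and dst_in:
            continue  # intra-CDE traffic never crosses the boundary
        if not src_in and not dst_in:
            findings.append(f"{r}: neither end is in the CDE; does not belong here")
        elif src_in and r.dport in ANCILLARY_SERVICES:
            svc = ANCILLARY_SERVICES[r.dport]
            findings.append(f"{r}: CDE depends on enterprise {svc}; host it inside the CDE")
        elif r.dport not in ENCRYPTED_PORTS:
            findings.append(f"{r}: cleartext port {r.dport} crosses the boundary; encrypt or block")
        elif dst_in and r.dport == 22 and not _admin_only(r.src):
            findings.append(f"{r}: admin access from {r.src} exceeds the approved jump host")
    return findings


# Constructed permit list a merchant might propose for the boundary firewall.
PROPOSED_RULES = [
    Rule("10.10.5.17", "10.200.0.0/24", 22),          # ssh from the jump host: ok
    Rule("10.200.0.10", "10.0.3.4", 443),             # POS app to enterprise HTTPS API: ok
    Rule("10.200.0.0/24", "10.0.0.53", 53, "udp"),    # enterprise DNS resolver: scope finding
    Rule("10.200.0.0/24", "10.0.0.123", 123, "udp"),  # enterprise NTP: scope finding
    Rule("10.0.0.0/8", "10.200.0.0/24", 22),          # ssh from the whole enterprise: finding
    Rule("10.200.0.20", "10.0.9.9", 514, "udp"),      # cleartext syslog out: scope finding
    Rule("10.200.0.10", "10.200.0.53", 53, "udp"),    # DNS served inside the CDE: ok
]

if __name__ == "__main__":
    for finding in audit(PROPOSED_RULES):
        print(finding)
```

Run against the constructed list, the audit reports four findings (the two enterprise-hosted resolvers, the enterprise-wide SSH source and the outbound cleartext syslog) and accepts the jump-host SSH, the HTTPS call and the in-CDE DNS rule. Pointing the audit at a rule export of the real boundary firewall is the quickest way to see which enterprise systems are quietly being pulled into scope.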

In addition to minimizing the scope of the systems in your cardholder data environment, the ISP model also may allow you to completely eliminate sections of the PCI Data Security Standard from your compliance program. For example, many organizations may have no need for wireless networking within the cardholder environment. If you simply don't connect your existing wireless network to the isolated card processing network, you may be able to avoid the burdens of PCI DSS sections 1.3.8, 2.1.1, 4.1.1, 9.1.3 and 10.5.4.

The decision whether to implement this approach depends upon your organization's risk tolerance. If you have a large network or other compliance challenges, the cost of building an isolated stand-alone network may pale in comparison to bringing your entire network into PCI Data Security Standard compliance. The isolated network has real costs of its own, but it also provides the peace of mind of knowing that payment card data is firmly isolated, minimizing the risk of seeing your organization's name in the headlines as the next high-profile security breach.

About the author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was first published in April 2007
