PCI DSS New Guidance on Scoping and Network Segmentation

28. April 2017

by Viktor Ahrens and Dennis Yang.
“The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.” – PCI SSC

In December 2016, the PCI SSC (Payment Card Industry Security Standards Council) released a new Scoping Guidance to provide clarifications and support on network scoping and network segmentation. The guidance specifically offers assistance with defining different system types, scoping, and reducing common attack types which in the past have resulted in compromise of CHD (cardholder data).
Scoping is a difficult task that is a central part of all compliance efforts. It is therefore crucial to have a good understanding of one’s own scope. The guidance contains explanations on terminology you frequently encounter in this context: CDE Systems (Cardholder Data Environment), Connected-to and Security-Impacting Systems as well as Out-of-scope Systems, which we have summarised for you below.
CDE Systems are:
• all systems that store, process, or transmit CHD and
• all systems that are located in the same network segment.
Connected-to und Security-Impacting Systems are systems that:
• are located in other networks and are connected to or have access to the CDE
• are connected to or have access to the CDE via other systems (e.g., jump servers)
• have an impact on the configuration or the security of the CDE
• provide services for securing the CDE (e.g., firewalls)
• provide services for satisfying PCI DSS requirements (e.g., log servers)
• are used for segmenting the CDE from other networks (e.g., switches)
Out-of-scope Systems are systems that:
• do not store, process, or transmit CHD
• are not located in the same network as the CDE
• are not connected to or have access to systems of the CDE
• have access to neither the CDE nor other In-Scope Systems and do not have any impact on the security of the CDE
• do not meet any of the listed criteria for Connected-to and Security-Impacting Systems
According to the Guidance, a merchant or service provider is responsible for correctly identifying its respective PCI DSS scope itself. Professional support provided by a PCI auditor can be very helpful with this task. You should in any case keep the following guiding principle in mind:
Everything is in scope until proven otherwise.
It is therefore recommended that merchants and service providers verify their scope at least once every year (e.g., before a PCI DSS Audit) and retain records of all systems that store, process, or transmit CHD. You should additionally document how the scope was verified.
Network segmentation can be a potent tool for this purpose, even though it is not a specific requirement of the PCI DSS. If implemented correctly, it can reduce
• costs of the PCI DSS certification
• costs and effort required for implementing and maintaining PCI DSS controls
• risks of compromise.
Our experience shows that in many scenarios where network segmentation was lacking, compliance was a very elaborate and costly affair or could not be achieved at all.
The recommendation to validate and document the scope at least once every year is one of the most important pieces of information to be taken from the Guidance. In this context, you should place special focus on shared services and admin workstations, since the latter could fall into scope despite use of a jump host.
Should you have any further questions or require assistance with your scope definition, please contact us. Our specialists are happy to help.
+49 6102 8631-190
About the PCI Expert Tips:
With our PCI Expert Tips we would like to keep you informed about changes to the PCI Security Standards and provide you with first explanations as to what the changes entail and how they may affect you. Please take our articles always as a general reference – they do not replace individual case-by-case evaluations.

Also interesting: