Best Practices to Minimise PCI DSS Exposure

“How can we reduce the PCI DSS scope?” is a question I get in most of the consulting / auditing engagements. Some of them were looking for network segmentation and others were looking for segmentation of the software components.

Here are some thoughts on segmentation as a method to reduce the PCI DSS scope.

Network Segmentation

Network Segmentation for PCI Scope reduction can be achieved if the PCI assets or the Cardholder Data Environment (CDE) are physically or logically segregated from non-PCI assets.

To segregate physically, one can build separate isolated networks which ensures that there is no logical connection between the CDE and non-CDE environments. However, this may not be a practical solution for large organizations. This leads to the implementation of Logical Network Segmentation to address the PCI scope reduction.

The existing network can be segregated using firewalls and virtual LANs (VLANs). Mere creation of a VLAN is not enough segmentation for scope reduction. Instead, you will have to use access control lists (ACLs) to enforce the access restrictions between the CDE and non-CDE systems.

For example, if you have 2 VLANs, one for CDE and another for non-CDE systems, then the following are expected:

  • An access list with limited access between these two VLANs
  • No access to the cardholder data from the non-CDE to the CDE
  • No “allow all” or “permit any any” between the VLANs. (Yes, you cannot have all the 65535 ports open from non-CDE to CDE systems. If so, we see it as a cable.)
  • Allow only the required network ports between the networks. Document the business justification for keeping these ports open. Monitor the access to these ports.

I have read somewhere that an acceptable segmentation should have three types of controls: preventive, detective and corrective controls.

  • Preventive controls are the VLAN segmentation, firewall rules, ACLs etc. and the periodic review of the ACLs / firewall rule base.
  • Detective controls are the monitoring part of the implementation. Monitor the traffic between the CDE and non-CDE. Review the firewall logs, VLAN access logs etc.
  • Corrective controls are the actions performed as a result of what the preventive and detective controls find.

Let us take an example.

VLAN1 ( is the CDE with 5 applications and DBs. VLAN2 ( is the non-CDE network.

Sample Preventive controls

Allow > port 443

Deny any any

A quarterly / half-yearly firewall rule base review is another preventive control you need to practice to keep the ACL / rule base effective.

Sample Detective Controls

Review of the firewall logs and ACL logs daily, either in real time or after the fact.

Integrating the logs with a SIEM solution for recording and correlation.

Sample Corrective Controls

Based on the periodic firewall rule base review and the daily log reviews, make changes to the preventive and detective controls.
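The ACL expectations listed earlier (limited access, no “permit any any”, only documented ports) and the preventive / detective controls in this example can both be checked mechanically. The script below is an added illustration, not code from the original post: it reviews a rule base for the non-CDE to CDE direction (preventive control) and reviews firewall log lines for accepted flows on ports that are not on the approved list (detective control). The VLAN address ranges, the approved-port list, the change ticket reference and the log lines are all constructed assumptions, since the post does not give them.

```python
"""Rule-base review and log review for a CDE / non-CDE VLAN boundary (illustrative, assumed values)."""
from dataclasses import dataclass
import ipaddress
import re

# Assumed addressing: the post does not state the VLAN ranges.
CDE_NET = ipaddress.ip_network("10.10.1.0/24")      # VLAN1, the CDE (assumption)
NON_CDE_NET = ipaddress.ip_network("10.10.2.0/24")  # VLAN2, non-CDE (assumption)

# Management-approved ports with their documented business justification (hypothetical).
APPROVED_PORTS = {443: "HTTPS to the payment web front end (approval ref: PLACEHOLDER)"}


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR network or "any"
    dst: str     # CIDR network or "any"
    port: str    # destination port number or "any"


def _touches(net_str, target):
    """True if a rule's src/dst field covers any address in the target network."""
    return net_str == "any" or ipaddress.ip_network(net_str).overlaps(target)


def review_rule_base(rules):
    """Preventive control: list defects in the non-CDE -> CDE rules as (index, message)."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        if not (_touches(r.src, NON_CDE_NET) and _touches(r.dst, CDE_NET)):
            continue
        if r.port == "any":
            findings.append((i, "permits every port from non-CDE to CDE; this is a cable, not segmentation"))
        elif int(r.port) not in APPROVED_PORTS:
            findings.append((i, f"port {r.port} open from non-CDE to CDE without documented justification"))
    if not rules or rules[-1] != Rule("deny", "any", "any", "any"):
        findings.append((len(rules), "rule base does not end with an explicit deny any any"))
    return findings


# Constructed log lines in a simple key=value format; real firewalls differ.
LOG_RE = re.compile(r"^(\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)$")


def review_logs(lines):
    """Detective control: return (accepted flows on unapproved ports, drop count per source)."""
    unapproved = []
    drops = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real review would count these too
        ts, action, src, dst, _proto, dport = m.groups()
        if not (ipaddress.ip_address(src) in NON_CDE_NET and ipaddress.ip_address(dst) in CDE_NET):
            continue  # only the non-CDE -> CDE direction is in scope here
        if action == "ACCEPT" and int(dport) not in APPROVED_PORTS:
            unapproved.append((ts, src, dst, int(dport)))
        elif action == "DROP":
            drops[src] = drops.get(src, 0) + 1
    return unapproved, drops


SAMPLE_RULES = [
    Rule("permit", "10.10.2.0/24", "10.10.1.0/24", "443"),   # documented
    Rule("permit", "10.10.2.0/24", "10.10.1.0/24", "3306"),  # no justification on file
    Rule("permit", "any", "any", "any"),                     # the "cable"
    Rule("deny", "any", "any", "any"),
]

SAMPLE_LOGS = [
    "2024-01-15T10:00:01 ACCEPT src=10.10.2.15 dst=10.10.1.5 proto=tcp dport=443",
    "2024-01-15T10:00:02 ACCEPT src=10.10.2.15 dst=10.10.1.5 proto=tcp dport=3306",
    "2024-01-15T10:00:03 DROP src=10.10.2.40 dst=10.10.1.5 proto=tcp dport=22",
    "2024-01-15T10:00:04 ACCEPT src=10.10.1.5 dst=10.10.2.15 proto=tcp dport=443",
]

if __name__ == "__main__":
    for idx, msg in review_rule_base(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
    flows, drop_counts = review_logs(SAMPLE_LOGS)
    for f in flows:
        print("accepted on unapproved port:", f)
    print("drops per non-CDE source:", drop_counts)
```

The two review functions feed the corrective control: each rule-base finding is either justified and documented (added to the approved list with its approval reference) or removed, and each accepted flow on an unapproved port is traced back to the rule that allowed it.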

Once you decide on the controls to be implemented, the next important step is to document the controls and how they are implemented to segment the CDE from the rest of the network. Two key components of the documentation are (1) management approval for the open ports and (2) a risk assessment of the open ports.

Hope this gives you a fair understanding of network segmentation as a method to reduce the PCI scope.