Segmentation is not a requirement to meet PCI compliance. However, it is strongly recommended by the PCI Council as it can greatly reduce the cost, scope, and difficulty of meeting compliance. In this blog, we will explore these reasons a bit further and explain the importance of PCI segmentation.
What is Segmentation?
Segmentation, from a PCI perspective, is the process of isolating your systems that store, process, and/or transmit cardholder data from those that do not. For example, your marketing department does not need to access cash registers at a store, and therefore they should not be on the same network. This way, if someone in marketing clicks on a link they shouldn’t and an attacker gains access to that machine, they still are separated from the credit card data of your customers.
Segmentation can be completed in a myriad of ways. You can have physically isolated networks, and I have seen this work very well for customers in the past. However, if you do not want to run wires through your building again, you can logically separate networks using VLANs, stateful-inspection firewalls, strong access control lists on routers and switches, or even a combination of all three. The main PCI requirement that segmentation helps address is that every connection into and out of your cardholder data environment (CDE) must be documented, and there must be a business justification for it. All other traffic must be explicitly denied. Here is our guide on how segmentation is evaluated.
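The "document every connection, deny everything else" principle is easy to state and hard to keep honest across hundreds of rules, so a small audit script over a connection inventory is a useful check during scoping. The following is an added example written for this post, not the author's own tooling or any PCI Council material; the rule format, the CDE address range, and the sample inventory are all constructed for illustration. It flags allow rules that lack a business justification, allow rules that are overly broad (any-network, any-protocol or any-port), malformed CIDRs, and an inventory that does not end in an explicit deny-all.

```python
"""Audit a CDE connection inventory against the segmentation principle:
every allowed connection is documented with a business justification, and
everything else is explicitly denied.  Added example; the rule schema and the
sample inventory below are constructed, not taken from any real environment."""
from dataclasses import dataclass
import ipaddress

ANY_NET = "0.0.0.0/0"


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "inbound" (into the CDE) or "outbound" (out of it)
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    port: str                # destination port, or "any"
    justification: str = ""  # business justification; required for every allow


def is_default_deny(rule):
    """True for an explicit deny-all rule (the expected last entry)."""
    return (rule.action == "deny" and rule.src == ANY_NET and rule.dst == ANY_NET
            and rule.proto == "any" and rule.port == "any")


def is_overly_broad(rule):
    """An allow that opens any network, any protocol or any port is not a
    'specific, justified connection' and needs to be narrowed."""
    return ANY_NET in (rule.src, rule.dst) or rule.proto == "any" or rule.port == "any"


def audit(rules):
    """Return a list of (rule_number, finding) tuples; empty means clean."""
    findings = []
    for number, rule in enumerate(rules, start=1):
        for cidr in (rule.src, rule.dst):
            try:
                ipaddress.ip_network(cidr)
            except ValueError:
                findings.append((number, "invalid-cidr"))
        if rule.action != "allow":
            continue
        if not rule.justification.strip():
            findings.append((number, "undocumented"))
        if is_overly_broad(rule):
            findings.append((number, "overly-broad"))
    if not rules or not is_default_deny(rules[-1]):
        findings.append((None, "missing-default-deny"))
    return findings


def render_acl(rules):
    """Render the inventory as ACL-style text with the justification kept as a
    comment next to each rule, so the documentation travels with the config."""
    lines = []
    for number, rule in enumerate(rules, start=1):
        note = rule.justification or "NO JUSTIFICATION RECORDED"
        lines.append(f"# rule {number} ({rule.direction}): {note}")
        lines.append(f"{rule.action} {rule.proto} from {rule.src} to {rule.dst} port {rule.port}")
    return "\n".join(lines)


# Constructed sample inventory: 10.10.0.0/24 is the POS VLAN, 10.20.5.10 a
# hardened admin jump host, 10.30.0.0/24 the marketing network, and
# 203.0.113.10 stands in for the payment processor.
SAMPLE_RULES = [
    Rule("allow", "inbound", "10.20.5.10/32", "10.10.0.0/24", "tcp", "22",
         "POS administration from the hardened jump host only"),
    Rule("allow", "outbound", "10.10.0.0/24", "203.0.113.10/32", "tcp", "443",
         "Card authorization traffic to the payment processor"),
    Rule("allow", "outbound", "10.10.0.0/24", ANY_NET, "tcp", "80"),           # cashier web browsing, never justified
    Rule("allow", "inbound", "10.30.0.0/24", "10.10.0.0/24", "any", "any",
         "Legacy rule from before segmentation"),                                # marketing -> POS, wide open
    Rule("deny", "inbound", ANY_NET, ANY_NET, "any", "any", "Default deny"),
]

if __name__ == "__main__":
    for number, finding in audit(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
    print(render_acl(SAMPLE_RULES))
```

Running the script on the constructed inventory reports rule 3 as both undocumented and overly broad, and rule 4 as overly broad, while the default deny is present; dropping the last rule adds a missing-default-deny finding. Those three findings are exactly the kind of items an assessor asks about when deciding whether a segment is out of scope.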
Segmentation is not a PCI requirement, though. It is completely possible, albeit difficult, to meet PCI with a flat (i.e., unsegmented) network. However, let's switch gears and talk about the importance of PCI segmentation, and it will quickly become clear that it is nearly impossible for many organizations to be compliant without it.
The Importance of PCI Segmentation
In the PCI DSS, the PCI Council says it strongly recommends segmentation because it can reduce the cost, scope, and difficulty of meeting compliance, as well as the overall risk for an organization. Let's take a look at each of these and how it may affect your organization.
Simply put, without segmentation everything is in scope. This means that even if you only accept credit cards at one store, your marketing department, HR department, etc. are all in scope. The same controls that apply to the point of sale (POS) terminal would apply to every machine in your environment. From a security perspective, you really want all of your devices to be secured, of course. However, there are certain controls that are not practical for your marketing department and can have a profound impact on your day-to-day business. Having more systems in scope contributes to cost, difficulty, and risk, and demonstrates the importance of PCI segmentation.
With more systems in scope it naturally follows that it is going to cost your organization more to reach compliance. First, from an assessment standpoint, PCI requires vulnerability scans, penetration testing, and, depending on your transaction levels, a full Report on Compliance (RoC). When you research the cost of an external or internal penetration test (which you can find here and here), you will find that the primary factor that impacts the cost of your assessment is the number of systems in scope. The same thing is true for a Level 1 audit that provides a RoC. The more sites the auditor has to visit and the more devices/systems that he or she has to review, the more it will cost to have the assessment performed.
Second, it will cost more to reach compliance. Having more systems in scope might require more firewalls, a more expensive license for a centralized logging solution, integrity monitoring on systems that otherwise might not need it, inventory management systems, etc. Going back to our example of the marketing department, we want them to be secure, but do we really need them to have file integrity monitoring on their workstations? Probably not, and that is just one example of how your overall cost of compliance can creep up.
In order to demonstrate the difficulty, I like to go back to an audit I performed a few years ago for a utility company. They did not have proper segmentation in place, but were working to get to the point where we could consider their corporate network out of scope. One issue they had was a drive-up window where customers could come and pay their utility bill. This point of sale terminal was on the same subnet as the workstations that the receptionist and cashiers used for their daily work. The cashiers naturally needed to log in to several accounting applications, check their email, go to the company SharePoint, etc. Additionally, they would occasionally check the news and browse social media. After several conversations with the IT guy, it came up that per PCI Requirement 1.2.1, because that subnet was considered in scope, all traffic to and from those computers needed to be restricted to only that which is deemed necessary and defined by a business justification, with all others explicitly denied. In addition to killing morale, it would be quite an undertaking for the IT department to go through and determine exactly what connections were necessary, update the firewall accordingly, and document all of it. Now multiply that by the 5 different offices this utility company had, each with a different set of required connections, and you can quickly see that this was a much larger undertaking than simply creating a new VLAN for that one machine accepting credit cards. Through this exercise, the importance of PCI segmentation became clear to our client, and they have now reduced their scope from hundreds of systems to fewer than 30.
The final concept that demonstrates the importance of PCI segmentation is risk. You have probably heard the terms "security in layers" or "defense in depth," but in case you haven't, the basic concept is that there is no silver bullet in security. You can employ the most advanced firewall and have the best system admins to manage it, but when someone clicks on a link they shouldn't, that firewall becomes an expensive paperweight. Therefore, the best approach to security is to have different layers of security. We have the firewall to protect the perimeter, but we also have antivirus to stop some of the malware when our employee clicks a link. And when that fails, we have alerting and incident response. Segmentation fits right into this concept. When an employee from marketing clicks on a link, we want to prevent the attacker from getting to customer credit card data, which is the crown jewels of your organization as far as your compliance is concerned. That means we should segment marketing from our IT department so a compromised marketing machine can't be used to elevate permissions, but it also means we should segment them from our credit card information.
I hope this helps demonstrate the importance of PCI segmentation more than the little blurb you see at the top of PCI DSS 3.2. As always, please leave a comment below with any questions or thoughts, we would love to hear from you.