Home Compliance StandardsPCI DSS What is PCI Network Segmentation Testing?
PCI DSS

What is PCI Network Segmentation Testing?

by RSI Security
written by RSI Security
computer

Practically every business must fear—or at least be wary of—the threat of cyberattacks. This is especially true for businesses that process, transmit, or store payment data. It’s very likely that your business performs one of if not all three of those actions. If that’s the case, then you’re required to follow the Payment Card Industry Data Security Standard (PCI-DSS). Additionally, it’s strongly encouraged that you conduct biannual PCI network segmentation testing.

But what exactly is PCI network segmentation testing? And how do you go about executing an individual test? We’ll answer these questions and more below.

 

What is Network Segmentation? 

Before we can dive into the requirements and how-tos of network segmentation, it’s critical to first understand its purpose and function.

The fundamental concept of network segmentation is that data within a computer network can and should be cordoned off, or segmented into isolated sections within a virtual local area network (VLAN).

This separation allows a business to treat segments of their network differently when it comes to cybersecurity practices; low risk segments have fewer restrictions whereas the higher risk segments are much more heavily guarded.

Benefits of network segmentation include:

  • Thwart unauthorized traffic from penetrating CDE
  • Direct the flow of traffic amongst subnets
  • Prevent traffic flows should you choose to do so
  • Improve network performance
  • Keep any cybersecurity issues localized to their segment

By isolating critical data from other segments, you reduce your overall risk profile. For example, when it comes to cardholder data (CD)—which includes cardholder name, card number, expiration date, and CVV— it’s best to store all of that information in an area isolated from other databases. This is what’s known as either a cardholder data environment (CDE) or a PCI in-scope.

All other remaining segments are considered PCI out-of-scope.

Download Our PCI DSS Checklist

What is PCI Penetration Testing?

Penetration testing is one of the most effective ways you can ensure that segmentation is in place, working as expected, and has isolated CDE from the other networks. Typically, it involves three steps:

  1. Assess – Identify all locations of cardholder data, including your inventory of IT assets and processes for payment card processing. Look for vulnerabilities that could potentially expose cardholder data.
  2. Repair – Fix the discovered security gaps, remove inessential cardholder data storage, and install better processes to protect your business.
  3. Report – Document the assessment and remediation actions.

Per the PCI Security Standards Council, PCI requires that penetration testing should test segmentation controls using both internal and external penetration tests. The end goal of the tests is to ensure that there’s zero connectivity between in-scope CDE and out-of-scope segments. Should your PCI penetration testing discover exploitable cybersecurity gaps, they must be addressed immediately.

 

Interested in PCI Network Test? Schedule a FREE consultation!

 

PCI DSS 3.2.1’s Impact on Penetration Testing Requirements 

The newest version of the PCI DSS offers a 12 step structure to secure cardholder data that is stored, processed, or transmitted by your business.

While the requirements haven’t changed since the introduction of segmentation checks in version 3.0, there have been two new clarifications with the release of versions 3.2 and 3.2.1:

  • 3.2 – Segmentation tests are required to be conducted by an independent third-party or a qualified internal resource that was uninvolved in the management, maintenance, or design of the PCI environment.
  • 3.2.1 – Service providers are required to perform penetration tests on segmentation controls every six months, or after any significant changes to segmentation or methodology.

Types of Penetration Tests 

There are several ways to conduct a penetration test, but in most cases they’ll fall under one of two categories—internal penetration test and external penetration test. 

Internal penetration tests are also referred to as “white box tests.” With an internal test the “hacker” starts with knowledge about the system being tested. According to PCI, such information can include:

  • A network diagram
  • Results from a QSA review or Self-Assessment Questionnaire (SAQ)
  • Annual testing of controls to identify vulnerabilities and stop unauthorized access
  • Results from quarterly external and internal vulnerability scans
  • Results from the last penetration test
  • Annual identification of threats and vulnerabilities resulting in a risk assessment
  • Annual review of security policies (policies that need to be updated may identify
  • New risks in an organization

Internal PCI penetration testing costs less than external penetration testing, also known as “black box testing.” This simulates a real life attack where the average hacker starts with little to no info on the architecture diagrams or source code. Having no prior knowledge, the tester must first locate the systems in question before attempting to penetrate their cybersecurity defenses.

Both penetration methodologies have their strengths and weaknesses, particularly when it comes to accuracy, speed, efficiency, and coverage. To see what works best for your situation, consult with an expert.

 

What are the Requirements of PCI DSS?  

To be PCI DSS compliant your business must meet all of its requirements. One of the ways you can do this is through a prioritized approach toward network segmentation, which seeks to achieve six crucial milestones:

  1. Remove sensitive authentication data and limit data retention – The goal of the initial milestone is to target your high-risk areas that have been or could be compromised. If you don’t store sensitive data, a security breach will be far less a threat to your business and its clients.
  2. Protect systems and networks, and be prepared to respond to a system breach – This focuses on controlling the access points and preparing processes to respond to a compromise.
  3. Secure payment card applications – This milestone seeks to control applications, application processes, and application servers. If there are vulnerabilities within these, hackers could easily exploit the system and access cardholder information.
  4. Monitor and control access to your system – By adding these controls you can answer the who, what, when, and how for anyone seeking to access your network and CDE.
  5. Protect stored cardholder data – If you are required to store Primary Account Numbers (PAN), there must be protection mechanisms put in place for that saved data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place – All policies, procedures, and processes related to protecting the CDE require verification of alignment with PCI DSS requirements.

So, what are the 12 PCI DSS Requirements that must be installed and then segment tested?

 

Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

The first two PCI DSS requirements are dedicated to building and then maintaining a secure network and systems.

In the past, accessing customer financial records required a thief to physically steal the information from a business. Now that payment information is stored on digital networks, cybercriminals can access payment system networks virtually and then swipe the critical data.

Firewalls control the traffic that comes in and out of your network, particularly to sensitive areas. It’s critical that you establish and implement firewall and router configurations that restrict connections with untrusted networks and prevent public access.

 

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

The simplest way a hacker can gain access to your internal network is via exploits of default passwords or software settings in your CDE.

Far too many businesses make the mistake of not changing their default passwords or settings. Experienced hackers can easily bypass these “security measures.” All your other security efforts will be in vain if you practice lax cryptography.

Using a password generator is one of the oldest tricks in the book.

 

Requirement 3: Protect Stored Cardholder Data

If your organization accepts payment cards, you’re required to protect cardholder data and prevent hackers from stealing it. Don’t store cardholder data unless it’s absolutely necessary. Examples include:

  • Regulatory purposes
  • Legal purposes
  • Business purposes

Try to limit storage and retention time to the bare minimum, and then purge unnecessary data at least on a quarterly basis. Also, the sensitive data on the chip or magnetic stripe should never be stored, even if it’s encrypted.

In addition, there are rules for how primary account numbers are displayed. For instance, you should never reveal more than the first six or last four digits on the card.

 

Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

The primary way that hackers attempt to intercept cardholder data transmission is over open and public networks.

Knowing this, it’s critical that any data is encrypted so as to render it unreadable except to the authorized user. This limits the opportunity for cybercriminals to derive any benefit out of a data interception.

Company-wide encryption hinges upon robust cryptography and cybersecurity protocols.

 

Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs

A major aspect of risk mitigation is constantly and systematically finding weaknesses in your payment card infrastructure system.

The simplest way to prevent malware exploits is by deploying an anti-virus software, which applies to the whole of the system and all devices, including:

  • Workstations
  • Laptops
  • Mobile devices

Antivirus programs should be active and regularly updated on all devices that access the system—whether locally or remotely.

Requirement 6: Develop and Maintain Secure Systems and Applications

Your organization must limit the potential for hackers to perform exploits by installing and updating security patches. 

Vulnerabilities must be discovered and then prioritized by order of threat. When new code or patches are applied, they need to be aligned with the PCI DSS and then analyzed for gaps or weaknesses.

 

Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know

Put systems and processes in place to limit access to only authorized personnel. This not only prevents hackers from gaining access but also prevents unauthorized employees from accessing sensitive data unless it’s within the context of their current task.

By limiting data to a need-to-know basis you make it even harder for a hacker to compromise cardholder information. Even if it’s the right person, if their request isn’t related to a permitted access, it’ll then be denied.

 

Requirement 8: Identify and Authenticate Access to System Components

If you want strong control measures, then every authorized user requires a unique identifier. This ensures that if someone does access cardholder data, you’ll be able to trace the activity and tie it to a known user. Such precautions make it easier to flag unauthorized access.

Additionally, if users request access remotely, they must provide two-factor authorization.

 

Requirement 9: Restrict Physical Access to Cardholder Data

Another critical security control involves restricting physical access to sensitive data. This includes your employees, vendors, visitors, and contractors who might have an opportunity to retrieve data through a device, system, or hard copy.

Sensitive data must be secured and any movement on-site should be restricted, monitored, and logged.

 

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

You must monitor and test your network on a regular basis.

To be able to monitor in real-time, set up logging mechanisms that are capable of tracking user activities and then producing detailed system activity logs.

 

Requirement 11: Regularly Test Security Systems and Processes

Since there are always new vulnerabilities being discovered, it’s critical that your system’s components, processes, and software are tested frequently via segmentation tests.

 

Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel

All employees must be engaged with your cybersecurity goals and actions. It takes a team effort to implement and maintain PCI DSS compliance. This necessitates an annual review of your processes and policies.

 

How Do You Perform PCI Network Segmentation Testing

The risk of cybersecurity attacks has never been greater. Today, network segmentation is one of the primary ways you can mitigate the chances that an attack is successful.

If you want to comply with PCI DSS, then it’s critical that you perform PCI network segmentation testing at least once every six months. And while you could possibly perform this test internally, it’s much better to have an unbiased outside party act as an arbitrator on your behalf.

This is where RSI Security can assist.

We provide rigorous compliance advisory services and testing to ensure that your operation is compliant with PCI DSS requirements. Whether you want to perform internal or external network segmentation, our team of experts can help you identify cybersecurity gaps and then install corrective actions.

Together, we can ensure that your business and its customers are safe and secure.

 

Speak with a PCI compliance expert today!

 

Schedule a free consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

Avoiding a Credit Card Data Breach

May 23, 2018

How To Become PCI Compliant — A Step...

October 29, 2019

How to Prevent a Data Breach At a...

January 15, 2020

Compliance Risk Examples in Banking and Financial Services

September 23, 2022

PCI DSS Best Practices for Compliance

November 25, 2021

Upcoming PCI Programs And Changes

February 1, 2019

Can card verification codes be stored for recurring...

April 18, 2018

How to Gain QSA Designation

May 16, 2018

Which is Better: PCI DSS 4.0 Compensating Controls...

August 16, 2023

What Data Falls Under PCI Compliance?

March 1, 2021

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More