Practically every business must fear—or at least be wary of—the threat of cyberattacks. This is especially true for businesses that process, transmit, or store payment data. It’s very likely that your business performs one of, if not all three of, those actions. If that’s the case, then you’re required to follow the Payment Card Industry Data Security Standard (PCI-DSS). Additionally, it’s strongly encouraged that you conduct biannual PCI network segmentation testing.
But what exactly is PCI network segmentation testing? And how do you go about executing an individual test? We’ll answer these questions and more below.
What is Network Segmentation?
Before we can dive into the requirements and how-tos of network segmentation, it’s critical to first understand its purpose and function.
The fundamental concept of network segmentation is that data within a computer network can and should be cordoned off, or segmented into isolated sections within a virtual local area network (VLAN).
This separation allows a business to treat segments of their network differently when it comes to cybersecurity practices; low risk segments have fewer restrictions whereas the higher risk segments are much more heavily guarded.
Benefits of network segmentation include:
- Thwart unauthorized traffic from penetrating the cardholder data environment (CDE)
- Direct the flow of traffic amongst subnets
- Prevent traffic flows should you choose to do so
- Improve network performance
- Keep any cybersecurity issues localized to their segment
By isolating critical data from other segments, you reduce your overall risk profile. For example, when it comes to cardholder data (CD)—which includes cardholder name, card number, expiration date, and CVV—it’s best to store all of that information in an area isolated from other databases. This isolated area is known as the cardholder data environment (CDE), or as PCI in-scope.
All other remaining segments are considered PCI out-of-scope.
What is PCI Penetration Testing?
Penetration testing is one of the most effective ways you can ensure that segmentation is in place, working as expected, and has isolated the CDE from other networks. Typically, it involves three steps:
- Assess – Identify all locations of cardholder data, including your inventory of IT assets and processes for payment card processing. Look for vulnerabilities that could potentially expose cardholder data.
- Repair – Fix the discovered security gaps, remove inessential cardholder data storage, and install better processes to protect your business.
- Report – Document the assessment and remediation actions.
Per the PCI Security Standards Council, PCI requires that penetration testing must exercise segmentation controls using both internal and external penetration tests. The end goal of the tests is to confirm that there’s zero connectivity between the in-scope CDE and out-of-scope segments. Should your PCI penetration testing discover exploitable cybersecurity gaps, they must be addressed immediately.
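As an added illustration of the "zero connectivity" check described above (this script is not from the article or from RSI Security), here is a minimal Python connectivity probe meant to be run from an out-of-scope host against an inventory of CDE systems; any completed TCP handshake is reported as a finding. The host addresses, ports and labels are constructed placeholders, and the `reachable` parameter exists so the logic can be exercised without a live network.

```python
"""Added example: minimal PCI segmentation connectivity check.

Run from an OUT-OF-SCOPE host. Every CDE target that accepts a TCP
connection is a finding, because the expected result of a segmentation
test is zero connectivity from out-of-scope segments into the CDE.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Target:
    host: str
    port: int
    label: str


# Constructed example inventory of in-scope (CDE) systems; replace with your own.
CDE_TARGETS = [
    Target("10.10.1.20", 443, "payment-api"),
    Target("10.10.1.30", 5432, "cardholder-db"),
    Target("10.10.1.40", 22, "cde-jumphost"),
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True only if a TCP handshake completes; refused, filtered and
    timed-out attempts all count as 'not reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_findings(targets: Iterable[Target],
                          reachable: Callable[[str, int], bool] = tcp_reachable) -> list:
    """Return the CDE targets reachable from this (out-of-scope) vantage point."""
    return [t for t in targets if reachable(t.host, t.port)]


def report(targets: Iterable[Target],
           reachable: Callable[[str, int], bool] = tcp_reachable) -> str:
    """Human-readable PASS/FAIL summary for the test evidence file."""
    findings = segmentation_findings(targets, reachable)
    if not findings:
        return "PASS: no CDE target reachable from this out-of-scope segment"
    lines = ["FAIL: segmentation control allows out-of-scope -> CDE traffic:"]
    lines += [f"  {t.label} {t.host}:{t.port}" for t in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CDE_TARGETS))
```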
PCI DSS 3.2.1’s Impact on Penetration Testing Requirements
The newest version of the PCI DSS offers a 12 step structure to secure cardholder data that is stored, processed, or transmitted by your business.
While the requirements haven’t changed since the introduction of segmentation checks in version 3.0, there have been two new clarifications with the release of versions 3.2 and 3.2.1:
- 3.2 – Segmentation tests are required to be conducted by an independent third-party or a qualified internal resource that was uninvolved in the management, maintenance, or design of the PCI environment.
- 3.2.1 – Service providers are required to perform penetration tests on segmentation controls every six months, or after any significant changes to segmentation or methodology.
Types of Penetration Tests
Internal penetration tests are also referred to as “white box tests.” With an internal test the “hacker” starts with knowledge about the system being tested. According to PCI, such information can include:
- A network diagram
- Results from a QSA review or Self-Assessment Questionnaire (SAQ)
- Annual testing of controls to identify vulnerabilities and stop unauthorized access
- Results from quarterly external and internal vulnerability scans
- Results from the last penetration test
- Annual identification of threats and vulnerabilities resulting in a risk assessment
- Annual review of security policies (policies that need to be updated may identify new risks in an organization)
Internal PCI penetration testing costs less than external penetration testing, also known as “black box testing.” This simulates a real-life attack, where the average hacker starts with little to no information about architecture diagrams or source code. Having no prior knowledge, the tester must first locate the systems in question before attempting to penetrate their cybersecurity defenses.
Both penetration methodologies have their strengths and weaknesses, particularly when it comes to accuracy, speed, efficiency, and coverage. To see what works best for your situation, consult with an expert.
What are the Requirements of PCI DSS?
To be PCI DSS compliant your business must meet all of its requirements. One of the ways you can do this is through a prioritized approach toward network segmentation, which seeks to achieve six crucial milestones:
- Remove sensitive authentication data and limit data retention – The goal of the initial milestone is to target your high-risk areas that have been or could be compromised. If you don’t store sensitive data, a security breach will be far less a threat to your business and its clients.
- Protect systems and networks, and be prepared to respond to a system breach – This focuses on controlling the access points and preparing processes to respond to a compromise.
- Secure payment card applications – This milestone seeks to control applications, application processes, and application servers. If there are vulnerabilities within these, hackers could easily exploit the system and access cardholder information.
- Monitor and control access to your system – By adding these controls you can answer the who, what, when, and how for anyone seeking to access your network and CDE.
- Protect stored cardholder data – If you are required to store Primary Account Numbers (PAN), there must be protection mechanisms put in place for that saved data.
- Finalize remaining compliance efforts, and ensure all controls are in place – All policies, procedures, and processes related to protecting the CDE require verification of alignment with PCI DSS requirements.
So, what are the 12 PCI DSS Requirements that must be implemented and then verified through segmentation testing?
Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data
The first two PCI DSS requirements are dedicated to building and then maintaining a secure network and systems.
In the past, accessing customer financial records required a thief to physically steal the information from a business. Now that payment information is stored on digital networks, cybercriminals can access payment system networks virtually and then swipe the critical data.
Firewalls control the traffic that comes in and out of your network, particularly to sensitive areas. It’s critical that you establish and implement firewall and router configurations that restrict connections with untrusted networks and prevent public access.
Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
The simplest way a hacker can gain access to your internal network is by exploiting default passwords or software settings in your CDE.
Far too many businesses make the mistake of not changing their default passwords or settings. Experienced hackers can easily bypass these “security measures.” All your other security efforts will be in vain if you practice lax cryptography.
Using a password generator is one of the oldest tricks in the book.
Requirement 3: Protect Stored Cardholder Data
If your organization accepts payment cards, you’re required to protect cardholder data and prevent hackers from stealing it. Don’t store cardholder data unless it’s absolutely necessary. Examples include:
- Regulatory purposes
- Legal purposes
- Business purposes
Try to limit storage and retention time to the bare minimum, and then purge unnecessary data at least on a quarterly basis. Also, the sensitive data on the chip or magnetic stripe should never be stored, even if it’s encrypted.
In addition, there are rules for how primary account numbers are displayed. For instance, you should never reveal more than the first six or last four digits on the card.
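As an added illustration of Requirement 3 (this code is not from the article or from RSI Security), the Python scanner below supports the Assess step by locating Luhn-valid primary account numbers in a constructed log excerpt and reporting them masked to the first six and last four digits, so the report itself never contains a full PAN. The regular expression, sample log and function names are my own assumptions.

```python
"""Added example: find stored PANs and mask them to first six / last four."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out order numbers, IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Scan text and return (offset, masked PAN) for every Luhn-valid hit.
    The full PAN is never stored in the result."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append((m.start(), mask_pan(digits)))
    return findings


# Constructed sample: an application log that should contain no PANs at all.
# The card numbers are well-known public test numbers, not real accounts.
SAMPLE_LOG = (
    "2023-05-01T10:02:11Z order=1234567890123 status=ok\n"
    "2023-05-01T10:02:12Z DEBUG card=4111 1111 1111 1111 exp=12/25\n"
    "2023-05-01T10:03:40Z DEBUG card=5555-5555-5555-4444 exp=01/26\n"
)

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE_LOG):
        print(f"PAN found at offset {offset}: {masked}")
```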
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
The primary way that hackers attempt to intercept cardholder data transmission is over open and public networks.
Knowing this, it’s critical that any data is encrypted so as to render it unreadable except to the authorized user. This limits the opportunity for cybercriminals to derive any benefit out of a data interception.
Company-wide encryption hinges upon robust cryptography and cybersecurity protocols.
Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software or Programs
A major aspect of risk mitigation is constantly and systematically finding weaknesses in your payment card infrastructure system.
The simplest way to prevent malware exploits is by deploying an anti-virus software, which applies to the whole of the system and all devices, including:
- Mobile devices
Antivirus programs should be active and regularly updated on all devices that access the system—whether locally or remotely.
Requirement 6: Develop and Maintain Secure Systems and Applications
Your organization must limit the potential for hackers to exploit known vulnerabilities by installing and updating security patches.
Vulnerabilities must be discovered and then prioritized by order of threat. When new code or patches are applied, they need to be aligned with the PCI DSS and then analyzed for gaps or weaknesses.
Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know
Put systems and processes in place to limit access to only authorized personnel. This not only prevents hackers from gaining access but also prevents unauthorized employees from accessing sensitive data unless it’s within the context of their current task.
By limiting data to a need-to-know basis you make it even harder for a hacker to compromise cardholder information. Even if it’s the right person, if their request isn’t related to a permitted access, it’ll then be denied.
Requirement 8: Identify and Authenticate Access to System Components
If you want strong control measures, then every authorized user requires a unique identifier. This ensures that if someone does access cardholder data, you’ll be able to trace the activity and tie it to a known user. Such precautions make it easier to flag unauthorized access.
Additionally, if users request access remotely, they must provide two-factor authentication.
Requirement 9: Restrict Physical Access to Cardholder Data
Another critical security control involves restricting physical access to sensitive data. This includes your employees, vendors, visitors, and contractors who might have an opportunity to retrieve data through a device, system, or hard copy.
Sensitive data must be secured and any movement on-site should be restricted, monitored, and logged.
Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
You must monitor and test your network on a regular basis.
To be able to monitor in real-time, set up logging mechanisms that are capable of tracking user activities and then producing detailed system activity logs.
Requirement 11: Regularly Test Security Systems and Processes
Since there are always new vulnerabilities being discovered, it’s critical that your system’s components, processes, and software are tested frequently via segmentation tests.
Requirement 12: Maintain a Policy that Addresses Information Security for All Personnel
All employees must be engaged with your cybersecurity goals and actions. It takes a team effort to implement and maintain PCI DSS compliance. This necessitates an annual review of your processes and policies.
How Do You Perform PCI Network Segmentation Testing?
The risk of cybersecurity attacks has never been greater. Today, network segmentation is one of the primary ways you can mitigate the chances that an attack is successful.
If you want to comply with PCI DSS, then it’s critical that you perform PCI network segmentation testing at least once every six months. And while you could possibly perform this test internally, it’s much better to have an unbiased outside party act as an arbitrator on your behalf.
This is where RSI Security can assist.
We provide rigorous compliance advisory services and testing to ensure that your operation is compliant with PCI DSS requirements. Whether you want to perform internal or external network segmentation testing, our team of experts can help you identify cybersecurity gaps and then install corrective actions.
Together, we can ensure that your business and its customers are safe and secure.