Too many data breach reports show that companies suffering compromises were unaware that cardholder data was present in their systems.
The Payment Card Industry Security Standards Council wants to fix this, but it's a bit of a double-edge sword considering that this means targeting companies that are already performing PCI assessments.
Companies show they are compliant by going through an assessment and reducing data exposure. But they may be overlooking an essential aspect — that PCI compliance is a starting point, and may not cover every aspect of a company's systems. Famously, Heartland Payment Systems had repeatedly validated its PCI compliant status before disclosing a breach in early 2009 involving systems and data its PCI audits overlooked.
To address those kinds of situations, the PCI council has published new "Guidance for PCI DSS Scoping and Segmentation" to clarify basic scoping and segmentation principles that can help companies understand where data might be hiding unprotected in their systems.
The guidance is designed to help organizations better identify systems that, at a minimum, need to be included in scope for PCI DSS and how segmentation can be used to help reduce the number of systems that require PCI DSS controls.
Network segmentation, or the process of minimizing systems that have access to cardholder data and determining what is in-scope and out-of-scope, has never been a PCI requirement, but the council has consistently pushed it as a sound practice.
"This not only helps reduce cost and effort associated with a PCI DSS assessment, but also provides greater focus to evaluate and monitor those critical systems that remain relevant to protect payment data," PCI chief technology officer Troy Leach said in a statement on the new guidance. "That's why, while not a requirement, we do include guidance directly in the standard because it is a valuable concept to consider."
In the same way PCI and security providers emphasize devaluing data by reducing access and making it difficult to exploit stolen credentials, segmentation limits the assets and locations for cardholder data in a network, Leach said.
The new guidance on segmentation is "more detailed than any scoping guidance we have provided before in any Frequently Asked Questions format or whitepapers," Leach added.
"Segmentation is a very complex topic because every network is very unique," Leach said. The guidance provides principles that each entity can use in a way that works best in their own network, he added.
The new guidance provides talking points for discussions about scoping between merchants, acquirers, issuers and service providers like issuer/processors or token service providers.
Qualified security assessors or acquirers evaluating merchants' or service providers' data security compliance reports or self-assessment questionnaires are included in the guidance in terms of better facilitating a process for effective scoping.