Simplifying PCI-DSS Compliance with Micro-Segmentation

The Payment Card Industry Data Security Standard (PCI-DSS) is a critical compliance standard for any credit card merchant. It includes a variety of requirements that ensure merchants protect their customers’ credit card information. Non-compliance can have serious consequences, including:

• Fines ranging from $5,000 to $100,000 per month, rising over time until the merchant is in full compliance
• Sanctions that can rise to the level of termination of the ability to accept payment cards
• Liability for losses that customers may suffer in the event of a breach

Clearly, it’s vital that businesses have the right kind of controls in place to comply with PCI-DSS. The good news is that today’s cybersecurity tools – such as those for visualization and data discovery – help define the perimeters of the Cardholder Data Environment (CDE) and assist with compliance. One of the most effective ways merchants can comply with PCI-DSS is by implementing micro-segmentation. Micro-segmentation enables merchants to isolate system/process components from the cardholder data environment, making it more difficult for hackers to access credit card information. This way, even if one part of a merchant’s network is breached, that sensitive cardholder data will be secure. (Note: A new version of PCI-DSS, Version 4.0, is expected to be released in late 2020 or early 2021. Micro-segmentation has the potential to take on even greater importance in PCI-DSS 4.0 given some of the expected changes to the standard, such as those that involve securing cloud and serverless workloads.)

Reduce and Control PCI-DSS Compliance Scope with Micro-Segmentation

Because merchants rely on multiple systems and processes to conduct business, the nightmare scenario is that a breach in one of those systems/processes compromises the entire network. Micro-segmentation shines in its ability to help merchants avoid that situation by properly isolating system components from the cardholder data environment (CDE). Micro-segmentation can be used to reduce the scope of the CDE in complex network architectures, including cloud-based VMs or containers. That way, even if the out-of-scope system component is compromised, it won’t impact the security of the CDE. Plus, when micro-segmentation is combined with a visualization tool, it can be used to clearly define the extent of the cardholder environment. (Furthermore, the tool can help meet the PCI standard that requires entities to maintain a diagram of cardholder data flows across systems and networks.) This comes in handy when merchants must prove compliance with PCI-DSS. Micro-segmentation can help merchants simplify audits — traditionally long and pain-staking processes – because the audit will only consider those systems within the particular micro-segments that make up the CDE and the processes and controls operating on those micro-segments.

Prevent Lateral Movement with Micro-Segmentation Controls

Lateral movement is cause for concern in environments where breaches can cause huge monetary losses to companies. It goes without saying that basically any credit card-accepting business faces that type of risk. Many of the best-known PCI-DSS breaches have involved insiders who were able to gain access via malware spread laterally within the network. Isolation of such malware is difficult, and these attacks can go unnoticed for weeks and even months. Limiting this type of lateral movement (East-West) is vital to ensuring PCI-DSS compliance. Micro-segmentation prevents lateral attacks within the network by separating the most sensitive systems and enabling granular security controls. It creates specific policies for highly sensitive workloads and, importantly, these protections remain in place as workloads move around in today’s highly dynamic environments. When it comes to PCI-DSS compliance, micro-segmentation helps contain lateral movement from an out-of-scope area to a sensitive CDE area.

Map and Manage Vulnerabilities with a Zero Trust Approach

Implementing a zero-trust approach validates administrative access to each system. It also enables the creation of policies for different security levels, preventing lateral moves from weaker entry points. Zero-trust technology solutions that have labelling functionality also provide more granular visibility into flows and communications. This is useful for card-accepting merchants who historically have struggled to prove that the systems they have deemed out-of-scope are actually separate from their CDE. Once policies are created, the zero-trust approach enables effective management of the different micro-segments and the communications allowed between them. Where the traditional firewall and router approach falls short, the zero-trust approach is less complicated, and thereby enables more effective compliance.

Full PCI-DSS Compliance: A Comprehensive Approach

Although micro-segmentation is an important part of PCI-DSS compliance, it’s not the only tool that many merchants will need to meet all of the standard’s requirements. PCI-DSS compliance can only be met with a comprehensive risk-based security approach that includes:

• Powerful visibility
• Responsive endpoint protection
• Application security (that offers similar capabilities to an application firewall)

To learn more about how your company can simplify PCI-DSS compliance, contact us. About the Author: Dr. Darren Brooks is the former Head of Global Compliance at ColorTokens.