In the security world, segmentation is a common strategy for protecting sensitive data from unauthorized access and reducing PCI scope. In simple terms, it involves keeping any parts of a network that touch sensitive data away from other parts of the network. (In practice, it’s a bit more complicated, but the ultimate goal is to prevent communication between various systems.)
This effort, when implemented correctly, can help keep parts of your network out of scope for PCI reporting and audits. (That means that you don’t have to include them when you complete your mandatory self-assessment questionnaires, which can be a huge time and cost savings for your IT team. Learn more about PCI compliance requirements for merchants here.)
It’s important to keep in mind that any segmentation efforts must be reviewed and approved by a PCI QSA (qualified security assessor). These are the only people who can help you confirm that you’re meeting all of your compliance requirements. It’s best to assume that all parts of your network are in scope until you’ve confirmed otherwise. However, Curbstone has helped hundreds of merchants remove parts of their network from PCI scope with isolated credit card processing technologies, and the below information can help you get started on your scope reduction journey.
Is Segmentation Required for PCI Compliance?
The Payment Card Industry does not require merchants to segment their networks to be PCI-compliant. It is simply one method that can help reduce the number of system components that are considered in scope.
Segmentation also helps reduce the risk of your customers’ payment data being breached. By consolidating your sensitive data into fewer, more controlled locations, you add an extra layer of protection if – for any reason – one of your systems were to become compromised.
What is Considered “Connected” in a Segmented Environment?
Everything in a merchant’s cardholder data environment (CDE) is considered in scope. The CDE includes any people, processes, or technologies that store, process, or transmit (or could impact the security of) cardholder data or sensitive authentication data. It also includes any system components that are on the same network segment.
Any systems with connectivity to, or that can otherwise access, a merchant’s CDE are considered “connected-to” systems. Connected-to systems are also considered in scope for PCI.
In contrast, system components that meet the following criteria are considered out of scope:
- They do not store, process, or transmit cardholder data, AND
- They are not on the same network segment or in the same subnet as in-scope systems
- They do not connect to or access any system in the CDE
- They cannot gain access to the CDE
- They cannot impact any of the security controls for the CDE
When it comes time to complete your next PCI compliance report, you can exclude out-of-scope systems as approved by your QSA.
Methods of PCI Segmentation
According to the PCI Security Standards Council’s Guidance for PCI DSS Scoping and Segmentation, “segmentation can consist of logical controls, physical controls, or a combination of both.” Firewalls and router configurations are some of the most common methods for segmenting systems and subnets. You can learn more about the applicable controls in the latest version of the PCI DSS.
They do caution, however, that controls must be purposefully designed for the sake of segmentation. “The existence of separate network segments alone does not automatically create PCI DSS segmentation. [The controls must] specifically create and enforce separation and prevent compromises originating from the out-of-scope network(s).”
Another Option for Reducing Your PCI Scope
At Curbstone, our goal is simple: to help you quickly and securely process credit and debit card payments without processing, storing, or transmitting data on your own network. Our technologies help you bypass most – if not all – of your existing infrastructure, in turn reducing your PCI scope.
Here’s a quick rundown:
- When you process payments in person, our EMV Terminals remain separate from the rest of your network. They use a designated Wi-Fi connection to transmit data from your credit card machine to your acquirer, keeping that data off the rest of your physical infrastructure.
- When you process payments online, our iFrame-based Payment Landing Pages transmit data directly from the Curbstone-hosted payment form to your acquirer, keeping it separate from your shopping cart and web server.
- When you process payments over the phone or by mail, our Isolated Payment Terminals transmit data from your device to your acquirer, again relying on their own Wi-Fi connection to keep your back-office systems segmented from PCI scope.
Depending on the technologies you use and the way you have the rest of your network configured, you may be able to avoid the long, time-consuming PCI SAQ-D. Instead, you may be able to qualify for one of the shorter versions (such as the SAQ-A or SAQ-C). This can save your IT team days – if not weeks – every year.
If you’d like to learn more about PCI scope reduction with Curbstone’s payment processing technologies, download our free Solutions Whitepaper or start a conversation with one of our PCI-Certified Qualified Integrators and Resellers.
