Segmentation is the practice of creating data controls that meet data security requirements. Below are some key ideas related to network segmentation:
The Cardholder Data Environment (CDE)
The Cardholder Data Environment contains a person’s private information. This data comes from their credit or debit card. If you have access to the CDE, you can see information like account numbers and expiration dates.
You need to protect the CDE. If hackers have access to it, they can put false charges on customers’ credit and debit cards.
You can find cardholder data environments in many places. If a computer or system works with credit and debit cards, it is a CDE. Here are some examples of CDEs:
- Networking devices
How PCI DSS and Network Segmentation Work Together
To protect the cardholder data environment, you have to protect the cardholder data. Cardholder data could enter a device in many ways. USB drives, Bluetooth devices, and virtual machines are just a few of these.
Because there are a lot of ways data could enter a system, there are a lot of ways that hackers could access it. You need to protect all of these entry points.
How Companies Scope Systems
To define your PCI DSS scope, you have to look at the different ways data could enter your systems. Write down where you get cardholder data from. Then, think of all the ways someone could access it.
Next, you have to figure out where you work with data. To identify these places, you’ll need to know:
- Who handles the cardholder data
- What they do with the cardholder data
- What software and tools work with the data
At this point, you will have identified the people and places that work with the CDE. Now you will have to create controls and limits that protect your information. You can do this by encrypting the data and by applying other data security techniques.
It is your responsibility to make sure that hackers cannot access customer information. Anytime you change something in the CDE, you will need to upgrade your security measures.
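The scoping steps above, worked through as an added example that is not part of the original post: a constructed inventory of systems (who handles them, what they do, which software) and recorded data flows, with an assumed rule that any system cardholder data reaches from an entry point is in scope, plus a check for in-scope links that carry cardholder data with no control recorded.

```python
from collections import deque

# Constructed inventory: system -> (who handles it, what they do, software used)
SYSTEMS = {
    "pos-terminal": ("cashier", "captures card data at checkout", "POS app"),
    "usb-import":   ("back office", "loads card batches from USB drives", "import script"),
    "payment-gw":   ("payments team", "tokenises and forwards card data", "gateway service"),
    "order-db":     ("dba", "stores orders including PAN", "PostgreSQL"),
    "reporting":    ("analysts", "builds sales reports", "BI tool"),
    "hr-portal":    ("hr", "manages staff records", "HR SaaS"),
}

# Constructed data flows: (source, destination, data kind, control on the link or None)
FLOWS = [
    ("pos-terminal", "payment-gw", "CHD", "TLS + firewall rule"),
    ("usb-import",   "order-db",   "CHD", None),
    ("payment-gw",   "order-db",   "CHD", "TLS"),
    ("order-db",     "reporting",  "CHD", None),
    ("hr-portal",    "reporting",  "other", None),   # not cardholder data
]
ENTRY_POINTS = ["pos-terminal", "usb-import"]  # where cardholder data first enters

def cde_scope(entry_points, flows):
    """Systems that cardholder data reaches from any entry point (assumed scoping rule)."""
    scope, queue = set(entry_points), deque(entry_points)
    while queue:
        src = queue.popleft()
        for a, b, kind, _ in flows:
            if a == src and kind == "CHD" and b not in scope:
                scope.add(b)
                queue.append(b)
    return scope

def unprotected_chd_links(flows, scope):
    """Cardholder-data flows inside the scope that have no encryption/segmentation control."""
    return [(a, b) for a, b, kind, ctl in flows
            if kind == "CHD" and a in scope and b in scope and ctl is None]

def scoping_report(systems=SYSTEMS, flows=FLOWS, entry_points=ENTRY_POINTS):
    """Who/what/software for every in-scope system, plus the links that still need controls."""
    scope = cde_scope(entry_points, flows)
    return {
        "in_scope": {s: systems[s] for s in sorted(scope)},
        "unprotected_links": unprotected_chd_links(flows, scope),
    }
```

Re-run the report whenever a system or flow changes, since any change to the CDE changes which links need controls.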
Transferring Risks to Third-Party Service Providers
Third-party service providers help your business. They may also work with your cardholder data environment. Unfortunately, this also means that they can put your security at risk.
If you work with any third parties, ask them to prove that they are compliant. You may ask them to show proof that they have completed a security assessment. Choose service providers with care, and always put your customers’ security first.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.