Coffee with the Council Podcast: Scoping and Segmentation: Navigating Modern Network Architecture and PCI DSS v4.x

Welcome to our podcast series, Coffee with the Council. I’m Alicia Malone, Senior Manager of Public Relations for the PCI Security Standards Council. Recently, PCI SSC published a new information supplement called PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures. This document was produced by the 2023 Special Interest Group, also called a SIG, who spent a year collaborating on this project, which was led by the Council’s own Kandyce Young, Manager of Data Security Standards. I am joined by Kandyce today to help walk us through what made this particular Special Interest Group and topic so special. It’s great to have you here, Kandyce.

Kandyce Young: I’m so very glad to be here, Alicia, and to talk about an industry-driven project that is very, very near and dear to my heart. I mean, it’s special, not just because I had the privilege of chairing a group of some of the brightest minds from the most innovative organizations in the world of payment security, but also because this is a topic that many in the industry have been asking about since PCI DSS v4.0 was released in March 2022.

Questions like, how can I apply PCI DSS networking controls in a zero-trust environment? Or, if my environment is both on premises and in the cloud, how can I adjust segmentation controls? And what about micro-segmentation? Guidance is provided to address all of these questions in this document.

Alicia Malone: That is awesome. So, let’s start from the beginning. For those who may not be familiar with Special Interest Groups, let’s start by explaining the process. What exactly is the purpose of a Special Interest Group and how did this topic get selected?

Kandyce Young: So special interest groups, or SIGs, are community-driven initiatives that play a key role in the development of resources for the payment card industry. This approach makes sure that the content we publish is relevant and applicable to support security currently and for the future of the payments industry.

In the past, SIGs developed guidance documents on container orchestration tools and cloud computing or best practices for securing e-commerce. All of those can be found in the Document Library of our website right now.

As for how SIGs are developed, well, the first step is that Participating Organizations, of which we’ve got representation from organizations across the entire payments ecosystem, the assessor community, Approved Scanning Vendors, or ASVs, and payment brands, can propose a topic during the SIG proposal period. Then there’s an election period where those topics are voted on by Participating Organizations, or POs, as I’ll call them. POs get this final say to ensure that stakeholders who are involved in implementing and supporting PCI Security Standards are the ones that are selecting which SIG projects would be the most beneficial to their needs.

So finally, the topic with the most votes by POs is selected and then we seek volunteers from the PO community and the assessor community to meet on a regular basis to develop content and pull from their expertise and extensive industry experience on that particular topic.

So, that’s the process in a nutshell. It’s quite collaborative and really, it’s a voice for the industry from the industry. And we’re very glad that PCI SSC is the vehicle to drive this industry contribution and really that the industry is quite keen to contribute in this way.

Alicia Malone: Well, PCI DSS is one of our most popular standards, so it makes sense that our industry would want more guidance on different aspects of it. What was your role as chair on this project?

Kandyce Young: PCI DSS ultimately was developed to encourage and enhance payment account data security and to facilitate the broad adoption of consistent data security measures all across the globe. With constant technological advancements being made with tools, security controls, and also with a variety of service provider offerings now available, there’s bound to be some questions on how to keep all of this data secure in the face of this evolution.

So as the chair of this project, my goal was to make sure that we stayed on track to provide these best practices or provide guidance on the core elements of this topic. We knew we wanted to dive deeper into scoping and segmentation practices for modern network architecture, but we also knew that we couldn’t boil the ocean.

So, we narrowed it down to five key areas: determining the impact of zero trust architecture on PCI DSS scope and network segmentation; looking at defining PCI DSS scope boundaries in micro-segmentation and multi-cloud implementations; looking at how to develop and maintain a PCI DSS asset inventory given the ephemeral nature of cloud-hosted microservices and systems; looking at the risks associated with the implementation of modern network architectures, given the complexity of these modern system configurations, because the ease of use of modern network architecture certainly brings about additional risks and often additional complexity that we must address. And finally, we wanted to provide guidance on specific PCI DSS requirements for verifying scope and segmentation controls, and I believe we did just that.

Alicia Malone: So, what made this particular Special Interest Group stand apart from other Special Interest Groups that the Council has conducted in the past? What would you say were the components that really made this process so special?

Kandyce Young: This group was really special because we received extensive contributions from many, many members of this group. Over 81 different companies contributed, and that’s many more individuals from those organizations. So extensive contributions. This document really represents unified industry acknowledgement and guidance to support the fundamental shift that we’ve seen to network architecture, which has been fueled by an increased emphasis on identity and access management, and the evolution to dynamic and distributed modern network architecture environments. And that, yes, they can be secured by PCI DSS without having to compromise innovation.

This document contains quite a few scenarios and diagrams to explain common segmentation approaches in detail. For example, how to use a proxy to control, manage, and authorize traffic to and from the cardholder data environment, or the CDE, to support a comprehensive segmentation strategy, which is really with the goal of restricting account data to as few locations as possible by eliminating unnecessary data and consolidating that necessary data.

The final thing that makes this SIG stand out is really that, though we’ve included a sample responsibility matrix and a sample inventory in some of our other guidance documents, the ones in this document were developed based on real-world experiences with third-party service providers now and take into account how granular services can be. Back-end CDE, front-end CDE, under cloud management, all of those things are incorporated. So, it’s definitely a valuable tool that organizations can use in their contractual discussions with their service providers now. And some of the organizations involved in this SIG can attest to their benefits because they’ve used them, and it’s been helpful to them, and that’s why we’ve incorporated them.

Alicia Malone: Wow, there is so much great information in this new information supplement, but I imagine that the process probably wasn’t that easy to put it all together. What kind of challenges did you face in working with the SIG and putting this informational supplement together?

Kandyce Young: So, this document could have easily been a textbook because as I mentioned, we received considerable content from a lot of members throughout the payments industry. And really we’ve had extensive discussions about let’s say scope, because scoping discussions could last all day. But part of my job as a chair included streamlining the material to what was specifically new and relevant to the payment card industry and securing payment data.

So, for example, cloud implementations and detail on the types of cloud deployment models, or containers and orchestration tools and detailed descriptions of those. Instead of including that detail, we’ve added references to our other information supplements where this detail can be found, such as the Cloud Computing information supplement or the Guidance for Containers and Container Orchestration Tools information supplement. Instead, we wanted to focus on new, never-before-published content in this document, while still making sure that the audience knew where to find this related content.

Alicia Malone: I really like that approach, Kandyce. I think that makes a lot of sense. Kandyce, what’s the one thing or the most important thing that you would like readers to take away from this document?

Kandyce Young: If I could, I’d like to say two things, actually. First is, readers will notice that this document does require a base level understanding of foundational scoping and segmentation rules. So, I recommend that before reading this document, if you’re new to PCI DSS, let’s say, start with PCI DSS itself, or you can start with the information supplement we have, Guidance for PCI DSS Scoping and Segmentation. Our latest document isn’t an update to that one. It builds on scoping and segmentation, but through the lens of modern network architecture.

The second point is that PCI DSS version 4.x can secure a variety of modern network architectures out in the wild now. So, environments that employ network virtualization technologies such as service meshes, software-defined networking, or innovative software deployment models, infrastructure as code, zero trust architectures. Regardless of the modern network architecture the organization deploys, certain factors should remain consistent to ensure effective PCI DSS scoping and segmentation practices. These include the consistent application of documented policies, strong identity and access management practices, and a solid understanding of where the data is stored and how it flows. This understanding is fundamental to PCI DSS scoping and segmentation practices and should be a priority in any network architecture decision. With these components, applying PCI DSS controls in any of these modern network architectures can be achieved without compromising innovation.

Alicia Malone: That’s wonderful, Kandyce. I know a lot of work went into this document and you must be so proud of the results. And so, we’re so glad to have you here today to really help explain what went into producing this document and all of the details involved in it. And of course, since you’re on Coffee with the Council, I would be remiss if I didn’t ask you how you take your coffee or if you’re not a coffee drinker, what do you prefer instead?

Kandyce Young: I certainly am a coffee drinker, and I take my coffee black, but maybe a splash of almond milk if it’s around. But when I was working on this SIG guidance document, I certainly did incorporate a shot of espresso in it as well.

Alicia Malone: I bet you did. Probably a lot of late nights. Well, thank you so much for joining us on Coffee with the Council, Kandyce. It’s so insightful to learn more about the value of Special Interest Groups and the important guidance that they produce. Congratulations to you, and to the group, on a job well done in this effort.

Kandyce Young: You know, it really was my pleasure, Alicia, and all of the companies involved in this document can be found in the Acknowledgements section of the document. So, I’m very thankful to each and every member for volunteering your time, effort, and considerable knowledge to making this document as meaningful as it is. So, thank you.

Alicia Malone: And you can download the new information supplement PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures in our Document Library on our website at PCISecurityStandards.org. Thank you so much.
