Determining Scope for PCI DSS Compliance

Audio commentary is available: you can follow along with Jacob Ansari as he walks you through this presentation in the webinar.

Agenda
• Basics of Scope
• Looking at the Guidance
• Examples
• Open Q&A

Basics of scope
• Systems that store, process, or transmit cardholder data
• Systems connected to the above
• Systems that affect the security of the above
• See page 10 of the PCI DSS

Where it gets complicated
• What counts as “connected to”?
• What about “connected to connected to” (systems connected to connected-to systems)?

Some practical examples
• A system in the card data environment communicating with another network
• Shared IT services network
• IT workstations connecting via jump server
• Call center PCs connecting to a Citrix application

What the new guidance says
• Definitions for connected-to and security-impacting systems
• Guidance for what to do with those categories of systems
• Examples

Ok, let’s look at the guidance
• All of my screen captures come from the document

[Screen capture from the guidance document]

Well, now everything is in scope
• This may very well expand scope from prior years
• Intended to address all of the relevant threats
• Informed by actual security incidents
• Not all bad news

Connected to connected to

So that means…
• An AD DC can potentially serve both in-scope and out-of-scope segments
• An admin workstation is in scope, but not necessarily all of the other workstations

What about the fine print?
• Still very easy to make mistakes
• You have to validate that the out-of-scope systems truly can’t get access
• Evaluate the effectiveness of segmentation
• Penetration testing per Requirement 11.3.4

So now the workstations need FIM?
• Evaluate whether the requirements are applicable
• Default is yes
• Justify why it’s not

An example
• CCTV system is in scope
• It supports a PCI DSS control
• Maybe it’s an appliance-like device
• Not running on a Windows machine
• Platform security controls may not apply here

Consider these principles
• Sober risk assessment for applicability
• Not just “we don’t think an attack can do anything”
• Informed by real threat information
• Solid risk assessment methodology

Let’s look at an example
• IT services shared between in-scope and out-of-scope environments
• This segment is in scope
• Non-card network may not be
• Contingent upon controls to restrict access

What are these controls?
• Can’t pass through the IT network into the CDE
• Non-overlapping administrator accounts
• Only administer the IT network locally
• Only administer the CDE from the IT network
• MFA for access into the CDE
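Added example, not from the webinar or from Schellman: a small Python model of the scoping rules from the “Basics of scope” and “connected to connected to” slides together with the controls on this slide, run against a constructed inventory. Every system name, segment, flow and account name is an assumption made for the illustration.

```python
from collections import deque

# Constructed inventory with hypothetical names. forwards=True means the box relays
# interactive sessions onward (a jump host does; a domain controller does not).
SYSTEMS = {
    "pos-app":   dict(seg="cde",  chd=True,  forwards=False, admins={"alice"}),
    "pos-db":    dict(seg="cde",  chd=True,  forwards=False, admins={"alice"}),
    "jump-host": dict(seg="it",   chd=False, forwards=True,  admins={"carol"}),
    "ad-dc":     dict(seg="it",   chd=False, forwards=False, admins={"alice", "bob"}),
    "admin-ws":  dict(seg="corp", chd=False, forwards=False, admins={"carol"}),
    "staff-ws":  dict(seg="corp", chd=False, forwards=False, admins={"bob"}),
}
# Permitted flows (src, dst, kind, mfa): only what the firewall rule base actually allows.
FLOWS = [("admin-ws", "jump-host", "admin", True), ("jump-host", "pos-app", "admin", True),
         ("pos-app", "pos-db", "service", False), ("pos-app", "ad-dc", "service", False),
         ("staff-ws", "ad-dc", "service", False)]
CDE = frozenset(n for n, s in SYSTEMS.items() if s["chd"])  # stores/processes/transmits CHD

def reaches_cde(start):
    """Walk permitted flows from start, continuing through a hop only if it relays sessions."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, _, _ in FLOWS:
            if src == node and dst not in seen:
                if dst in CDE:
                    return True
                seen.add(dst)
                if SYSTEMS[dst]["forwards"]:
                    queue.append(dst)
    return False

def classify():
    """CDE, directly connected-to, in scope because it reaches the CDE, or out-of-scope candidate."""
    buckets = {}
    for name in SYSTEMS:
        direct = any({s, d} == {name, c} for s, d, _, _ in FLOWS for c in CDE)
        buckets[name] = ("cde" if name in CDE else "connected-to" if direct else
                         "in-scope (reaches CDE)" if reaches_cde(name) else "out-of-scope candidate")
    return buckets

def control_gaps():
    """Checks for the 'What are these controls?' slide: MFA into the CDE, no shared admins."""
    gaps = [f"{s}->{d}: admin access into the CDE without MFA" for s, d, kind, mfa in FLOWS
            if kind == "admin" and d in CDE and s not in CDE and not mfa]
    cde_admins = set().union(*(SYSTEMS[n]["admins"] for n in CDE))
    it_admins = set().union(*(s["admins"] for s in SYSTEMS.values() if s["seg"] == "it"))
    if cde_admins & it_admins:
        gaps.append("overlapping admin accounts: " + ", ".join(sorted(cde_admins & it_admins)))
    return gaps
```

With this inventory, classify() leaves only staff-ws as an out-of-scope candidate (the DC it talks to does not relay sessions, so it cannot get into the CDE), while admin-ws is in scope because the jump host does, and control_gaps() reports the one deliberate defect: "alice" administers both the CDE and the domain controller.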

Other examples worth mentioning
• Admin workstations from corporate network
• Call centers connecting to web-based payment application
• Systems fulfilling DSS requirements:
  • Patch management
  • Physical security controls

So what do we do now?
• Identify your scoping pitfalls
• Contact us with questions
• Start working on new segmentation efforts now
• Make sure your penetration testing addresses this

What about penetration testing?
• Req 11.3.4 says test your segmentation
• Not just a network port scan
• Identify your specific scope boundaries and segmentation controls:
  • Remote access methods
  • Authentication and user controls

What about penetration testing?
• Effective segmentation testing addresses specific cases
• Test report should identify the specific scenarios
• Probably need coordination between QSA, tester, organization

A few concluding ideas
• Intended to close loopholes and protect organizations
• Aligns DSS with doing security correctly
• Clarify ambiguous and problematic situations

Thank you
www.schellmanco.com