PCI DSS Security Standards have for long been a hot topic of discussion in the industry. It may seem quite confusing and intimidating, as many organizations fail to understand its requirements and area of application.

1. © VISTA InfoSec ®
PCI DSS Security Standards have for long been a hot topic of discussion in the industry. It may
seem quite confusing and intimidating, as many organizations fail to understand its
requirements and area of application. Organizations are struggling to understand the
application of PCI DSS controls and identify systems that need to be secured. However, in this
document, we have put together a detailed guide that shall help you understand the ins and
outs of PCI DSS Security Standards and Compliance for your business. This document will
work as a guide for organizations to identify systems that need to be included “in-scope” for
PCI DSS. Further, the document helps understand how segmentation can help reduce the
number of systems that require PCI DSS controls.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of
Security Standards formed in the year 2004 by 5 major credit card companies also known as
card brands namely, Visa, MasterCard, Discover, JCB and, American Express. Governed by
the Payment Card Industry Security Standard Council (PCI SSC), the set policy and procedure
intend to optimize and secure credit, debit and, cash card transactions. This shall help protect
cardholders against data fraud, data theG and, misuse of personal information. However, PCI
SSC has no legal authority to compel Compliance. But if you intend to offer any processes
concerned with the 5 card brands such as issuing, acquiring, authorisation, clearing,
settlement or even as a service provider to these processes, then you need to be certified PCI
DSS. This specially applies to both merchants and service organisations. PCI Certification is
the best way to secure sensitive data/information and help businesses establish a sense of trust
with their customers.
Who needs to be a PCI DSS Compliant?
PCI DSS applies to all entities who are involved in the card payment process including
merchants, processors, issuers and, service providers. This is also applicable to all entities
who store, process or, transmit cardholder data and/or sensitive authentication data. Even
organisations providing services that impact the security of the cardholder data environment,
are required to be PCI DSS Compliant.
What is the scope of the PCI DSS Compliance?
Once you begin the journey of PCI DSS Compliance, you need to primarily identify the scope
to which it applies. However, one should bear in mind that they cannot define the scope as
per their business priorities or budgets as generally obsereved in ISO projects.
PCI DSS Scoping and
Segmentation

2. Given below are systems to which PCI DSS Security requirements may be applicable.
1. System Components
The PCI DSS security requirements apply to all system components included in or connected
to the Cardholder Data Environment (CDE). “System components” includes all network
devices, servers, computing devices, and applications. So, any system component that stores
or processes, or transmits payment card information are considered as a part of CDE. One of
the best ways to determine the CDE is to document or map the way how payment information
flows throughout the environment. This will help you determine all systems and system
components that are subject to PCI Compliance.
2.Systems within the network
Systems that fall inside the same physical or logical network are also a part of the CDE. So,
systems cannot be easily excluded on grounds that systems do not store, process or,transmit
payment card information.
3.Third-Party
PCI DSS is also applicable if you are responsible for third parties that store or process or
transmit credit card information. So, for instance, a web hosting company that hosts an e-
commerce website that stores or processes or transmits cardholder data falls “in scope”. So,
in this case, the web hosting company is obliged to be PCI DSS Compliant. In such a
scenario, it the responsibility of an E-commerce company to check whether the web hosting
company is PCI Compliant or not, once a year. In case the vendor is not PCI DSS Compliant,
and if the company still wish to continue working with them, then it is their responsibility to
ensure the vendor is compliant.
Note- Every PCI DSS SECURITY requiremenTS/control apply to people, prOCESSES, and
tECHNOLOGIES that interact with or impact the SECURITY of CHD (Card Holder Data).
The objective of PCI DSS Compliance
We have listed down 6 primary goals/objectives of being PCI Data Security Standard Compliant
and they are asfollows:
1.Build and Maintain a Secure Network
One of the main objectives of being PCI DSS Compliant is to ensure that the organization builds
and maintains a secure network that protects all confidential data.
WayS to achieve it
 Install and maintain a firewall configuration to protect cardholder data.
 Avoid using vendor-supplied default system passwords and other security parameters.

3. © VISTA InfoSec ®

4. 2. Protect Cardholder data
Protecting Cardholder data is the main focus and top priority. Ensuring Compliance limits the
possibility of cardholder data breach/ data theG.
WayS to achieve it
 Secure stored Cardholder Data
 Encrypt transmission of Cardholder Data across networks
3. Maintain a Vulnerability Management Program
Compliance with PCI DSS will ensure that the organization has in place a Vulnerability
Management Program that helps strengthen the network and protect data.
WayS to achieve it
 Keep a regular check on the system and update anti-virus soGware or programs in it.
 Develop and maintain secure systems and applications.
4.Implement Strong Access Control Measures
PCI DSS requirements will ensure organizations implement strong access control measures to
prevent unauthorized access and misuse of data.
WayS to achieve it
 Limit access to only authorized persons for accessing Cardholder Data.
 Provide a unique ID to every authorized person having access to the system.
 Restrict physical access to Cardholder Data.
5. Regularly Monitor and Test Networks
Compliance with PCI DSS will ensure regular monitoring and testing of the network.
 Conducting regular monitoring, tracking, and testing activities on all access points to network
resources and cardholder data.
6.Maintain an Information Security Policy
Organizations will develop and maintain an Information Security Policy as per the
requirements of PCI DSS Compliance.
WayS to achieve it-
 Frame a detailed policy that addresses the organization’s Information Security issues.
© VISTA InfoSec ®

5. Understanding PCI DSS Scoping & Segmentation
The PCI Security Standards Council (SCC) in the year 2016 December released a
supplemental guide for scoping and network segmentation. The purpose of this guide was to
help organizations determine systems “in scope” for PCI DSS, and understand how
segmentation can reduce the number of in-scope systems. The objective was to help
organizations protect their data from potential risks/threats, which involve targeting system
with fewer security controls and get access to sensitive cardholder data for a possible higher
security systems breach. However, for an easy understanding, we have simplified the
document detailing PCI DSS Scoping and Segmentation for our readers. So, before getting
deeper into the Compliance aspect, let us understand what PCI DSS Scoping & Segmentation
means.
What defines Scoping?
The PCI Security Standards Council (PCI SSC) defines “scope” as that part of your environment
which must meet the control objectives stated in the PCI Data Security Standard (DSS). Simply
put, three components define Scope and they areStorage, Processing, and Transmitting. So,
any system that stores processes, or transmits payment card details fall within the scope for
PCI Compliance. One of the best ways to determine systems “in scope” is by mapping out the
payment data flow throughout your environment. This will accordingly determine all the
systems that are subject to PCI DSS Compliance. To reiterate, wherever the criterion for
scoping as described above applies, that is the scope. A company cannot by itself define what
can be included for now and what can be “taken up later on”.
PCI DSS Scope Categories
PCI DSS Scope can be classified into different categories. Scoping can be defined under
three different categories which clearly state whether the system is “in scope” “connected-to-
system in scope” or “out- of-scope”.
SyStEMS CONSIDERed “In-Scope”
Systems that are directly involved, connected, or impact the security of the cardholder, falls within
the scope of PCI DSS.
 Systems storing, process, or transmitting Cardholder Data (CHD) and Sensitive
Authentication Data(SAD).
 Systems that do not store, process, or transmit Cardholder Data, but fall in the same or
adjacentnetwork.
© VISTA InfoSec ®

6. Directly or Indirectly ‘Connected-to or SECURITY-impacting’ SyStEMS ComponenTS:

 Systems that directly or indirectly connect or have access to the CDE (example a system
connected viaa jump server).
 Systems that impact the configuration or security of the CDE (for example a server
providing nameresolution (DNS) for the CDE).
 Systems that provide security services to the CDE (example identification & authentication
server likean ActiveDirectory).
 Systems that support PCI DSS requirements or provide segmentation of the CDE from out-
of-scope systems.
SyStEMS CONSIDERed “Out-of-Scope”
“Out-of-scope” is an explicit criterion which a system should meet for it to be considered out of
the PCI DSS scope. So, if and when the system falls out-of-scope, it will not require PCI DSS
controls. All of the below-given criteria should be met to fall in the category of “out-of-scope”:
 Systems that do not store, process, or transmit cardholder data (CHD) or sensitive
authentication data(SAD);
 Systems do not fall in the same network segment as systems that store, process, or
transmit CHD or SAD;
 Systems that do not have direct and indirect access to any system in the CDE;
 Systems that do not directly or indirectly impact security control of CDE;
 Systems that do not meet or fall in the criteria described as connected-to or security-
impactingsystems.
Note- If an organization fails to meet all of the above-mentioned criteria, then the system
component shall by default be considered “in-scope” for PCI DSS. The PCI Council has made
it clear that “Systems connected” are also considered in-scope, and all PCI DSS
requirements shall apply to any system connected to the CDE.
Why is Network Segmentation essential?
Understanding PCI DSS Compliance and Network segmentation are very critical because it
helps merchants and other service providers segment their information systems, and
minimize the effort necessary to meet PCI DSS requirements for securing cardholder data.
Given below are some good reasons why Network segmentation is essential for an
organization-
 Network Segmentation reduces the scope and complexity of card-processing networks and
datamanagement processes.
 It ensures the company only store sensitive cardholder data in specific locations and limit
access to only individuals who need it.
 It is an essential security practice for companies who wish to protect cardholder’s data and
also reduceits PCI DSS Compliance scope.
 Network Segmentation helps reduce costs associated with your PCI Assessment.
 Network Segmentation improves data security and limits or reduces the possibility of data
breach/data theG.
© VISTA InfoSec ®

7.  The process also makes it easier to spot anomalies within each distinct network.
 Effective Network Segmentation can also prevent “out-of-scope” systems from overlapping
withsystems in the Cardholder Data Environment.
CLOSING thought –
When it comes to scoping for PCI DSS, the best approach to it is assuming that everything is in
scope until verified. Further, determining that a system is out-of-scope does not imply that the
system is secure and needs no protection. A system that does not fall “in-scope” for PCI DSS
may still pose a threat to the CDE (as a part of domino effect) and the organization as a whole.
As an expert in the Infosec industry, I have noticed a common pattern in the data breach,
wherein an attacker always strives to first target systems deemed out-of-scope for PCI DSS.
While payment card data details are one set of confidential data that needs to be secured,
companies also have a legal responsibility to protect and secure any personal data of their client.
So, as a comprehensive measure for securing all confidential data, I strongly recommend PCI
DSS as an appropriate measure to secure not just the data of payment cardholder, but also other
sensitive and confidential data in an organization’s network/system. Implementing best
security control practice will help organizations protect their infrastructure and other system
components that are deemed to be “out-of-scope” as per PCI DSS requirements.
facebook.com/vistainfosec/ in.linkedin.com/company/vistainfosec twitter.com/VISTAINFOSEC
Do write to us your feedback, comments and queries or, if you have any requirements:
info@vistainfosec.com
You can reach us on:
USA
+1-415-513 5261
INDIA
+91 73045 57744
SINGAPORE
+65-3129-0397
© VISTA InfoSec ®