What is PCI DSS?

The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard developed to enhance cardholder data security for organizations that store, process or transmit credit card data. Its primary purpose is to reduce vulnerability of cardholder information and prevent credit card fraud by increasing controls where cardholder data is stored, processed, or transmitted. Organizations that maintain a cardholder environment data include retailers, retail branches on any business in any industry, online payment services, banks that issue credit cards, and service providers that offer online cloud services for payment processing.

Compliance to the PCI DSS is achieved by meeting a minimum set of requirements. In PCI DSS 3.0, there is about 300 requirements grouped in 12 categories as represented in the following table:

PCI DSS compliance is mandatory to all organizations that participate in the storage, processing, or transmission of cardholder data. To attain compliance, organizations must pass an assessment that audits all parts of the network that interact with cardholder environment. In some areas, the PCI Security Standards Council (SSC) is very prescriptive in the type of technologies and products that need to be deployed, and how these need to the deployed. In other areas, there is no specific prescribed approach or structure for the implementation of a compliant system.

Network Segmentation

Among the methods for developing and implementing PCI compliant information security, network segmentation has emerged as a best practice for its significant impact in reducing cost and complexity of PCI compliance. Network segmentation isolates cardholder data to specific servers or areas of the network, narrowing the scope of the network subject to PCI DSS compliance. The resulting benefits are dramatic reduction in:

• PCI DSS assessment costs
• Costs of compliance implementation and maintenance
• Effort required to develop and apply security policies
• Risk to the organization, as a result of minimized exposure of cardholder data and ease of controlling the segment
• Forensic costs in the event that a security incident occurs, due to simplicity of locating and investigating traffic

The reduced cost and complexity of network segmentation results in a highly secured network at a fraction of the potential cost. Without network segmentation, the entire network is within scope of the PCI audit and at risk. The following diagram juxtaposes the non-segmented and segmented network:

On the left is a flat network, in which the entire network is subject to PCI audit. On the right, cardholder data is isolated in a security zone with authorized users being the only group who can access the data. Palo Alto Networks enterprise security platform enables organizations to create security zones that contain all relevant information and traffic, and give administrators the ability to control, at a very granular level, the security policies that apply to applications, users, and content. Only authorized traffic is explicitly allowed to traverse each security zone.