New PCI Guidance on Simplifying Network Segmentation
Troy Leach of PCI Security Standards Council Discusses Steps to Protect Card Data
The PCI Security Standards Council has released new guidance that's designed to help organizations simplify network segmentation, a practice the council strongly recommends to help protect payment card data.
"This guidance we've had in some shape or form for many years, but [the new release] makes it easier to understand," Troy Leach, CTO of the PCI Council, says in an in-depth interview with Information Security Media Group.
Network segmentation reduces exposure of cardholder data by confining the information to systems and servers that are isolated from other parts of the network. The new guidance, Leach explains, aims to help organizations understand how they can put controls in place to limit connectivity among servers.
"What we tried to do is provide practical guidance that helps shape the assessment before it begins so that you can create good, practical, manageable environments for network security around cardholder data without having to break the bank when trying to secure all systems equally," he says.
The new guidance, Leach explains, also points out:
- Only systems that contain or are connected to systems that contain sensitive cardholder information need to comply with the PCI Data Security Standard.
- By storing less data, organizations can minimize their PCI DSS compliance costs.
- By re-engineering a network, organizations can reduce the number of systems that must be PCI DSS compliant, thus reducing the number of controls that have to be implemented.
Other Compliance-Related Issues
During this interview, Leach also discusses:
- The challenges virtualized networks pose for proper network segmentation;
- The critical roles assessors and acquiring banks play in ensuring PCI DSS compliance; and
- How network segmentation, if done incorrectly, can actually put cardholder data at greater risk.
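The scoping rule in the first list above (a system is in scope if it contains cardholder data or is connected to one that does) and the point that badly done segmentation can widen exposure, as an added example that is not part of the article or of the PCI Council's guidance: a small Python scope calculator over a constructed inventory of firewall allow rules, plus the check an assessor would run to see whether a claimed out-of-scope system really has no path to cardholder data. The system names, the rules and the direct-connectivity reading of the rule are assumptions made for the example.

```python
# Constructed example inventory (names and rules invented for illustration):
# each system maps to the systems its firewall allow rules let it reach.
FLAT_NETWORK = {
    "pos-terminal": {"payment-db", "file-share"},
    "payment-db": set(),
    "file-share": {"hr-workstation", "print-server"},
    "hr-workstation": {"file-share"},
    "print-server": set(),
    "guest-wifi-ap": {"file-share"},
}
CARDHOLDER_SYSTEMS = {"pos-terminal", "payment-db"}


def pci_scope(network, cde_systems):
    """Apply the scoping rule quoted from the guidance: a system is in scope
    if it holds cardholder data or has an allow rule to or from such a
    system. Either direction counts, because a cardholder system reaching
    out to a server still gives that server a path back into card data."""
    in_scope = set(cde_systems)
    for src, dsts in network.items():
        for dst in dsts:
            if src in cde_systems or dst in cde_systems:
                in_scope.update((src, dst))
    return in_scope


def segmentation_gaps(network, cde_systems, claimed_out_of_scope):
    """Return the allow rules that contradict a claim that a system is out
    of scope: the check to run before trusting a segmentation diagram.
    An empty list means the claim holds for these rules."""
    return sorted(
        (src, dst)
        for src, dsts in network.items()
        for dst in dsts
        if (src in cde_systems and dst in claimed_out_of_scope)
        or (dst in cde_systems and src in claimed_out_of_scope)
    )


def segment(network, rules_to_drop):
    """Re-engineer the network by removing the given (src, dst) allow rules.
    Returns a new map; the original inventory is left untouched."""
    new = {src: set(dsts) for src, dsts in network.items()}
    for src, dst in rules_to_drop:
        new[src].discard(dst)
    return new


if __name__ == "__main__":
    print("flat scope:", sorted(pci_scope(FLAT_NETWORK, CARDHOLDER_SYSTEMS)))
    print("gaps:", segmentation_gaps(FLAT_NETWORK, CARDHOLDER_SYSTEMS, {"file-share"}))
    segmented = segment(FLAT_NETWORK, [("pos-terminal", "file-share")])
    print("segmented scope:", sorted(pci_scope(segmented, CARDHOLDER_SYSTEMS)))
```

Dropping the single rule that lets the POS terminal reach the file share takes the file share out of scope; leaving it in place would have quietly kept that share, and whatever it serves, inside the assessment.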
In his role at the PCI Council, Leach partners with council representatives, PCI participating organizations and industry leaders to develop comprehensive standards and strategies to secure payment card data and the supporting infrastructure. He is a congressional subject-matter expert on payment security and is the current chairman of the council's standards committee.