Estimated reading time: 2 mins
Do you want to become PCI DSS (Payment Card Industry Data Security Standard) compliant? If so, you must understand network segmentation. Segmentation is when you create data controls that meet data security requirements. Below are some key ideas related to network segmentation:
The Cardholder Data Environment (CDE)
The Cardholder Data Environment contains a person’s private information. This data comes from their credit or debit card. If you have access to the CDE, you can see information like account numbers and expiration dates.
You need to protect the CDE. If hackers have access to it, they can put false charges on customers’ credit and debit cards. You can find cardholder data environments in many places. If a computer or system works with credit and debit cards, it is a CDE. Here are some examples of CDEs:
- Networking devices
- Computers
- Servers
How PCI DSS and Network Segmentation Work Together
To protect the cardholder data environment, you must protect the cardholder data. Cardholder data could enter a device in many ways. USB drives, Bluetooth devices, and virtual machines are just a few. Because there are a lot of ways data could enter a system, there are a lot of ways that hackers could access it. You need to protect all ‘entry points’
How Companies Scope Systems
If you want to scope the PCI DSS, you must look at the different ways data could enter your systems. Write down where you get cardholder data from. Then, think of all the ways someone could access it.
Next, you must figure out where you work with data. To identify these places, you’ll need to know:
- Who handles the cardholder data?
- What they do with the cardholder data?
- What software and tools work with the data?
At this point, you will have identified the people and places that work with the CDE. Now you will have to create controls and limits that protect your information. You can do this by encrypting the data. You should also use data security techniques.
It is your responsibility to make sure that hackers cannot access customer information. Anytime you change something in the CDE, you will need to upgrade your security measures.
Transferring Risks to Third-Party Service Providers
Third party service providers help your business. They may also work with your cardholder data environment. Unfortunately, this also means that they can put your security at risk.
If you work with any third parties, ask them to prove that they are compliant. You may ask them to show proof that they have completed a security assessment. Choose service providers with care, and always put your customers’ security first.
