
PCI DSS compliance: A closer look at Requirements 1.1.2 and 1.1.3 – Cardholder Data Environment Diagrams
January 2018

What is a Cardholder Data Environment?

At its simplest, an organisation's Cardholder Data Environment (CDE) is the physical and technical environment where Account Data is accepted, captured, handled, processed, stored and/or transmitted. Anywhere that people, processes and technologies store, process or transmit Account Data will be in scope for the Payment Card Industry Data Security Standard (PCI DSS) and considered part of the CDE.

As most card data breaches involve a compromise of the CDE, the PCI DSS requires a wide variety of security controls to be maintained to help protect this data on its entry into, while it is within, and on its exit or removal from the CDE.

The CDE consists of:

- All system components that store, process, or transmit Account Data;
- System components that do not themselves store, process, or transmit Account Data but are 'adjacent to' (e.g. on the same network as) a system component that does.

However, the PCI DSS applies to more than just the system components within the CDE; also in scope are 'connected-to or security-impacting' system components that:

- Connect or have access to the CDE either directly or indirectly, e.g. via a jump server;
- Can impact the configuration or security of the CDE, e.g. a server providing name resolution (DNS) for the CDE;
- Provide security services to the CDE, e.g. an identification and authentication server, such as Active Directory;
- Support PCI DSS requirements, e.g. an audit log server;
- Provide segmentation of the CDE from out-of-scope systems, e.g. internal firewalls.

For additional guidance on determining whether systems are in scope or out of scope, please see the articles referenced below.

System components can be network devices, servers, computing and mobile devices, and applications. That may include, but is not limited to:

- Virtualisation components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors
- Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances
- Server types such as web, application, database, mail, proxy, etc.
- Applications including all purchased and custom applications, including internal and external (for example, Internet) applications
- Third party devices, systems, networks or people, such as remote access, VPNs, IT support.

Copyright Sysnet Global Solutions, Sysnetgs.com
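The scoping rules above (CDE membership by storing, processing or transmitting Account Data or by sitting on the same network as a component that does, plus the 'connected-to or security-impacting' category) can be applied mechanically to a component inventory, which is a useful first check before any diagram is drawn. The Python below is an added example, not code from Sysnet or the PCI SSC. The component names, network segments and connections are a constructed sample inventory, and the attribute names (`handles_account_data`, `services_for_cde`, `connects_to`) are this example's own modelling assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One system component from the inventory (assumed model, not a PCI SSC data format)."""
    name: str
    segment: str                        # network segment the component sits on
    handles_account_data: bool = False  # stores, processes or transmits Account Data
    services_for_cde: tuple = ()        # security services it provides to the CDE:
                                        # "dns", "auth", "logging", "segmentation"
    connects_to: tuple = ()             # names of components it can reach directly


# Constructed sample inventory: a small retail network with one jump server into the CDE.
SAMPLE_INVENTORY = (
    Component("pos-terminal", "pos-lan", handles_account_data=True),
    Component("payment-db", "pci-db", handles_account_data=True),
    Component("inventory-server", "pos-lan"),                 # no CHD, but shares the POS LAN
    Component("jump-server", "mgmt", connects_to=("payment-db",)),
    Component("admin-workstation", "corp", connects_to=("jump-server",)),
    Component("corp-dns", "corp", services_for_cde=("dns",)),
    Component("ad-dc", "corp", services_for_cde=("auth",)),
    Component("log-collector", "mgmt", services_for_cde=("logging",)),
    Component("core-firewall", "mgmt", services_for_cde=("segmentation",)),
    Component("marketing-web", "dmz", connects_to=("corp-dns",)),
    Component("hr-fileserver", "corp"),
)


def _can_reach(start, by_name, targets):
    """Directed reachability over connects_to edges; covers 'indirectly, e.g. via a jump server'."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen or name not in by_name:
            continue
        seen.add(name)
        for nxt in by_name[name].connects_to:
            if nxt in targets:
                return True
            stack.append(nxt)
    return False


def classify_scope(components):
    """Return {name: 'CDE' | 'security-impacting' | 'connected-to' | 'out-of-scope'}."""
    by_name = {c.name: c for c in components}
    # CDE: handles Account Data, or is adjacent (same segment) to a component that does.
    cde = {c.name for c in components if c.handles_account_data}
    cde_segments = {by_name[n].segment for n in cde}
    cde |= {c.name for c in components if c.segment in cde_segments}

    result = {}
    for c in components:
        if c.name in cde:
            result[c.name] = "CDE"
        elif c.services_for_cde:
            result[c.name] = "security-impacting"
        elif _can_reach(c.name, by_name, cde):
            result[c.name] = "connected-to"
        else:
            result[c.name] = "out-of-scope"
    return result


def in_scope_names(components):
    """Sorted names of every component that must be covered by the PCI DSS assessment."""
    return sorted(n for n, cat in classify_scope(components).items() if cat != "out-of-scope")


def example_scope():
    return classify_scope(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for name, category in example_scope().items():
        print(f"{name:18} {category}")
```

The directed walk over `connects_to` is what pulls the admin workstation into scope even though it only reaches the CDE through the jump server, while the marketing web server stays out of scope: it talks to the DNS server, but that server is security-impacting rather than part of the CDE itself. In practice the inventory comes from the network documentation and process interviews this paper goes on to describe, not from a hand-typed tuple.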

What is Account Data?

Account Data, also often referred to as Payment Card Data, is comprised of Cardholder Data (CHD) and Sensitive Authentication Data (SAD):

[Table: From PCI DSS v3.2 page 7]

CHD and SAD must be protected as per the PCI SSC guidelines:

[Table: From PCI DSS v3.2 page 8]

Why do I need a Cardholder Data Environment diagram(s)?

The creation of network and data flow diagram(s) that define the CDE (Cardholder Data Environment diagrams) is one of the most important first steps for any organisation trying to determine Account Data use across its people, locations, functions, processes and systems, and hence to define its PCI DSS assessment scope. The CDE diagram(s) should be used as one of the organisation's central reference sources when addressing PCI DSS compliance and protecting Account Data.

Network and data flow diagram(s) are required by the PCI DSS:

PCI DSS Requirement 1.1.2: Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Guidance: Network diagrams describe how networks are configured, and identify the location of all network devices.

PCI DSS Requirement 1.1.3: Current diagram that shows all cardholder data flows across systems and networks.
Guidance: Cardholder data-flow diagrams identify the location of all cardholder data that is stored, processed, or transmitted within the network.

Organisations required to formally assess their compliance must have network and data flow diagram(s). For self-assessing entities, a network diagram is mandatory for the PCI DSS SAQ A-EP, SAQ B-IP and SAQ D questionnaires, while SAQ A-EP and SAQ D also require a card data flow diagram. For the remaining questionnaires, these diagrams are not mandatory, but it is good practice to create one or more diagrams to illustrate the CDE, the network(s) and systems that are part of or connect to the CDE, and the journey of CHD and SAD across systems and network(s) as it is captured, transmitted, processed and potentially stored. Without the diagrams, Account Data may be overlooked, unprotected, exposed to fraud, or stored in breach of PCI DSS.

Understanding where Account Data is captured, transmitted, processed and/or stored can:

- Help an organisation understand and define its CDE.
- Define the PCI DSS assessment scope.
- If applicable, identify the relevant PCI DSS SAQ questionnaire(s).
- Help determine which PCI DSS requirements are applicable to the organisation.
- Highlight potential security weaknesses in networks/systems/processes.
- Highlight potential opportunities for reducing the scope of the PCI DSS assessment.

How to create a Cardholder Data Environment Diagram

To identify where Account Data storage, processing, or transmission takes place within your organisation, it is necessary to understand all payment methods/channels. This is generally a collaborative effort between departments, potentially also involving third party service providers, and can be broken down by the three payment channels – Ecommerce, Face-to-face, and MOTO (Mail Order/Telephone Order).

To develop a CDE diagram you will need:

- Up-to-date IT network documentation. Without a current network diagram, systems could be overlooked and unknowingly left out of the security controls implemented for PCI DSS, or network connections could be left poorly protected, leaving the CDE vulnerable to attack or compromise by malicious individuals.
- Knowledge of all Account Data handling and payment processes within the organisation. Gather information on all aspects of Account Data receipt, capture, processing, retention/storage, archiving and destruction. This must include not only card payment processes but also Account Data handling processes such as bookings (where card data is captured but no payment is taken), chargebacks, refunds, etc.

You will need to identify all of the people (including third parties), processes and technologies involved in the handling/transmission/processing of Account Data (in both hard copy and electronic form) across all teams, functions and services involved in each payment method/channel. This is often the most difficult part to investigate, due to the many different forms and historic ways of taking Account Data throughout an organisation.

The first step in creating a CDE diagram is to document what is and isn't included in the CDE.

Follow the movement of the Account Data from its entry point(s), through the organisation, until it permanently leaves the organisation or is destroyed. This will identify all the components that are involved in the processing, storage, and transmission of the cardholder data.

For merchant organisations, mapping the list of Merchant Accounts or Merchant IDs (MIDs) to each payment channel can help to identify payment processes and card data flows. Note that not all MIDs may be used to process payments directly by the organisation. Some MIDs may be used by third parties to process payments on the merchant organisation's behalf. The merchant retains responsibility for the protection of Account Data and for the fulfilment of the applicable PCI DSS requirements by third party service providers, and must therefore include those activities when defining assessment scope and creating CDE diagram(s).

Steps to creating a Cardholder Data Environment Diagram

1. Create or use an existing network diagram showing all locations, networks, and connectivity (internal and external). A hand-drawn diagram is the best place to start, and can be made professional using a design package. Because Requirement 1.1.2(b) requires the diagram to be updated when changes occur, a design package makes it easier to make revisions and keep a version history.

There are many different design packages that can be used to draw the diagram, some free, some expensive, all with different functionality. Here is a selection:

- Microsoft Visio
- Gliffy
- Draw.io
- LucidChart
- yEd

An example of a basic network diagram:

[Figure: example basic network diagram]

2. Create a copy of the network diagram for each payment channel that is used – Ecommerce, Face-to-face, and MOTO. A single diagram can work for smaller configurations but may become confusing in multi-channel environments.

3. Add the payment systems that store, process, or transmit CHD (per the guidance in 'What is a Cardholder Data Environment?') for each payment channel to the diagrams. Examples would be:

- Websites hosted internally or by a 3rd party service provider
- Applications/databases
- Payment terminals (PSTN, network (IP), or mobile (GPRS))
- Virtual terminals
- POS systems (PCs, servers, equipment)
- Telephone call recording systems
- VoIP telephone systems
- Post/email
- Merchant receipts/paper
- Fax/e-fax
- Backup systems/sites/devices/media
- Archived cardholder data/systems
- 3rd party devices/systems/support

4. Use arrows and numbers to show the movement of cardholder data between people, devices and entities, as shown in the simplified examples below. In addition, use colour coding and a key to show where CHD is:

- Stored
- Processed
- Transmitted
- Encrypted
- Unprotected
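Step 4 asks for numbered arrows plus colour coding for stored, processed, transmitted, encrypted and unprotected. Once the flows have been captured as data, that diagram can be generated rather than drawn, which also keeps the version history Requirement 1.1.2(b) implies. The Python below is an added example, not tooling from Sysnet or any of the design packages listed above: it turns a list of numbered data-flow hops into Graphviz DOT text with exactly that key and separately lists the steps on which CHD travels unprotected. The `Flow` fields and the face-to-face sample hops (including a clear-text copy to a back-office server) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One numbered hop of cardholder data between two people, devices or entities (assumed model)."""
    step: int
    source: str
    target: str
    encrypted: bool                  # is CHD protected on this hop?
    stored_at_target: bool = False   # does the target retain CHD?
    processed_at_target: bool = False


# Constructed sample: a face-to-face channel where step 4 copies CHD to a back-office log in clear.
SAMPLE_FLOWS = (
    Flow(1, "Customer card", "PIN pad", encrypted=True, processed_at_target=True),
    Flow(2, "PIN pad", "POS application", encrypted=True, processed_at_target=True),
    Flow(3, "POS application", "Payment gateway (3rd party)", encrypted=True, processed_at_target=True),
    Flow(4, "POS application", "Back-office server", encrypted=False, stored_at_target=True),
)


def node_roles(flows):
    """Map each node to the set of things done with CHD there: stored / processed / transmitted."""
    roles = {}
    for f in flows:
        roles.setdefault(f.source, set()).add("transmitted")
        target_roles = roles.setdefault(f.target, set())
        if f.stored_at_target:
            target_roles.add("stored")
        if f.processed_at_target:
            target_roles.add("processed")
    return roles


def node_fill(roles):
    """Key: gold = CHD stored here, light blue = processed only, white = transit only."""
    if "stored" in roles:
        return "gold"
    if "processed" in roles:
        return "lightblue"
    return "white"


def unprotected_steps(flows):
    """Step numbers on which CHD is not encrypted; these are the weaknesses a diagram should expose."""
    return [f.step for f in flows if not f.encrypted]


def render_dot(channel, flows):
    """Emit a Graphviz DOT digraph: numbered arrows, green = encrypted, red = unprotected."""
    roles = node_roles(flows)
    out = [f'digraph "{channel}" {{', "  rankdir=LR;", "  node [shape=box, style=filled];"]
    for name, r in roles.items():
        label = f"{name}\\n({', '.join(sorted(r))})"
        out.append(f'  "{name}" [fillcolor="{node_fill(r)}", label="{label}"];')
    for f in sorted(flows, key=lambda x: x.step):
        colour = "darkgreen" if f.encrypted else "red"
        label = f"{f.step}" if f.encrypted else f"{f.step} UNPROTECTED"
        out.append(f'  "{f.source}" -> "{f.target}" [label="{label}", color="{colour}", fontcolor="{colour}"];')
    out += [
        "  subgraph cluster_key {",
        '    label="Key";',
        '    key [shape=note, label="Fill: gold = stored, blue = processed, white = transit only\\n'
        'Arrow: green = encrypted, red = unprotected"];',
        "  }",
        "}",
    ]
    return "\n".join(out)


def example_dot():
    return render_dot("Face-to-face", SAMPLE_FLOWS)


if __name__ == "__main__":
    print(example_dot())
    print("// unprotected steps:", unprotected_steps(SAMPLE_FLOWS))
```

Save the output as `flow.gv` and render it with `dot -Tpng flow.gv -o flow.png`; one such file per payment channel matches step 2 above, and re-running the script after a change produces a diff-able revision rather than a redrawn picture.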

Payment channel CDE diagram examples

[Figures: example CDE diagrams for each payment channel]

References

- PCI DSS v3.2
- PCI SSC Guidance for PCI DSS Scoping and Segmentation
- Sysnet: New PCI SSC Scoping & Segmentation Guidance: What does it mean?