The PCI Security Standards Council has released new guidance that is designed to help organizations simplify network segmentation, a practice the council strongly recommends to help protect payment card data.
"This guidance we've had in some shape or form for many years, but [the new release] makes it easier to understand," Troy Leach, CTO of the PCI Council, says in an in-depth interview with Information Security Media Group.
Network segmentation reduces exposure of cardholder data by confining the information to systems and servers that are isolated from other parts of the network. The new guidance, Leach explains, aims to help organizations understand how they can put controls in place to limit connectivity among servers.
"What we tried to do is provide practical guidance that helps shape the assessment before it begins so that you can create good, practical, manageable environments for network security around cardholder data without having to break the bank when trying to secure all systems equally," he says.
The new guidance, Leach explains, also points out:
- Only systems that store cardholder data, or that are connected to systems that do, need to comply with the PCI Data Security Standard.
- By storing less data, organizations can minimize their PCI DSS compliance costs.
- By re-engineering a network, organizations can reduce the number of systems that must be PCI DSS compliant, thus reducing the number of controls that have to be implemented.
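The scoping rule above (systems that store cardholder data, plus systems connected to them) can be checked mechanically against a network inventory. The following is an added example, not code from the article or the PCI Council; it models a constructed flat LAN, applies the rule, then applies it again after segmentation that permits only a log collector to reach the cardholder data environment. The host names, the one-hop "connected-to" reading of the rule, and the permit set are assumptions.

```python
"""Added example (not from the article or the PCI Council guidance):
PCI DSS scope as direct connectivity to cardholder-data (CHD) hosts,
computed before and after network segmentation."""
from itertools import combinations

def flat_lan(hosts):
    """Constructed sample: a flat LAN where every host reaches every other."""
    net = {h: set() for h in hosts}
    for a, b in combinations(hosts, 2):
        net[a].add(b)
        net[b].add(a)
    return net

def in_scope(network, chd_hosts):
    """Scope per the article's rule: CHD hosts plus every host with
    direct connectivity to a CHD host (one-hop reading, an assumption)."""
    scope = set(chd_hosts)
    for host in chd_hosts:
        scope |= network.get(host, set())
    return scope

def segment(network, chd_hosts, allowed):
    """Re-engineered network: an edge crossing the CDE boundary survives only
    if it is in `allowed` (explicit permits, as frozenset pairs); edges that
    stay on one side of the boundary are untouched."""
    new = {}
    for host, peers in network.items():
        new[host] = {
            p for p in peers
            if (host in chd_hosts) == (p in chd_hosts)
            or frozenset((host, p)) in allowed
        }
    return new

# Constructed inventory: two CDE hosts, a log collector that legitimately
# needs a path into the CDE, and three hosts that never should.
HOSTS = ["pos-terminal", "payment-db", "siem", "hr-server", "wiki", "guest-wifi"]
CHD = {"pos-terminal", "payment-db"}
PERMITS = {frozenset(("payment-db", "siem")), frozenset(("pos-terminal", "siem"))}

def scope_before_and_after():
    """Return the in-scope host sets for the flat LAN and the segmented one."""
    before = in_scope(flat_lan(HOSTS), CHD)
    after = in_scope(segment(flat_lan(HOSTS), CHD, PERMITS), CHD)
    return before, after

if __name__ == "__main__":
    before, after = scope_before_and_after()
    print(f"flat LAN: {len(before)} of {len(HOSTS)} hosts in scope: {sorted(before)}")
    print(f"segmented: {len(after)} of {len(HOSTS)} hosts in scope: {sorted(after)}")
```

On the flat LAN all six hosts fall into scope; after segmentation only the two CHD hosts and the permitted log collector do, which is the control-count reduction the guidance describes.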