Within PCI DSS, the definition of scope is a fundamental requirement when establishing the information systems that will be affected by compliance with PCI DSS requirements.
On the other hand, network segmentation is a very useful step to reduce this scope and thus greatly reduce the implementation of security requirements and significantly reduce the cost of implementing them. Now segmentation is not a trivial issue considering that most networks that predominate among those affected by compliance with this standard have been created under business needs and not for PCI DSS compliance, and consequently doing a segmentation of networks means doing a reengineering of computer processes that is not at all simple.
Within this area of the definition of the scope and segmentation of networks, there are many issues that arise and here I want to expose two of them:
First: Imagine a system within a business process affected by PCI DSS (there are PANs involved) that in its functionalities is only called to validate certain transactions of the process where card data does not intervene (this system does not transmit, process or store card data) but without whose existence the transaction could not be undertaken. They do not pass card data, but if that system is attacked or its availability falls, the entire card business process could fall. If this system is on a network segment apart from the systems that store process, transmit card data, would it be outside the scope of PCI DSS compliance? Second: looking at the scope of PCI DSS, there are some systems such as. The DNS through which card data does not pass, transmit or is stored but which is involved in compliance with PCI DSS requirements for systems that are affected by card data. Reviewing PCI DSS 2.0 says the following "Scope of Assessment for Compliance with PCI DSS Requirements. The PCI DSS security requirements apply to all system components. In the context of PCI DSS, "system components" are defined as any network component, server, or application that is included in or connected to the cardholder data environment. "System components" also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS)."
As you can see other systems that could be involved are authentication systems (DNS), NTP servers ... etc. When defining the scope of PCI DSS on which a PCI DSS audit is to be done, these systems are not seen within the "channels" through which card data is transmitted, processed or stored, however, if it is necessary to take them into account in terms of their functionality and in order to meet the requirements of PCI DSS e.g. DNS to see authentication (R. 8 and 9), back up servers to look back up (R.9), CPD 2 to see if there is a DRP (R.12), NTP servers and log servers (R.10)... but the question is: should these systems be identified as such within the scope of the report? Does putting them within range mean that these servers must meet all pci DSS requirements such as being properly bastioned? And the hardest ... the network segments where these servers are should be scanned and performed intrusion tests?
My opinion is as follows:
I understand that systems that do not transmit, process or store card data, as I propose in the case first should not be within the scope of PCI DSS.
On the other hand, in the second case these systems would not be within the card data channels but within the scope of PCI DSS only as soon as they are affected as auxiliary systems for compliance with certain PCI DSS requirements and not as if they were components of systems as defined by PCIDSS.
For example, a monitoring system should not meet all the requirements of PCI DSS but it should guarantee in its definition the requirements of PCI DSS requirement 10: be located in an internal network segment, correctly configured the time through NTP, guarantee integrity and availability of logs,...
Raul Rodriguez Celaya
Consulting Department
Source: S21Sec
