Time
3 hours 7 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Welcome to the Cybrary Demystifying PCI DSS Compliance Course.
00:05
This module focuses on how to develop strategies to meet PCI compliance objectives.
00:12
This video focuses on identifying and narrowing the scope of your cardholder data environment.
00:19
The learning objective is to understand how the scope of the CDE is defined and how limiting it can be essential to a successful audit.
00:29
In December of 2016 the PCI council released a document to help merchants understand what is and what is out of scope when it comes to your CDE.
00:39
One of the points that is highlighted that the merchant has to understand is that the scope is not just about technology.
00:46
It's about your people and processes as well.
00:49
All three of these things regularly interact with cardholder data, so they all must be considered when dealing with the scope.
00:58
Everything is in scope until it has been verified that controls are in place to effectively remove the systems from the CDE.
01:04
Prior to your yearly audit, you need to go through a scoping exercise to make sure you fully understand your environment and how data flows.
01:12
A typical scoping exercise should have the following as a minimum.
01:17
What systems are receiving cardholder data?
01:19
All payment channels need to be identified and tracked all the way to the point of removal from the CDE.
01:26
What is storing, processing and transmitting cardholder data?
01:30
Understand that this includes your people and processes.
01:34
If people are writing down cardholder data for some reason as a part of your process, you need to identify this.
01:41
Identify all the other systems that support or have the capability of connecting to the CDE.
01:47
While they may not be directly processing cardholder data, they can connect to systems that do and could have an impact on the security of that data.
01:56
Implement controls to minimize scope.
01:59
If there are any people, processes or systems on your network that don't process or support the processing of cardholder data,
02:06
then put in place measures to prevent them from communicating with the CDE in any way.
02:12
After this exercise, you can implement the PCI requirements, then monitor your environment for any changes in scope.
02:20
The system components you have to consider are systems that are directly connected to the CDE.
02:25
This is via a direct connection to your networking components,
02:29
or indirectly connected to the CDE.
02:31
This is via a jump server that an administrator might connect to first prior to connecting directly to the CDE,
02:38
or impact the configuration or security of the CDE.
02:43
These will be support systems like a web proxy or DNS server.
02:47
Systems that provide security to the CDE via components like traffic filters, patch management and authentication management systems;
02:55
segment CDE systems from out-of-scope systems and networks, such as firewalls configured to block traffic from untrusted networks;
03:05
and support PCI DSS requirements.
03:07
These are systems like time servers and audit log storage servers.
03:15
When preparing to engage a QSA for an audit, one of the questions they will ask is: is your voice over IP in scope?
03:23
Why would they ask that?
03:23
Because a lot of merchants don't realize that if they're taking payments over the phone, it's possible that cardholder data is being stored in the systems that manage your phone calls via call recording.
03:36
Do you ever receive cards via email?
03:38
Via paper processing?
03:40
All of these payment channels need to be considered when defining the scope of your CDE.
03:47
So how do you go about reducing the scope of your CDE?
03:52
First, consider reducing the need for data storage.
03:54
Ask yourself the following question.
03:58
Do we really need to keep cardholder data?
04:00
Minimizing where card data is stored helps reduce the scope.
04:04
The next is network segmentation.
04:08
Network segmentation, consisting of isolating the cardholder data environment from the rest of the organization's data, is perhaps the best way to limit scope.
04:17
At a minimum, segregation should entail logical separation between networks via router and switch ACLs, or access control lists,
04:26
as well as involving the separation provided by a firewall.
04:30
The optimal solution being the physical separation between networks.
04:35
Next is the use of third party service providers.
04:39
If you can outsource data storage to a PCI compliant service provider that can securely manage payment processing and securely store your records, that is a strong method of reducing the scope of the assessment.
04:50
There are a lot of third party solutions available that will store and perform the necessary financial operations, such as authorization, clearing and settlement on your behalf.
05:05
The Open PCI Scoping Toolkit is a framework published by ISACA
05:11
to help simplify the scoping exercise.
05:14
It simply breaks the systems down into three categories.
05:17
If the system is in the first two categories, then it's in scope.
05:20
If it's in category three, then it's out of scope.
05:25
Category one is simply system components that process, store or transmit cardholder data, or are not isolated or restricted through controlled access from other category one system components.
05:38
Category two are system components that have controlled access to the category one system components.
05:44
So something that connects to the CDE, but in a very controlled way via network access controls.
05:49
These are system components that provide security services, can initiate inbound connections and have the ability to administer category one devices,
06:00
and category three are system components that are completely isolated from all category one system components.
06:09
So in summary, we went over some scoping exercises to help you limit the size of your CDE,
06:15
and we discussed the PCI scoping toolkit as a tool to help you define what would be in scope in your environment.
06:23
Okay, let's go through a couple of scenarios to see if we can determine what would be in scope for an assessment.
06:30
In the scenario, the shared services at the top left provide services for both the CDE and the corporate network.
06:36
Only the permitted traffic from these services is allowed into each other's network segments.
06:42
There is no direct connection between the CDE and the corporate network.
06:46
They have been firewalled off from each other.
06:49
Which segments of this diagram are in scope?
07:00
The CDE is in scope, and the shared services are in scope because they are directly connected to the CDE.
07:10
In this scenario we introduce a remote administrator that connects directly to the shared services.
07:15
The remote administrator then utilizes the jump server to interact with the CDE.
07:21
The remote administrator does not handle cardholder data itself.
07:26
Now what is in scope for an assessment?
07:34
Even though the remote admin does not process cardholder data and does not directly connect to the CDE, because it does administration of the CDE, it's in scope as well.
07:49
In this scenario, a remote office is stood up that has its VPN connected to the corporate network.
07:56
The remote office processes cardholder data via wireless and point-of-sale systems.
08:01
It also leverages the shared services in the shared services network.
08:05
The CDE still does not pass any data to the corporate network,
08:09
and shared services are only allowed through necessary traffic firewall rules.
08:15
What's in scope in this scenario?
08:24
Now, everything is in scope.
08:26
The corporate network is now directly connected to a network that processes cardholder data,
08:31
bringing each network segment into the scope of the audit.
08:35
There are countless different scenarios that could be played out to define what is in scope for an audit.
08:39
I recommend using the ISACA scoping toolkit to help you through your scoping exercise.

Up Next

PCI DSS: Payment Card Industry Data Security Standard

This online course covers the basic aspects of the PCI Data Security Standard for handling credit card data. It’s designed for professionals working for companies that must comply with the PCI DSS and its impact on company operations.

Instructed By

Timothy McLaurin
Director of Information Security at Wildcard Corp
Instructor