Network Segmentation and PCI DSS Compliance
Segmenting is good security
It was in the early days of PCI when we wrote Lightening the PCI Load: Solutions to Reduce PCI Scope. PCI compliance scoping was then, and still is, an intensely debated topic, even among PCI Qualified Security Assessors (QSAs).
The spirit and intent of that article and our follow-up piece, End-to-End Encryption: The PCI Security Holy Grail, provided some clarity and an approach to help organizations reduce PCI DSS compliance scope to the absolute minimum. The articles offered a soothsayer’s glimpse into what the future might hold for PCI compliance and scoping.
Much has changed since then: the ubiquitous adoption of virtualized systems; the introduction of streamlined and stripped down e-commerce solutions, including those that are shared hosted; the implementation of encrypt-at-the-swipe payment card solutions; EMV-compatible processing and more.
As technology, processes, and people have marched forward, the promise of measurable PCI scope reduction appears to have been offset by questions and concerns about the scoping of new technology implementations. Just as was the case when PCI DSS version 1 was released, many are still struggling to come to grips with PCI compliance scoping, even with PCI DSS version 3.2.1.