New Payment Card Industry Standards Council Guidance

  • Team Omega
  • December 14, 2016

The PCI Council recently released new guidance and standards concerning segmentation.[1] This is excellent guidance and Omega recommends you read the entire document, but for the purposes of this post we’d like to highlight some interesting points from the guidance below:

  1. When it comes to scoping for PCI DSS, the best-practice approach is to start with the assumption that everything is in scope until verified otherwise.
  2. Just because a system is not in scope for PCI DSS does not mean the entity should leave that system unprotected, as it could still pose a risk to the entity’s network and business.
  3. It is therefore critical that someone who understands the technology in use evaluates the impact of these technologies on scope.
  4. The existence of separate network segments alone does not automatically create PCI DSS segmentation. Segmentation is achieved via purpose-built controls that specifically create and enforce separation and prevent compromises originating from the out-of-scope network(s) from reaching cardholder data.
  5. Many compromises have occurred via systems and networks incorrectly determined to be out of scope, where the breached entity placed false reliance on segmentation, only to find out after the breach that those controls were not effectively protecting its networks.

The guidance goes on to provide example segmentation implementations with recommendations.

All of that is great guidance for a person technical enough to understand it, but not all merchants employ someone technical enough to understand it and configure it properly. The guidance explains what must be done, but it doesn’t tell you how to do it on your equipment. Therein lies the elephant in the room. Without knowing more about your specific network and hardware, the guidance can’t spell out the how. Without the how, and without someone who understands how to apply it, the guidance doesn’t get implemented. With that in mind, how can a merchant achieve the items recommended in the guidance?

That is where third-party service providers come in. But don’t make the mistake of thinking all IT service providers understand security controls. Even a general IT service provider may not be enough.

To be sure, hire a managed security services provider and request its Attestation of Compliance (AOC) with the Payment Card Industry Data Security Standard (PCI DSS). Here is where Omega shines. Omega not only holds a current PCI DSS AOC, it also passes two Qualified Security Assessor (QSA) audits a year: one for the Service Provider certification and the other for Omega’s Data Center.

  • Omega specializes in securing retail merchants’ networks without slowing down your business transactions.
  • Omega’s card data discovery identifies card data in your systems so it can be removed if unnecessary, or encrypted if it is present and required.
  • Omega’s internal and external vulnerability scans identify vulnerabilities lurking in your network, and Omega assists with the remediation.
  • Omega’s file integrity monitoring identifies unauthorized file changes.
  • OmegaSecure ensures your Windows systems are kept current with patching and antivirus updates, as the guidance recommends.
  • Omega also provides the policy and procedure templates required for Payment Card Industry compliance.

So make your life less stressful: schedule a call to learn more about Omega’s groundbreaking approach by calling Peter Guidi now — 636-557-7777 x2451, or email Peter at peter.guidi@www.omegasecure.com.

[1] https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf?agreement=true&time=1481292891125