PCI DSS Control challenges

Updated: Dec 21, 2020

1. Suggestions to implement effective and adequate network segmentation in order to reduce PCI-DSS scope?

  • Do not mix & create a mess: simplify by classifying & segregating systems based on criticality & function.

  • Document all flows to understand the boundaries & dependencies. Segregation is the key: segregate based on system handling capabilities.

  • Implement VLANs & zonal boundaries; restrict traffic flow where required.

  • Move all management functions, where possible, to the inside (internal) network. For e-Commerce, restrict all inbound & outbound flows to specifics only.

  • Bi-directional flow & IP subnet-level restrictions give better isolation, so the scope can be reduced. Ensure all restrictions follow the need-to-have & need-to-know principles: keep only what's required inside the PCI zone; everything else can be moved to a non-PCI zone or an isolated zone.
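The bullets above describe the practice of documenting every cross-zone flow and then restricting the firewall to exactly those flows. The script below is an added example (not from the original post) of how a practitioner can audit a ruleset against that documented flow list: it maps rule sources and destinations to zones by subnet, flags any "allow" rule that crosses a zone boundary without a matching documented flow, and flags rules that are too broad to be scoped at all ("any" address or any port). The zone names, subnets, flows and rules are constructed sample data, not a real environment.

```python
"""Audit a firewall ruleset against the documented PCI zone flows.

Added example; zones, subnets, flows and rules are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Zone definitions: each zone is one or more subnets (constructed values).
ZONES = {
    "PCI": [ipaddress.ip_network("10.10.0.0/24")],
    "MGMT": [ipaddress.ip_network("10.20.0.0/24")],
    "NON_PCI": [ipaddress.ip_network("10.30.0.0/16")],
    "DMZ": [ipaddress.ip_network("192.168.100.0/24")],
}

# Documented flows: (source zone, destination zone, protocol, port).
# Anything not in this set is an undocumented cross-zone flow.
DOCUMENTED_FLOWS = {
    ("DMZ", "PCI", "tcp", 443),    # web tier -> payment application
    ("MGMT", "PCI", "tcp", 22),    # admin SSH from the management zone
    ("PCI", "MGMT", "udp", 123),   # NTP from PCI hosts to the internal time source
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp" / "udp"
    port: Optional[int]  # None means any port
    action: str          # "allow" / "deny"


def zone_of(cidr: str) -> str:
    """Return the zone whose subnet contains `cidr`, 'UNZONED' if none does; 'any' stays 'any'."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for zone, subnets in ZONES.items():
        if any(net.subnet_of(s) for s in subnets):
            return zone
    return "UNZONED"


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per allow rule that is overly broad or crosses zones outside the documented flows."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        # A rule with "any" on either side or no port cannot be tied to a documented flow.
        if "any" in (src_zone, dst_zone) or r.port is None:
            findings.append(f"{r.name}: overly broad (src={src_zone}, dst={dst_zone}, port={r.port})")
            continue
        if src_zone == dst_zone:
            continue  # intra-zone traffic is not a boundary crossing; out of scope for this check
        if (src_zone, dst_zone, r.proto, r.port) not in DOCUMENTED_FLOWS:
            findings.append(f"{r.name}: undocumented {src_zone}->{dst_zone} {r.proto}/{r.port}")
    return findings


# Constructed sample ruleset: two documented flows, one undocumented, one wide open, a default deny.
SAMPLE_RULES = [
    Rule("web-to-pay", "192.168.100.0/24", "10.10.0.0/24", "tcp", 443, "allow"),
    Rule("admin-ssh", "10.20.0.0/24", "10.10.0.0/24", "tcp", 22, "allow"),
    Rule("legacy-share", "10.30.5.0/24", "10.10.0.10/32", "tcp", 445, "allow"),  # NON_PCI -> PCI, not documented
    Rule("pci-out-any", "10.10.0.0/24", "any", "tcp", None, "allow"),            # PCI -> anywhere, any port
    Rule("default-deny", "any", "any", "tcp", None, "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running it against the sample ruleset reports the undocumented file-sharing rule into the PCI zone and the unrestricted outbound rule from it; the two documented flows and the default deny produce no findings. In practice the flow table would be exported from the flow documentation the bullets call for, and the rules from the firewall's configuration.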

2. Does PCI-DSS recognize other standards & certificates during the validation/assessment process?

No, this will be an independent audit focusing on cardholder data. The baseline will be the standard, & the controls have to be evaluated fully; certificates from other standards cannot shorten the assessment process.

3. How to protect Network Time protocol data?

Use the latest version of NTP. NTP version 3 offers authentication, while version 4 can support the key-pair concept.

4. Best way for Service providers & merchants to be PCI-DSS compliant?

Reduce scope as far as possible, manage risk to keep a low appetite, & outsource only to trusted certified vendors & third parties. If there is no need to store data, don't do it. Avoid a higher risk appetite; accept risk only if there is a need to do so, but ensure the risk is very well monitored & contained.

Thank you ... More to publish

