1. Suggestions for implementing effective and adequate network segmentation to reduce PCI-DSS scope?
Do not mix systems & create a mess; simplify by classifying & segregating systems based on criticality & function.
Document all flows to understand the boundaries & dependencies. Segregation is the key: segregate systems based on what they handle.
Implement VLANs & zonal boundaries, and restrict traffic flows where required.
Move all management functions, where possible, to the inside (internal) network; for e-commerce, restrict all inbound & outbound flows to specific, documented flows only.
Bidirectional flow & IP subnet-level restrictions give better isolation, so the scope can be reduced. Ensure all restrictions follow the need-to-have & need-to-know principles: keep only what is required inside the PCI zone; everything else can be moved to a non-PCI zone or an isolated zone.
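As an added example (not part of the original post), a small Python policy check over a documented flow inventory: it maps addresses to zones, permits cross-zone flows only when they are on a need-to-have allow-list, and lists which hosts remain in PCI scope under a simplified "connected-to" rule. The zone ranges, allow-list entries and flow inventory are constructed for the example.

```python
import ipaddress

# Constructed zone map for the example (not from the post): one /24 per zone.
ZONES = {
    "cde":  ipaddress.ip_network("10.10.0.0/24"),  # cardholder data environment
    "mgmt": ipaddress.ip_network("10.20.0.0/24"),  # internal management network
    "corp": ipaddress.ip_network("10.30.0.0/24"),  # non-PCI office systems
}

# Cross-zone allow-list on a need-to-have basis: (src_zone, dst_zone, dst_port).
ALLOWED_CROSS_ZONE = {
    ("mgmt", "cde", 22),   # admin SSH into the CDE from the management network only
    ("cde", "mgmt", 514),  # syslog out of the CDE to the log collector
    ("cde", "mgmt", 123),  # NTP out of the CDE to the internal time source
}


def zone_of(ip):
    """Zone name for an address, or None if it lies outside every documented zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def is_allowed(flow):
    """flow = (src_ip, dst_ip, dst_port): intra-zone passes, cross-zone needs allow-list."""
    src, dst, port = flow
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False  # undocumented address space is denied outright
    return src_zone == dst_zone or (src_zone, dst_zone, port) in ALLOWED_CROSS_ZONE


def in_scope_hosts(flows):
    """CDE hosts plus every host with a permitted flow to or from the CDE (assumed rule)."""
    hosts = set()
    for src, dst, port in flows:
        cde_side = {h for h in (src, dst) if zone_of(h) == "cde"}
        hosts |= cde_side
        if cde_side and is_allowed((src, dst, port)):
            hosts |= {src, dst}  # a blocked flow does not pull the other host into scope
    return hosts


# Constructed flow inventory, as the post asks you to document before segmenting.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.10.0.10", 22),     # jump host -> CDE server: allowed, in scope
    ("10.10.0.10", "10.20.0.9", 514),    # CDE server -> syslog: allowed, in scope
    ("10.30.0.40", "10.10.0.10", 22),    # office PC -> CDE: denied, stays out of scope
    ("10.10.0.10", "10.10.0.11", 5432),  # intra-CDE database traffic: allowed
    ("10.30.0.40", "10.30.0.41", 445),   # intra-corp file share: allowed, out of scope
    ("192.168.1.1", "10.10.0.10", 443),  # undocumented network: denied
]
```

`[f for f in SAMPLE_FLOWS if not is_allowed(f)]` lists the documented flows the policy would block, each of which must either be re-routed through the management zone or removed from the design.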
2. Does PCI-DSS recognize other standards & certificates during the validation/assessment process?
No, this is an independent audit focused on cardholder data. The standard is the baseline and its controls have to be evaluated in full; certificates from other standards cannot shorten the assessment process.
3. How to protect Network Time Protocol data?
Use the latest version of NTP. NTP version 3 offers authentication, while version 4 also supports authentication based on key pairs.
4. Best way for service providers & merchants to be PCI-DSS compliant?
Reduce scope as far as possible; manage risk and keep a low risk appetite; outsource only to trusted, certified vendors & third parties. If there is no need to store cardholder data, don't store it. Avoid a higher risk appetite. Accept risk only if there is a real need to, but ensure that risk is very well monitored & contained.
Thank you ... More to publish