PCI DSS Control challenges

Updated: Dec 21, 2020

1. Suggestions for implementing effective and adequate network segmentation to reduce PCI-DSS scope?

  • Do not mix systems and create a mess. Simplify by classifying and segregating systems based on criticality and function.

  • Document all flows to understand the boundaries and dependencies. Segregation is the key: segregate based on what each system handles.

  • Implement VLANs and zonal boundaries, and restrict traffic flow where required.

  • Where possible, move all management functions to the inside (internal) network. For e-Commerce, restrict all inbound and outbound flows to the specific flows required, and nothing else.

  • Bi-directional flow restrictions at the IP subnet level give better isolation, so the scope can be reduced. Ensure all restrictions follow the need-to-have and need-to-know principles: keep only what is required inside the PCI zone; everything else can be moved to a non-PCI zone or an isolated zone.
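As an added illustration of the last two points (example code, not part of the original post), the Python below models a constructed set of subnets and documented flows and computes which subnets fall into PCI scope because they have a permitted flow to or from the cardholder data environment (the "connected-to" systems). The addressing, zone names and flows are assumed sample values.

```python
# Constructed sample zones (CIDR -> zone). Assumed addressing, not from any real network.
ZONES = {
    "10.10.1.0/24": "pci-cde",        # payment application servers
    "10.10.2.0/24": "pci-cde",        # cardholder database
    "10.20.1.0/24": "management",     # jump hosts, logging, NTP
    "10.30.1.0/24": "corporate",      # general office LAN
    "10.40.1.0/24": "ecommerce-dmz",  # public web front-ends
}
CDE = {cidr for cidr, zone in ZONES.items() if zone == "pci-cde"}


def in_scope(flows):
    """PCI scope = the CDE subnets plus every subnet that has a permitted flow
    to or from the CDE ("connected-to").  flows: (src_cidr, dst_cidr, port|'any')."""
    scope = set(CDE)
    for src, dst, _port in flows:
        if src in CDE and dst not in CDE:
            scope.add(dst)          # CDE talks outbound to this subnet
        elif dst in CDE and src not in CDE:
            scope.add(src)          # this subnet talks inbound to the CDE
    return scope


def nonspecific_flows(flows):
    """Flows touching the CDE that are not pinned to a specific port; these break
    the 'restrict inbound and outbound to specifics only' rule."""
    return [f for f in flows if (f[0] in CDE or f[1] in CDE) and f[2] == "any"]


# Before: a lazy "office LAN can reach the CDE on anything" rule pulls the
# whole corporate subnet into scope.
BEFORE = [
    ("10.30.1.0/24", "10.10.1.0/24", "any"),  # office -> payment app, any port
    ("10.40.1.0/24", "10.10.1.0/24", 443),    # web front-end -> payment API
    ("10.10.1.0/24", "10.10.2.0/24", 5432),   # app -> cardholder DB
    ("10.20.1.0/24", "10.10.1.0/24", 22),     # jump host -> app
    ("10.20.1.0/24", "10.10.2.0/24", 22),     # jump host -> DB
]
# After: office LAN removed; management kept on specific ports only;
# CDE outbound limited to NTP towards the management zone.
AFTER = [
    ("10.40.1.0/24", "10.10.1.0/24", 443),
    ("10.10.1.0/24", "10.10.2.0/24", 5432),
    ("10.20.1.0/24", "10.10.1.0/24", 22),
    ("10.20.1.0/24", "10.10.2.0/24", 22),
    ("10.10.1.0/24", "10.20.1.0/24", 123),    # CDE -> NTP server
]

if __name__ == "__main__":
    for name, flows in (("before", BEFORE), ("after", AFTER)):
        print(name, sorted(in_scope(flows)), nonspecific_flows(flows))
```

Running it shows the corporate subnet dropping out of scope once the "any" rule is replaced by specific, documented flows, while the management and DMZ subnets stay in scope as connected-to systems.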

2. Does PCI-DSS recognize other standards and certificates during the validation/assessment process?

No. This is an independent audit focusing on cardholder data. The standard is the baseline, and every control has to be evaluated fully; certificates from other standards cannot shorten the assessment process.

3. How to protect Network Time Protocol data?

Use the latest version of NTP. NTP version 3 offers authentication, while version 4 also supports authentication based on a key-pair (public-key) concept.

4. What is the best way for service providers and merchants to be PCI-DSS compliant?

Reduce scope as far as possible, manage risk to keep a low risk appetite, and outsource only to trusted, certified vendors and third parties. If there is no need to store cardholder data, don't store it. Avoid a higher risk appetite. Accept risk if there is a genuine need to, but ensure the risk is very well monitored and contained.

Thank you ... More to publish
