The PCI SSC says: "Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment." Segmentation is not mandatory, but it does offer many organisations a means of simplifying PCI DSS compliance.
However, the standard says the following on scoping and segregation:
- If there is a system on a network that does not store, process, or transmit card data, but that system is able to reach machines that do store, process, or transmit cardholder data, then the system is in scope.
- If the system is unable to see or connect, such that no user on the system could traverse to any systems that store, process, or transmit card data, then the system is out of scope.
This leads to the question of what is in scope and what is out of scope, especially on a corporate network where domain controllers and time servers supply services to all corporate devices, including those within the CDE.
As an example I will look at the use of time servers, since requirement 10.4 states that all critical system clocks and times should be synchronised.
We could meet this by placing a time server within the CDE that, for example, receives the MSF signal from the Anthorn radio station run by the National Physical Laboratory (NPL) in the UK. However, other critical systems in an organisation should also be synchronised. A time server can instead be placed in the untrusted corporate network outside the CDE, but it will then need to provide its service to the CDE while maintaining compliance with the PCI DSS, and by providing a service to the CDE it should be in scope and part of the CDE.
This can send you around in circles. However, requirement 1.2 states "Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment." This allows us to configure the firewall protecting the CDE to pass the time service from the time server into the CDE, provided that the firewall and the traffic itself are suitably protected and filtered so that only the time service from that time server is allowed through.
We also need to meet the intent of the PCI DSS wording "no user on the system could traverse to any systems that store, process, or transmit card data". This means that any server providing a service to the CDE should be hardened to standards such as those published by the following organisations:
- SysAdmin, Audit, Network and Security (SANS)
- National Institute of Standards and Technology (NIST)
- Center for Internet Security (CIS)
We also have requirement 1.4, which prohibits direct public access and has two sub-requirements:
- Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic
- Restrict outbound traffic from payment card applications to IP addresses within the DMZ.
Therefore, in our example, if we are using the Network Time Protocol to update time servers, the time server in the CDE cannot connect directly to a public time server; it must instead use an interim time server in the DMZ, which in turn accesses a public time server on the Internet. This demonstrates some of the techniques that can be used in building and designing a securely segregated network for the PCI DSS.
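As an added illustration that is not part of the original post, the following Python model encodes the NTP design above as a default-deny firewall policy and then applies the scoping test from the standard (a host is in scope if it is in the CDE or the firewall permits a flow between it and the CDE). All addresses and host roles are constructed for the example; the policy-matching helpers are hypothetical, not a real firewall's API.

```python
from ipaddress import ip_address, ip_network

# Constructed example addressing (not from the original post): one host or
# network per role in the NTP design described above.
CDE = ip_network("10.200.0.0/24")        # cardholder data environment
CORP_NTP = "10.0.0.123"                  # corporate time server outside the CDE
CDE_NTP = "10.200.0.123"                 # time server inside the CDE
DMZ_NTP = "192.0.2.123"                  # interim time server in the DMZ
PUBLIC_NTP = "203.0.113.5"               # a public time server on the Internet

# Firewall policy protecting the CDE: default deny (requirement 1.2), with
# only the flows the time service needs. Each rule is (src, dst, proto, dport).
RULES = [
    (CORP_NTP, str(CDE), "udp", 123),    # corporate time server may serve the CDE
    (CDE_NTP, DMZ_NTP, "udp", 123),      # CDE clock syncs only via the DMZ (req 1.4)
    (DMZ_NTP, PUBLIC_NTP, "udp", 123),   # DMZ relay alone talks to the Internet
]


def _matches(pattern, ip):
    """True if the host or network pattern in a rule covers this address."""
    return ip_address(ip) in ip_network(pattern, strict=False)


def allowed(src, dst, proto, dport):
    """Return True only if some rule explicitly permits this new flow."""
    return any(
        _matches(r_src, src) and _matches(r_dst, dst)
        and r_proto == proto and r_port == dport
        for r_src, r_dst, r_proto, r_port in RULES
    )


def in_scope(host):
    """PCI scoping test: in scope if the host is in the CDE or any permitted
    flow connects it to a CDE system (a service provider such as the
    corporate time server therefore lands in scope and must be hardened)."""
    if ip_address(host) in CDE:
        return True
    for r_src, r_dst, _proto, _port in RULES:
        touches_cde = (ip_network(r_src, strict=False).overlaps(CDE)
                       or ip_network(r_dst, strict=False).overlaps(CDE))
        if touches_cde and (_matches(r_src, host) or _matches(r_dst, host)):
            return True
    return False
```

Running `in_scope` over every host that has a rule is a quick way to list the systems outside the CDE that the policy pulls into scope, which is exactly the hardening list the text asks for.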