Network Isolation as a PCI Data Security Standard Compliance Strategy
April 05, 2007

The Payment Card Industry (PCI) Data Security Standard requires that merchants and service providers who store, process or transmit credit and/or debit card data comply with a set of 12 requirements designed to safeguard this highly sensitive information. Most security professionals agree that these requirements -- often referred to colloquially as the "dirty dozen" -- represent current information security best practices, and offer a reasonable set of controls for dealing with extremely sensitive data.

While they may be appropriate for protecting credit card information, the PCI Data Security Standard requirements are probably too rigorous and costly to be applicable to the bulk of the data your enterprise handles on a daily basis. For example, consider the case of a large college or university network that grants broad public access to much of the network. In all likelihood, only a minuscule fraction of the thousands of systems on the network are involved in card-processing activities, so it would simply be impractical to implement all 12 PCI Data Security Standard requirements across the entire network.

Early versions of the standard seemed to require exactly that -- the broad implementation of these controls throughout the enterprise. With the release of PCI DSS version 1.1, the PCI Security Standards Council issued a clarification on this matter:

"The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment."

These two sentences came as a great relief for organizations that handle payment card information as a small part of their business. At the same time, they raise more questions for those seeking to implement an isolation strategy: what constitutes "adequate network segmentation"?

A number of merchants are choosing to comply with the PCI Data Security Standard through a network isolation strategy. Their goal is to implement a completely isolated "network within a network" that houses all systems involved in payment card processing. The only connection to the enterprise network is on the outside interface of a firewall, as shown in the illustration above.

This link is as rigidly protected as one would protect the organization's connection to the Internet. Therefore, the card-processing network treats the rest of the enterprise network as nothing more than an ISP. Any transmission of cardholder data or administrative control that crosses the enterprise network must be encrypted, just as it would be across the Internet.

The challenge with a conservative approach such as this lies in providing routine services such as DNS/directory services, time synchronization, intrusion detection, backup and file integrity monitoring to systems within the cardholder data environment. The "ISP model" requires that dedicated systems inside the environment provide these services, while still complying with the "one primary function per server" rule stated in section 2.2.1 of PCI DSS. These costs can mount quickly, though, considering all of the ancillary services necessary to support a stand-alone network.
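As an added illustration of the "ISP model" boundary described in the last three paragraphs (example code written for this page, not part of the original article): a small checker that reads a modelled firewall policy for the link between the enterprise network and the cardholder data environment and flags the gaps a QSA would ask about. The rule format, the set of ports treated as encrypted, and the two sample policies are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed for this example: services treated as encrypted when crossing the boundary.
ENCRYPTED_PORTS = {("tcp", 22), ("tcp", 443), ("udp", 500), ("udp", 4500)}
# Cleartext support services the article says must be served from inside the CDE.
CLEARTEXT_SERVICES = {("udp", 53): "DNS", ("tcp", 53): "DNS", ("udp", 123): "NTP",
                      ("udp", 514): "syslog", ("tcp", 389): "LDAP"}

@dataclass(frozen=True)
class Rule:
    src: str             # zone: "enterprise" or "cde"
    dst: str
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

def check_boundary(rules: List[Rule]) -> List[str]:
    """Return findings for the enterprise<->CDE boundary; empty list means it passes."""
    findings = []
    crossing = [r for r in rules if {r.src, r.dst} == {"enterprise", "cde"}]
    # 1. Each direction must end in a deny-all, exactly as an Internet-facing firewall would.
    for src, dst in (("enterprise", "cde"), ("cde", "enterprise")):
        in_dir = [r for r in crossing if (r.src, r.dst) == (src, dst)]
        if not in_dir or in_dir[-1].action != "deny" or in_dir[-1].port is not None:
            findings.append(f"no terminal deny-all rule for {src}->{dst}")
    # 2. Anything allowed across the link must be an encrypted service on a specific port.
    for r in crossing:
        if r.action != "allow":
            continue
        if r.port is None or r.proto == "any":
            findings.append(f"{r.src}->{r.dst}: 'any' service allowed across the boundary")
        elif (r.proto, r.port) in CLEARTEXT_SERVICES:
            name = CLEARTEXT_SERVICES[(r.proto, r.port)]
            findings.append(f"{r.src}->{r.dst}: cleartext {name} crosses the boundary; "
                            f"serve it from a dedicated system inside the CDE")
        elif (r.proto, r.port) not in ENCRYPTED_PORTS:
            findings.append(f"{r.src}->{r.dst}: {r.proto}/{r.port} is not a known encrypted service")
    return findings

# Constructed sample policies: a weak one that leans on enterprise DNS/NTP, and its fix.
WEAK_POLICY = [
    Rule("enterprise", "cde", "tcp", 443, "allow"),
    Rule("cde", "enterprise", "udp", 53, "allow"),    # DNS from the enterprise resolver
    Rule("cde", "enterprise", "udp", 123, "allow"),   # NTP from the enterprise time server
    Rule("enterprise", "cde", "any", None, "deny"),   # no deny-all for cde->enterprise
]
CORRECTED_POLICY = [
    Rule("enterprise", "cde", "tcp", 443, "allow"),   # TLS to the payment interface
    Rule("enterprise", "cde", "tcp", 22, "allow"),    # SSH administration
    Rule("cde", "enterprise", "udp", 4500, "allow"),  # IPsec tunnel to the backup site
    Rule("enterprise", "cde", "any", None, "deny"),
    Rule("cde", "enterprise", "any", None, "deny"),
]
```

Running `check_boundary(WEAK_POLICY)` reports the missing deny-all and the two cleartext support services; the corrected policy returns no findings, with DNS and NTP assumed to be served by dedicated hosts inside the CDE.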
