As CTO of an international fintech and an advisory board member to the Payment Card Industry Security Standards Council, I often spend my weekends and free time reading all things payments and security related - don’t judge me 😀. This past week I caught up on reading the PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures information supplement - a big part of the updated guidance for achieving PCI compliance in PCI DSS v4. It is a great document - albeit a lengthy read - and eventually CTOs, CIOs and CSOs should read it in its entirety.
To get you started I thought I would summarize it for you.
The landscape of modern payment networks
Traditional network security models relied heavily on perimeter-based controls. However, with the rise of cloud computing, microservices, and zero-trust architectures, payment networks are now very dynamic and borderless. The network perimeter is less clear than it was when everything was hosted on-premise. These advancements bring flexibility and scalability, but also introduce complexities in determining the scope of PCI DSS compliance and the ability to maintain effective network segmentation.
At its core, PCI DSS compliance ensures the protection of cardholder data by isolating the Cardholder Data Environment (CDE) from out-of-scope systems. This is something that Flywire has been focused on since our early adoption of modern network architectures. The new guidance from the PCI SSC acknowledges the challenges posed by modern architectures and provides strategies to address them.
Highlights from the PCI DSS Scoping and Segmentation Guidance
1. Modern network challenges demand robust segmentation, device-level and transaction-based security.
- Multi-cloud environments: Many organizations run multiple cloud service providers. Integrating them requires robust segmentation strategies to manage the diverse configurations, while maintaining visibility across the platforms.
- Hybrid environments: Some organizations combine on-premise and cloud systems. Organizations that run this model must be focused on consistent security controls across both domains.
- Zero-trust architectures: These models enforce least-priviledge access and granular authentication. Your focus must shift from network perimeters to device-level and transaction-based security.
2. Segmentation best practices remain the same.
- Nothing here has changed; effective segmentation reduced the scope of PCI DSS assessments. Make sure you focus your controls on the critical systems and segment your CDE.
- Tools like Software-Defined Networking (SDN) and service meshes offer advanced segmentation capabilities, such as micro-segmentation and real-time policy enforcement.
3. Verification through penetrating testing remains critical.
- Regular segmentation penetration tests are vital. These tests ensure that boundaries between in-scope and out-of-scope systems remain intact and highlight vulnerabilities that could compromise cardholder data. Flywire is extremely vigilant with its penetration testing.
- In zero-trust environments, tests must validate continuous authentication processes and the effectiveness of micro-segmentation controls.
My practical recommendations
Modern networks are getting more and more distributed and complex and thus increasing the complexity of PCI DSS and potential for a data breach. In complex situations, first principles thinking always works best for me. If asked, here is some practical guidance I would give that I use at Flywire.
- Understand your data flow: Start with a comprehensive mapping of where cardholder data is stored, processed, and transmitted. Documenting and analyzing these flows helps establish the boundaries of your CDE.
- Embrace automation and monitoring: Use tools, such as AI, for automated discovery, configuration management, and monitoring to maintain accurate scope definitions in dynamic environments. Regular updates to your inventor and diagrams are critical for compliance.
- Adopt advanced segmentation tools: SDN enables dynamic policy and application and centralizes network control. Service meshes ensure service-to-service communication with features like mutual Transport Layer Security (TLS) and traffic monitoring.
- Zero-trust is the future: Transition to zero-trust models where every user, device, and system must prove its legitimacy at every access point. PCI DSS is all about granular controls, and this is a great example of one.
- Strengthen penetration testing: Penetration tests should go beyond basic port scans. Have a red team that incorporates real-world attack scenarios in order to evaluate the efficacy of your network segmentation.
In summary, the latest PCI DSS guidance is a great blueprint for tackling the complexities of modern payment networks. By aligning segmentation practices with evolving technologies like zero-trust and cloud-native architectures, we can ensure robust security while optimizing compliance efforts.
All payments organizations should embrace these practices to establish a resilient foundation for the future of innovation in the payments ecosystem.
We are leading by example at Flywire with our amazing CISO, Barbara Cousins, who works closely with my product and engineering teams to ensure we are safeguarding every transaction to protect our clients and the payers they serve.