April 6, 2020

PCI Security in a Remote Work World

Vivian Tero, Sr. Product Marketing Manager

Until recently, most of us reserved work from home (WFH) for days when we felt under the weather or too bogged down with projects to endure commutes. But, almost overnight, WFH has become the “new normal” and businesses are racing to get their employees up and running with minimal downtime.  

If your organization has PCI obligations, you remain required to maintain your PCI security posture regardless of any delays in your compliance assessments. As you transition to a fully remote work model, you must keep up your vigilance and stay ahead of new attack vectors. Gaps in coverage and protection won’t be tolerated any more than they were before we all became WFH employees.

In its March 26 blog, the PCI Security Standards Council offered a set of recommendations to help secure payments while working remotely, enabling organizations to maintain their PCI security posture. To reiterate the PCI Security Standards Council’s (PCI SSC) advice, “it’s about people, process, and technology.”

As you update your data center and network to support an all-remote work model, evaluate whether these changes open new security gaps that require appropriate mitigating controls.

The PCI SSC recommends these security controls to protect users and data in remote work situations:

  • Using strong passwords in combination with multi-factor authentication (MFA) for remote access
  • Maintaining basic security hygiene: keeping patches up to date, enforcing secure configurations, filtering web content, and enabling host firewall functionality
  • Securing communications with a VPN and encryption
  • Applying access controls and least privilege so that access to the cardholder data environment (CDE) is limited to individuals with a legitimate business need
  • Updating threat detection and incident response capabilities to cover the remote worker use case

These PCI SSC recommendations are based on the PCI SSC Information Supplement “Protecting Telephone-based Payment Card Data."

As shown in figure 1 below, your payment architecture is just one critical subset of your PCI environment. Your payment systems may be in the same subnet or have legitimate connections to other applications in your data center like customer support, customer loyalty, and inventory.

As merchants and service providers transition to an all-remote work model, a critical consideration should be how this seismic shift in corporate life will affect PCI scope and security segmentation controls.

Figure 1: A simple illustration of an organization’s data center and payment architecture, alongside its ecosystem of PCI partners.

Here are the top ten (bonus: eleven, but who’s counting?) critical questions that all merchants and service providers should be asking right now:

  1. Does the remote model result in significant changes to your PCI environment?
  2. What do the data flows and network diagrams look like under these conditions?
  3. Does the remote work model significantly alter the set of CDE, connected-to, and security-impacting system components?
  4. How do these changes affect the requirement to restrict traffic to and from the CDE to legitimate flows only?
  5. Do you anticipate an increase in the volume of legitimate external connections to your data center, and specifically to the CDE?
  6. How many of those legitimate external connections need to reach your PCI connected-to systems and the CDE itself?
  7. Does your organization already have a flat network? How can you accelerate your ability to reduce your attack surface given your new budget constraints?
  8. Beyond access control measures and MFA, what are your plans for identifying and verifying the legitimate connections to the CDE?
  9. If you increasingly rely on remote or online support for your Point-of-Sale (POS) and ecommerce applications, what additional controls (beyond MFA) ensure that only legitimate traffic reaches your POS systems?
  10. Do you have a significant number of contractors who will suddenly access the data center remotely? How do you limit their access to only the systems they need to complete their projects?
  11. How do you ensure that bad actors cannot use a compromised contractor’s machine as a vector to target your CDE?

If you are considering desktop-as-a-service or Virtual Desktop Infrastructure (VDI) to quickly enable your staff to work remotely, you also need to assess how you will implement controls so that employees can only view and access the applications they need to do their jobs.

If you and your organization are struggling to scale and protect yourselves in this time of flux, Illumio can help you assess, plan, and secure your transition to a remote model while enhancing your organization’s PCI security segmentation posture. 

Based on our conversations with current customers that have PCI requirements, here are a few ways that Illumio can help you meet the challenge to keep your PCI program secure in this time of change and uncertainty:

  • Our application dependency map will show how connections will change (or have changed), and also help you identify and manage the legitimate external connections.
  • We enable you to define an allowlist of trusted IP addresses and IP address ranges that are permitted to connect into your data center, and to specify which applications each of them may reach.
  • As you rely more on telephony-based payments, Illumio offers real-time reports and a visual view of the connections from systems that are not directly involved in the payment process but sit in the same subnet as the CDE or have legitimate connections to it. Examples of such connected-to systems include shared servers, HR systems, corporate intranets, and VoIP phones. You will want to tightly control connections and remote access to these systems; Illumio helps you verify that there are no unauthorized connections between them and your payment applications, and lets you activate rules that limit authorized connections to specific roles, ports, and processes.
  • If your existing network was already flat before the remote work transition, addressing this gap is even more critical now as the increase in remote connections poses more potential attack vectors. Illumio can help you accelerate your efforts to solve your flat network problem – at a lower cost. By leveraging the native stateful firewalls of the host, you can avoid the cost and risk associated with buying more firewalls and re-architecting your network.
  • If you are scaling up your existing VDI infrastructure to support your remote workers, our Adaptive User Segmentation capability will ensure that remote users can only see and connect to applications that are allowed based on their Microsoft Active Directory group memberships.
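The allowlist and host-firewall points above can be made concrete with a small policy check. The following is an added example, not Illumio code: it defines a default-deny allowlist for two hypothetical CDE listeners (keyed by host and port, with the permitted remote source ranges and the process expected to be listening), audits a constructed set of inbound flow records against it, and renders one host's share of the policy as nftables commands for the host's native stateful firewall. All host names, ranges, process names and flow records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Allowlist policy (constructed for this example): each CDE listener is
# keyed by (host, port) and names the remote source ranges allowed to reach
# it plus the process expected to be listening. Anything not listed is denied.
POLICY = {
    ("pos-app-01", 8443): {
        "sources": ["203.0.113.0/24"],    # POS vendor remote-support range (TEST-NET-3)
        "process": "pos-support",
    },
    ("payment-gw-01", 443): {
        "sources": ["198.51.100.10/32"],  # contractor jump host (TEST-NET-2)
        "process": "payment-gw",
    },
}


@dataclass(frozen=True)
class Flow:
    """One observed inbound connection, as a host-level sensor might report it."""
    src: str        # remote source address
    dst_host: str   # host that accepted the connection
    dst_port: int
    process: str    # process listening on dst_port


def is_allowed(flow: Flow) -> bool:
    """True only if the source sits inside an allowlisted range for this
    (host, port) AND the expected process is the one listening."""
    entry = POLICY.get((flow.dst_host, flow.dst_port))
    if entry is None or entry["process"] != flow.process:
        return False
    src = ipaddress.ip_address(flow.src)
    return any(src in ipaddress.ip_network(net) for net in entry["sources"])


def audit(flows):
    """Partition flow records into (permitted, unauthorized)."""
    permitted = [f for f in flows if is_allowed(f)]
    unauthorized = [f for f in flows if not is_allowed(f)]
    return permitted, unauthorized


def host_firewall_rules(host: str, table: str = "inet cde", chain: str = "input"):
    """Render this host's slice of POLICY as nftables commands: default-drop
    input chain, keep established sessions, accept new connections only from
    allowlisted sources to the allowlisted port. Table/chain names are assumed."""
    rules = [
        f"nft add table {table}",
        f"nft add chain {table} {chain} '{{ type filter hook input priority 0; policy drop; }}'",
        f"nft add rule {table} {chain} iif lo accept",
        f"nft add rule {table} {chain} ct state established,related accept",
    ]
    for (h, port), entry in POLICY.items():
        if h != host:
            continue
        for net in entry["sources"]:
            rules.append(f"nft add rule {table} {chain} ip saddr {net} tcp dport {port} ct state new accept")
    return rules


# Constructed sample of inbound flows.
SAMPLE_FLOWS = [
    Flow("203.0.113.7",   "pos-app-01",     8443, "pos-support"),  # vendor support: permitted
    Flow("203.0.113.7",   "pos-app-01",     22,   "sshd"),         # vendor reaching SSH: no rule
    Flow("203.0.113.7",   "pos-app-01",     8443, "nc"),           # right port, unexpected listener
    Flow("198.51.100.10", "payment-gw-01",  443,  "payment-gw"),   # contractor jump host: permitted
    Flow("198.51.100.11", "payment-gw-01",  443,  "payment-gw"),   # neighbour of the jump host: denied
    Flow("192.0.2.50",    "hr-intranet-01", 445,  "smbd"),         # connected-to system, nothing allowlisted
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_FLOWS)
    for f in bad:
        print(f"UNAUTHORIZED {f.src} -> {f.dst_host}:{f.dst_port} ({f.process})")
    for line in host_firewall_rules("pos-app-01"):
        print(line)
```

The process check is what distinguishes a host-level policy from a plain network ACL: a vendor address reaching the right port on the right host is still flagged when something other than the expected service is listening there. Note that the generated nftables rules only cover IPv4 sources (`ip saddr`); an IPv6-reachable host needs matching `ip6 saddr` rules, and the chain should be loaded on every CDE host rather than on a perimeter firewall alone.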

Looking for more information?

We partnered with Protiviti, one of the world’s leading Payment Card Industry Qualified Security Assessors (PCI QSA), to examine how our Adaptive Security Platform can assist organizations in meeting their PCI DSS requirements.

The outcome of this collaboration is the white paper, The Illumio Adaptive Security Platform – Supporting PCI DSS Requirements. It maps Illumio’s ability to support, potentially meet, or serve as a compensating control for 8 of the 12 PCI DSS 3.2.1 requirements.

We also recommend that you check out the Illumio ASP Design Guide to find out how you can plan and adapt your PCI controls to support your new remote work model.

To learn more about Illumio solutions for PCI compliance, check out this page.

Interested in trying Illumio ASP yourself? Sign up for a 30-day free trial.
