Accurate scoping is critical to the success of a PCI project. Without it, how can you be sure that everything is covered?
PCI DSS requirement 11.2 outlines the requirement for quarterly PCI vulnerability scanning of your entire external network. This should be presented to your ASV in the form of entire ranges for scanning and not just individual IP addresses. Your ASV should challenge the scope if individual IP addresses are provided. IP addresses should not be excluded from the scan list based on the assumption that they are not in use.
Any IP that stores, processes or transmits cardholder data is automatically in scope, as are IP addresses that are connected to that IP address. If it is possible to access the ‘in-scope’ IP address from another address, then that address is also in scope.
So, with that in mind, what can you do? This is where de-scoping has become such a hot topic within the PCI DSS sphere. It can be your ‘get out of jail free’ card. Without accurate scoping, how can you be sure that the costs incurred by your business are really necessary?
Reviewing your scope on an annual basis should help reduce the cost of PCI compliance, providing that the scope was not underestimated to begin with. Organisations can go from paying out tens of thousands of pounds for their entire network to be scanned, to just hundreds of pounds, not to mention the unnecessary overhead of continuing to monitor False Positives and Compensating Controls. Conversely, if your scope is too restrictive, are you jeopardising your compliance status?
QSAs can work with your organisation to establish and reduce the scope of both your internal and, by extension, your external PCI applicable environment. Employing either physical or logical segmentation can dramatically reduce the scope of PCI DSS.
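A worked illustration of the scoping rules above (every host that stores, processes or transmits cardholder data is in scope, any host that can access an in-scope host joins it, and segmentation removes access paths), as an added Python example that is not from the original article. The hosts, access paths and declared range are constructed; the connected-host rule is applied repeatedly until no further host is added, which is how it plays out across an unsegmented network, and the range check shows the kind of gap an ASV should challenge.

```python
from ipaddress import ip_address, ip_network

# Constructed sample environment (not from the original article): external
# hosts, those that store/process/transmit cardholder data, and which host
# can open connections to which (as permitted by the current firewall rules).
CDE_HOSTS = {"203.0.113.10"}                      # payment application
CAN_ACCESS = {
    "203.0.113.10": {"203.0.113.11"},             # app -> database
    "203.0.113.11": {"203.0.113.10"},             # database -> app
    "203.0.113.20": {"203.0.113.11"},             # admin host -> database
    "203.0.113.30": {"203.0.113.20"},             # marketing web -> admin host
    "203.0.113.40": set(),                        # isolated host
}


def compute_scope(cde_hosts, can_access):
    """Every CDE host is in scope, and so is any host that can access an
    in-scope host; the rule is applied until no further host is added."""
    in_scope = set(cde_hosts)
    changed = True
    while changed:
        changed = False
        for src, dsts in can_access.items():
            if src not in in_scope and dsts & in_scope:
                in_scope.add(src)
                changed = True
    return in_scope


def segment(can_access, src, dst):
    """Model a segmentation control (a firewall rule) that removes src->dst
    access; the original map is left untouched."""
    updated = {s: set(d) for s, d in can_access.items()}
    updated.setdefault(src, set()).discard(dst)
    return updated


def outside_declared_ranges(declared_ranges, hosts):
    """Hosts not covered by the ranges handed to the ASV; a non-empty result
    is exactly the scope gap the ASV should challenge."""
    nets = [ip_network(r) for r in declared_ranges]
    return {h for h in hosts if not any(ip_address(h) in n for n in nets)}


if __name__ == "__main__":
    hosts = set(CAN_ACCESS)
    before = compute_scope(CDE_HOSTS, CAN_ACCESS)
    after = compute_scope(CDE_HOSTS, segment(CAN_ACCESS, "203.0.113.20", "203.0.113.11"))
    print("in scope before segmentation:", sorted(before))
    print("in scope after segmentation: ", sorted(after))
    print("de-scoped but still needing vulnerability management:", sorted(hosts - after))
    print("not covered by declared ranges:", sorted(outside_declared_ranges(["203.0.113.0/28"], hosts)))
```

Removing the single admin-to-database access path drops the admin host and everything that reaches it out of scope, which is the cost reduction the article describes; the hosts that fall out still belong in your own vulnerability management programme.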
The responsibility for the accuracy of the scope is not entirely down to you as a business; ASVs should verify your scope. They should perform high-level checks to assess your scope and any IP addresses identified can then be reviewed by your organisation. As a minimum, their checks should include a review of:
Your ASV will require a list of all external IP addresses. Whilst the scope for cardholder data may be smaller, all IP addresses should be noted to ensure the ASV has visibility of the entire potential scope (a requirement from PCI SSC). Essentially, the PCI ASV scan should cover the entire external infrastructure UNLESS physical or logical segmentation has been employed on the network.
While the underlying aim of the PCI DSS programme is to obtain compliance, the challenge is to implement it effectively whilst minimising cost and impact on the business. There are a number of exercises that your business can undertake to ensure the accuracy of your scoping.
QSAs and IT Security organisations can work with you to analyse your internal business processes: this includes conducting interviews with representatives of all key areas in order to map out and document the acceptance channel process flows. This will then help to identify inter-dependencies between business departments and applications. Don’t just focus on direct payment acceptance channels. There will be associated channels such as the Finance Department, which will probably be involved in chargeback processing. Once the business processes have been fully plotted, map them to IT and existing network diagrams. Identify the underlying technologies, the communication links between systems and physical locations. Identify remote connection technologies. Is any encryption used? Identify any third parties that may be providing IT support.
Identify any supporting infrastructure – including firewalls, both externally facing and internal. Identify the underlying switching infrastructure that supports the communications flow. Don’t forget authorisation and authentication mechanisms, such as RADIUS or Active Directory. Are there any devices that perform a logging and monitoring function? What do they log, where do they log to, and who reviews the data?
Foot-printing exercises can also be used to determine your business’s level of exposure externally. Always bear in mind that scoping must include all payment card acceptance channels and all components within those channels that process, store or transmit payment card data.
In addition, there are many ‘grey’ areas within the PCI DSS. Every business is different and sometimes determining the applicability of a piece of technology, or deciding whether something should be in scope or not, can be difficult. Again, there is likely to be someone within your company who has dealt with a similar issue in the past.
Once you have set your PCI scope, consider the IP addresses that have been removed from the quarterly scan. Just because they are no longer under the remit of PCI DSS does not mean that they are no longer of importance to the business. Other considerations, such as the Data Protection Act or business sensitive information, may mean that the impact of a compromise would be just as disastrous to the business as card holder data leakage.
Maintaining a vulnerability management programme on those IP addresses no longer in scope for PCI allows the business to monitor both patching and configuration changes and ensures that the risks are known and assessed.
Once the scoping is complete, you will need to ensure that the scan runs smoothly, which means verifying with your ASV that IPS devices and load balancers will not affect the validity of the results. Depending on the network, it may be necessary to add the scanner IPs to the list of trusted IPs so that the service can send probes to the IP addresses in your account during scan processing. PCI SSC requires all ASVs to make sure that the way in which the customer environment is set up does not affect the PCI scan, so that the results are consistent and valid. To this end, the ASV also needs to confirm that, where load balancers are in use, the build behind each load balancer is identical; this ensures that the scans are representative of each environment. If the servers behind a load balancer are not configured identically, the company must conduct an internal scan of each of the components located behind the load balancers.
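The load balancer check described above, as an added Python example that is not from the original article: a constructed per-server build inventory is hashed so that identical builds compare equal, any VIP whose backends differ is flagged for an internal scan of each backend, and the drifted packages are listed so they can be reconciled.

```python
import hashlib
import json

# Constructed sample inventory (not from the original article): the software
# build found on each server behind each load balancer VIP.
BACKENDS = {
    "lb-web (203.0.113.5)": {
        "web-01": {"nginx": "1.24.0", "openssl": "3.0.13", "app": "4.2.1"},
        "web-02": {"nginx": "1.24.0", "openssl": "3.0.13", "app": "4.2.1"},
    },
    "lb-api (203.0.113.6)": {
        "api-01": {"nginx": "1.24.0", "openssl": "3.0.13", "app": "4.2.1"},
        "api-02": {"nginx": "1.22.1", "openssl": "3.0.2", "app": "4.2.1"},  # drifted
    },
}


def build_fingerprint(build):
    """Stable hash of a server's build so that identical builds compare equal
    regardless of the order the inventory was collected in."""
    canonical = json.dumps(build, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def drifted_packages(servers):
    """Packages whose version differs between the backends of one VIP."""
    keys = set().union(*(b.keys() for b in servers.values()))
    return sorted(k for k in keys if len({b.get(k) for b in servers.values()}) > 1)


def scan_plan(backends):
    """Per VIP: 'external' when every backend build is identical (the ASV scan
    of the VIP is representative), otherwise the list of backends that each
    need an internal scan."""
    plan = {}
    for vip, servers in backends.items():
        prints = {name: build_fingerprint(b) for name, b in servers.items()}
        plan[vip] = "external" if len(set(prints.values())) == 1 else sorted(prints)
    return plan


if __name__ == "__main__":
    for vip, action in scan_plan(BACKENDS).items():
        print(vip, "->", action, "drift:", drifted_packages(BACKENDS[vip]))
```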
The document PCI DSS Security Scanning Procedures describes in detail the scanning procedures required for PCI compliance.