I didn’t particularly loathe HIPAA and I don’t really hate PCI but they can both be confusing and often difficult to follow because they are both open to a measure of interpretation by whomever is doing the reading. The PCI Security Standards Council just recently released a document providing additional (supplemental) guidance regarding network segmentation and scope boundaries for cardholder data environments.
Guidance for PCI DSS Scoping and Network Segmentation
The following excerpt neatly sums up the reasoning for the additional guidance;
PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.
It’s not just enough that you firewall your PCI VLAN, assuming that you have a PCI VLAN. Interestingly enough the this document doesn’t really touch on tokenization and it’s impact on the in-scope systems. In fact the the only guidance regarding tokenization from the PCI Security Standards Council is dated August 2011, PCI DSS Tokenization Guidelines.
It would have been very helpful for the PCI Security Standards Council to also highlight how tokenization can reduce the footprint of in-scope systems.