The Payment Card Industry Data Security Standard (PCI DSS) includes a number of controls that pertain to network architecture, configuration, and operations. RedSeal’s unique ability to map your network, calculate potential access, and prioritize risk is well suited to meeting many network PCI DSS requirements, especially those related to firewalling, network segmentation, and penetration testing.
RedSeal also helps organizations meet the new “Business as Usual” best practices in PCI DSS 3.0. The BAU guidelines were added in 3.0 to emphasize the need to implement security controls as ongoing processes, rather than focusing on “just in time” compliance when the annual audit rolls around. RedSeal analyzes network infrastructure and risk on a nightly basis. This allows an organization to implement continuous monitoring of their segmentation and firewall configuration and effectiveness, with minimal operational overhead.
RedSeal helps your network meet PCI DSS compliance requirements.
Re-testing of segmentation following changes; prioritization and remediation of exploitable vulnerabilities.
Validation of segmentation boundary; includes support for “Category 1/2/3” best practice segmentation strategy rapidly gaining traction with QSAs (Qualified Security Assessors). For more detail on RedSeal mapping to PCI 3.1 controls:
PCI DSS Compliance Requirement 11.3.4—Penetration Testing and CDE Segmentation
A great example of how PCI DSS 3.0 significantly changes control activity implementation is the new requirement for penetration testing of the CDE segmentation boundary (11.3.4).
This requirement states that penetration testing must be done “…after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.” In practice, this could be interpreted to mean that pen testing needs to be done after any firewall rule or ACL change on any device that segments the CDE—a massive undertaking. However, RedSeal can continually test the segmentation boundary and identify those portions of the boundary that actually changed, allowing pen testing to be focused on just those elements. This drastically reduces the cost and effort required to meet this stringent new requirement. For more information, download our white paper: CDE Segmentation Validation.