The Payment Card Industry Data Security Standard (PCI DSS) includes a number of controls that pertain to network architecture, configuration, and operations. RedSeal’s unique ability to map your network, calculate potential access, and prioritize risk is well suited for compliance with many network PCI DSS requirements, especially those related to firewalling, network segmentation, and penetration testing.
RedSeal also helps organizations meet the “Business as Usual” best practices in PCI DSS 3.2. The PCI DSS BAU guidelines were added to emphasize the need to implement security controls as ongoing processes, rather than focusing on “just in time” PCI compliance requirements when the annual audit rolls around. RedSeal analyzes network infrastructure and risk on a nightly basis. This allows an organization to implement continuous monitoring of their segmentation and network firewall configuration and effectiveness, with minimal operational overhead.
RedSeal helps your network meet PCI DSS compliance requirements by monitoring and managing all PCI DSS specific network requirements.
Re-testing of network segmentation following changes; prioritization and remediation of exploitable vulnerabilities.
PCI Compliance Network Requirements—Segmentation
Validation of segmentation boundary; includes support for “Category 1/2/3” best practice segmentation strategy rapidly gaining traction with QSAs (Qualified Security Assessors). For more detail on RedSeal mapping to PCI 3.2 controls:
PCI DSS Compliance Requirement 11.3.4—Penetration Testing and CDE Segmentation
A great example of how PCI DSS 3.0 significantly changes control activity implementation is the new requirement for penetration testing of the CDE segmentation boundary (11.3.4).
This PCI compliance network requirement states that penetration testing must be done “…after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.” In practice, this could be interpreted to mean that pen testing needs to be done after any firewall rule or ACL change on any device that segments the CDE—a massive undertaking. However, RedSeal can continually test the segmentation boundary and identify those portions of the boundary that actually changed, allowing pen testing to be focused on just those elements. This drastically reduces the cost and effort required to meet this stringent new requirement. For more information, download our white paper: CDE Segmentation Validation.