How to Define Your PCI DSS Scope in a Zero Trust Environment
Scoping is a key first step in any compliance assessment, and those who have been through the process understand how vital—and how tricky—it can be. Scoping is particularly crucial in PCI DSS, as drawing your boundaries largely determines which requirements your organization must satisfy, and when you’re operating within a Zero Trust environment, things appear to get more complicated.
In our work as experienced PCI Qualified Security Assessors (QSAs), we’ve been receiving a lot of questions on Zero Trust, including the effects of such an environment on the scoping process. In light of that, we’re going to provide some guidelines.
What follows are four steps to help you define your PCI DSS scope within a Zero Trust environment.
4 Steps to Help Define Your PCI DSS Scope in a Zero Trust Environment
From how it’s managed to how it’s segmented, Zero Trust fundamentally challenges our concepts of an environment. In other words, as companies implement Zero Trust Architecture, the paradigm shift away from a classical networking model complicates our notions of conventional segmentation and access. That’s because—at its root—Zero Trust requires the continuous verification of any access to resources.
Yes, Zero Trust Architecture provides a proactive and strategic approach to addressing the emerging threats to data and access, and that’s great news for your security. But make no mistake—implementing this architecture also necessitates a monumental shift in how organizations maintain their environment and how assessors evaluate controls, whether for PCI DSS compliance or other frameworks.
Before those assessments can be performed, however, you must define the scope of your environment built on Zero Trust, and here’s how you can get started when you’re pursuing PCI DSS compliance.
1. Identify Data Flows and Inventories
As usual, scoping starts with understanding how you handle data—in the case of PCI DSS, card data is the paramount concern.
Because scoping is defined by your cardholder data environment (CDE) and by anything with the ability to impact the security of cardholder data, obtaining a comprehensive view here is essential. This is achieved by:
- Identifying the flow of cardholder data across systems, applications, and network segments.
  - These diagrams must account for all card data flows into and out of your organization for any payment facilitation functions provided.
- Listing which assets (systems) are storing, processing, or transmitting card data.
  - These are your CDE systems—e.g., an API receiving cardholder data or an application parsing data into specific formats before sending it to acquirers.
- Detailing which of these systems directly interact with data—they may format and/or parse data and then communicate it to other systems.
  - These are CDE systems if they have access to full PAN or sensitive authentication data—e.g., an application may parse the last four digits of a card number, append a transaction ID, and store this in a database.
- Documenting applications, users, and systems that interact with, or provide support for, your assets in the CDE.
  - While this list is in scope, these systems are not in the CDE—i.e., “non-CDE in-scope systems,” such as systems that receive non-sensitive data like sales metrics or applications that receive non-sensitive logging data.
As PCI QSAs, we can tell you that fewer things make us happier than a well-defined data flow and inventory, and these steps should get you started there.
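To make the classification in step 1 concrete, here is an added example (not from the original post, and not a Schellman tool) that takes a constructed asset inventory and a constructed list of data flows and sorts every asset into CDE, non-CDE in-scope, or out of scope using the rules described above. Asset names, flags, flows, and the "acquirer" third party are all illustrative assumptions.

```python
"""Scope classification from an asset inventory and a data-flow list.

Added example, not part of the original post. The rules encode step 1:
  - stores/processes/transmits CHD, or has access to full PAN / SAD  -> CDE
  - otherwise sends data to or receives data from a CDE system, or
    provides a security service (logging, auth, ...) to the CDE       -> in scope, non-CDE
  - no connectivity to the CDE at all                                -> out of scope
Flow endpoints that are not in our inventory are reported as third parties
so they can be documented separately (e.g. an acquirer).
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    stores_processes_transmits_chd: bool = False  # handles cardholder data directly
    full_pan_or_sad_access: bool = False          # can see full PAN or sensitive auth data
    security_service_for_cde: bool = False        # e.g. log collection or auth for CDE hosts


# Constructed inventory (hypothetical names).
INVENTORY = [
    Asset("payment-api", stores_processes_transmits_chd=True, full_pan_or_sad_access=True),
    Asset("tokenizer", stores_processes_transmits_chd=True, full_pan_or_sad_access=True),
    Asset("receipt-svc", full_pan_or_sad_access=True),  # derives last four from full PAN
    Asset("sales-metrics"),                             # receives daily totals, no PAN
    Asset("log-collector", security_service_for_cde=True),
    Asset("hr-portal"),                                 # never touches the CDE
    Asset("intranet-wiki"),
]

# Constructed data flows: (source, destination, what is carried).
FLOWS = [
    ("payment-api", "tokenizer", "full PAN"),
    ("payment-api", "acquirer", "authorization request"),   # acquirer is external
    ("tokenizer", "receipt-svc", "full PAN for receipt formatting"),
    ("payment-api", "sales-metrics", "daily totals (no PAN)"),
    ("payment-api", "log-collector", "application logs (PAN masked)"),
    ("hr-portal", "intranet-wiki", "employee documents"),
]


def classify_scope(inventory, flows):
    """Return sorted CDE / in-scope non-CDE / out-of-scope / third-party name lists."""
    names = {a.name for a in inventory}
    cde = {a.name for a in inventory
           if a.stores_processes_transmits_chd or a.full_pan_or_sad_access}

    # Anything that exchanges data directly with a CDE system is in scope.
    connected = set()
    for src, dst, _ in flows:
        if src in cde and dst not in cde:
            connected.add(dst)
        if dst in cde and src not in cde:
            connected.add(src)
    # Security services supporting the CDE are in scope even without a data flow.
    connected |= {a.name for a in inventory if a.security_service_for_cde}

    # Endpoints we do not own are third parties, not in-scope assets of ours.
    third_parties = {n for f in flows for n in f[:2] if n not in names}
    connected -= third_parties

    out_of_scope = names - cde - connected
    return {
        "cde": sorted(cde),
        "in_scope_non_cde": sorted(connected),
        "out_of_scope": sorted(out_of_scope),
        "third_parties": sorted(third_parties),
    }


if __name__ == "__main__":
    for bucket, members in classify_scope(INVENTORY, FLOWS).items():
        print(f"{bucket:18s} {', '.join(members) or '-'}")
```

Feeding the script a real inventory is only as good as the flags on each asset: an application that "only needs the last four" but receives the full PAN still has `full_pan_or_sad_access=True`, which is exactly the case the step above calls out.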
2. Define Segmentation
Zero Trust architecture emphasizes network segmentation—or dividing the network into smaller zones to minimize resource access and, therefore, the potential impact of a breach. This is often referred to as micro-segmentation and provides the isolation necessary to meet PCI DSS’s definition of “segmented.”
Once you completely understand your data flows, you can then:
- Explain how you’re using micro-segmentation to isolate the systems and applications handling cardholder data from other parts of the network.
  - This must be explicitly defined and clearly discerned—the same concepts apply to other sensitive data like PII.
- Use granular network security controls and define the criteria used to account for:
  - User identity;
  - Device function; and
  - Data sensitivity.

(You’re not limited to these three elements—many other factors can be used.)
3. Document Implemented Access Controls
At this point, you know where the data is and how you are segmenting—now, you need to demonstrate how you permit access to sensitive data to individuals, systems, and functions only when each is authorized.
The following controls are in scope and need to be documented:
- Strict access controls applied according to the principle of least privilege
  - Zero Trust or not—access to cardholder data must be limited to the individuals and systems that hold a legitimate business need.
- Strong authentication mechanisms that have been applied and enforced to verify user identities
  - E.g., the protections you apply to credentials in transit and in storage are in scope.
4. Demonstrate Monitoring and Auditing
Finally, you’ll need to explain a core component of Zero Trust that is not often discussed—the continuous monitoring of the environment. To do so:
- Define the controls that monitor:
  - Network traffic;
  - User activity;
  - Access; and
  - Security events—i.e., all elements that help you promptly detect and respond to threats.
As part of your overall compliance efforts, you must also conduct regular audits to confirm that controls are correctly implemented and maintained—that includes creating documentation of these assessments to act as evidence.
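The following added example (not from the original post, and not a Schellman tool) ties steps 2 through 4 together: a default-deny policy keyed on user identity, device function, and data sensitivity decides each access request on a least-privilege basis, and the resulting decisions are reviewed as audit evidence, with repeated denied attempts on cardholder data raised as alerts. The roles, device functions, sensitivity labels, and JSON access-log lines are all constructed; the rule that cardholder data access requires verified strong authentication is an assumption of this example.

```python
"""Zero Trust access decisions plus review of the resulting audit trail.

Added example, not part of the original post. Policy criteria follow step 2
(identity, device function, data sensitivity); decisions are least-privilege
and default deny (step 3); every decision is logged and reviewed (step 4).
All roles, device classes, and log lines below are constructed.
"""
import json
from collections import Counter

# Sensitivity ranking; "chd" covers full PAN and sensitive authentication data.
SENSITIVITY = {"public": 0, "internal": 1, "pii": 2, "chd": 3}

# Constructed allow-list: (identity role, device function) -> highest data
# sensitivity that pair may access. Pairs not listed are denied.
POLICY = {
    ("payment-engineer", "managed-workstation"): "chd",
    ("payment-engineer", "byod-laptop"): "internal",
    ("payment-api", "cde-server"): "chd",
    ("analyst", "managed-workstation"): "pii",
    ("analyst", "byod-laptop"): "internal",
}


def decide(role, device_function, data_class, strong_auth):
    """Return (allowed, reason). Assumption: CHD also needs verified strong auth
    (MFA for people, a workload credential for services)."""
    ceiling = POLICY.get((role, device_function))
    if ceiling is None:
        return False, "no policy for identity/device pair"
    if data_class not in SENSITIVITY:
        return False, "unclassified data"
    if SENSITIVITY[data_class] > SENSITIVITY[ceiling]:
        return False, f"{data_class} exceeds ceiling {ceiling} for {role} on {device_function}"
    if data_class == "chd" and not strong_auth:
        return False, "strong authentication required for cardholder data"
    return True, "ok"


# Constructed access events, one JSON object per line.
ACCESS_LOG = """\
{"ts":"2024-05-01T10:00:01Z","user":"alice","role":"payment-engineer","device":"managed-workstation","strong_auth":true,"resource":"vault/pan","data":"chd"}
{"ts":"2024-05-01T10:00:07Z","user":"alice","role":"payment-engineer","device":"byod-laptop","strong_auth":true,"resource":"vault/pan","data":"chd"}
{"ts":"2024-05-01T10:01:15Z","user":"bob","role":"analyst","device":"managed-workstation","strong_auth":true,"resource":"reports/sales","data":"internal"}
{"ts":"2024-05-01T10:01:20Z","user":"bob","role":"analyst","device":"managed-workstation","strong_auth":false,"resource":"vault/pan","data":"chd"}
{"ts":"2024-05-01T10:02:00Z","user":"svc-payment","role":"payment-api","device":"cde-server","strong_auth":true,"resource":"tokenizer","data":"chd"}
{"ts":"2024-05-01T10:02:30Z","user":"bob","role":"analyst","device":"byod-laptop","strong_auth":true,"resource":"vault/pan","data":"chd"}
"""


def review(log_text, repeat_threshold=2):
    """Replay each event through the policy and flag repeated CHD denials."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        allowed, reason = decide(ev["role"], ev["device"], ev["data"], ev["strong_auth"])
        decisions.append({**ev, "allowed": allowed, "reason": reason})

    # Detection: the same identity repeatedly denied on cardholder data.
    denied_chd = Counter(d["user"] for d in decisions
                         if not d["allowed"] and d["data"] == "chd")
    alerts = [f"{user}: {n} denied attempts on cardholder data"
              for user, n in sorted(denied_chd.items()) if n >= repeat_threshold]
    return {"decisions": decisions, "alerts": alerts}


if __name__ == "__main__":
    report = review(ACCESS_LOG)
    for d in report["decisions"]:
        print(f"{d['ts']} {d['user']:12s} {d['data']:8s} {'ALLOW' if d['allowed'] else 'DENY '} {d['reason']}")
    for a in report["alerts"]:
        print("ALERT", a)
```

Note that an identity is never "trusted" by location: alice is allowed the same data on her managed workstation and refused it on a BYOD laptop, and the reason recorded for each decision is the evidence an assessor will ask for when verifying that the control is both implemented and maintained.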
Trust in Zero Trust
Zero Trust architecture is a novel but amazing approach to implementing security principles, applying dynamic defenses, and reducing the risk of data breaches—an approach many organizations are now pivoting to in light of growing cyber threats. But as it does represent a departure from the traditional, Zero Trust can complicate compliance scoping.
Still, if you’re pursuing PCI DSS compliance for your Zero Trust environment and you follow our four steps to scoping, documenting your data flows and inventories, concise segmentation, strict access controls, and the continuous monitoring processes around them, you can minimize the scope of your assessment while simultaneously improving your organization’s overall security posture.
In fact, while this blog primarily focused on PCI DSS scoping, these same concepts and principles could also directly apply to other frameworks. Want to learn more about what we mean by that, or how Zero Trust principles can strengthen your PCI DSS compliance efforts? Contact us today.
About Sully Perella
Sully Perella is a Senior Manager at Schellman who leads the PIN and P2PE service lines. His focus also includes the Software Security Framework and 3-Domain Secure services. Having previously served as a networking, switching, computer systems, and cryptological operations technician in the Air Force, Sully now maintains multiple certifications within the payments space. Active within the payments community, he helps draft new payments standards and speaks globally on payment security.