How to Achieve PCI DSS Compliance in a Zero Trust Environment
In the world of digital transactions and data security, the Payment Card Industry Data Security Standard (PCI DSS) serves as a crucial framework that ensures organizations handling payment card data maintain robust security measures. However, performing and passing PCI DSS assessments when you have deployed a Zero Trust environment raises unique challenges to conventional notions of scope.
As PCI QSAs who have been assessing organizations and their varying environments for over a decade, we’re well-versed in how the complications of PCI DSS can cause pitfalls. That’s why, in this blog post, we’re going to delve into the considerations organizations face when attempting to achieve PCI DSS compliance within a Zero Trust framework.
What is a Zero Trust Environment?
Before delving into how Zero Trust can define scope, let's briefly review what a Zero Trust environment entails. Zero Trust is a security model that assumes no trust within or outside an organization's network.
In a Zero Trust environment, trust is not implicit, as it is in 'classic' models. Access to resources is granted by a continuous set of controls, applied in accordance with the user's permissions, the sensitivity of the data, and environmental metrics before access is permitted.
7 Considerations to Make Within Zero Trust Environment for PCI DSS Compliance
Because trust is never assumed in a Zero Trust environment, there is no clearly defined network perimeter, and that mandates significant alterations when applying the PCI DSS requirements.
The standard traditionally relies on the concept of a network perimeter, with cardholder data residing in specific, well-protected segments. To meet PCI DSS requirements, Zero Trust organizations must instead first classify the sensitivity of their data (including cardholder data as well as authentication credentials) and then continuously monitor and assess systems and users, regardless of their location within the network.
Achieving these things typically requires advanced identity and access management solutions, but it’ll also require significant adjustments to traditional PCI DSS compliance practices—including the following seven.
1. Micro-Segmentation
Micro-segmentation entails dividing your network into isolated segments to more strictly define traffic. While it is a fundamental element of Zero Trust and enhances your security, it also changes how PCI DSS assessments are run, because every assessment requires an evaluation of the safeguards provided by each individual micro-segment. Since each segment has its own set of controls and access policies, that evaluation becomes more complex.
You must ensure that each element in scope adheres to the appropriate PCI DSS requirements while maintaining the strict isolation Zero Trust requires. The following tools, together with the expertise to operate them, can each play a part in managing the intricacies of micro-segmentation within the context of PCI DSS compliance:
- Software-Defined Networking (SDN)
- Zero Trust Network Access (ZTNA) Solutions
- Container and orchestration security tools
- Endpoint Detection and Response (EDR)
- Next-generation firewalls
- Micro-segmentation solutions
2. Scope Reduction
Given the breadth of PCI DSS requirements, there’s often an effort during assessments to minimize the number of systems and components within the cardholder data environment (CDE) to reduce the scope of compliance efforts.
But a Zero Trust environment involves monitoring and securing all assets, so to reduce your PCI DSS scope you should define things accordingly:
- First, group the data elements and associated systems that are part of the CDE and apply strict access controls to them through Zero Trust.
- For all other elements that are in scope but not included in the CDE, your access controls may be less strict, but they must still be explicitly limited to the users and resources necessary for business operations.
3. Continuous Monitoring
Though each PCI DSS assessment is a point-in-time review, compliance is not a one-time event: it also requires continuous monitoring for the detection of and response to security threats.
Here's the good news: because a Zero Trust environment mandates the continuous review of user and device behavior to identify anomalies and assess potential risks in real time, the controls used to implement and maintain Zero Trust align well with the level of scrutiny PCI DSS requires.
Here's the less-good news: acquiring and managing all the required monitoring solutions, including the trained personnel to run them, will be a significant expense. Still, the following tools can help maintain PCI DSS compliance in a Zero Trust environment and are worth considering:
- Continuous monitoring of the environment through security information and event management (SIEM)
- Intrusion detection/prevention systems (IDS/IPS)
- Vulnerability scanning tools
- File integrity monitoring (FIM) solutions
- Network traffic analysis tools
- EDR solutions
- Configuration management tools to prevent configuration drift
4. Encryption
PCI DSS emphasizes encryption as a crucial security control, and Zero Trust similarly advocates for encryption at every level of the network.
However, to ensure that data is protected both at rest and in transit, a Zero Trust environment actually requires more rigor than the standard does regarding the consistent application of strong encryption and secure standards across the environment. To serve both Zero Trust and PCI DSS, you will need an inventory of cryptographic algorithms, keys, and cryptoperiods (how long each key is in use).
Maintaining that inventory and securely managing rotation and retirement dates is best done through a centralized key management system; many software solutions are available for both on-premises and cloud encryption, depending on what you use.
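As an added example that is not from the original post, the following Python script keeps the kind of inventory described above (algorithm, creation date and cryptoperiod per key) and flags keys that are overdue for rotation, nearing the end of their cryptoperiod, or using an algorithm outside an approved list. The inventory entries, the APPROVED_ALGORITHMS set, the 30-day warning window, the AS_OF assessment date and the function names are all assumptions constructed for illustration.

```python
"""Cryptoperiod tracking for a key inventory (added example, not the post's code).

The inventory layout, APPROVED_ALGORITHMS, WARNING_DAYS, AS_OF and the
function names are assumptions constructed for illustration; a real
deployment would pull these records from its key management system.
"""
from datetime import date, timedelta

# Assumed organizational policy: the only algorithms the inventory may contain.
APPROVED_ALGORITHMS = {"AES-256-GCM", "RSA-3072", "ECDSA-P256"}
# Assumed: warn this many days before a key's cryptoperiod ends.
WARNING_DAYS = 30
# Assumed assessment date used for the sample run below.
AS_OF = date(2024, 12, 20)

# Constructed sample inventory: one record per key under management.
INVENTORY = [
    {"key_id": "hsm-kek-01", "algorithm": "AES-256-GCM",
     "created": date(2024, 10, 1), "cryptoperiod_days": 730},
    {"key_id": "db-dek-01", "algorithm": "AES-256-GCM",
     "created": date(2024, 1, 15), "cryptoperiod_days": 365},
    {"key_id": "tls-edge", "algorithm": "RSA-3072",
     "created": date(2023, 6, 1), "cryptoperiod_days": 397},
    {"key_id": "legacy-batch", "algorithm": "3DES",
     "created": date(2023, 6, 1), "cryptoperiod_days": 365},
]


def retire_on(entry: dict) -> date:
    """Date on which the key's cryptoperiod ends and it must be retired."""
    return entry["created"] + timedelta(days=entry["cryptoperiod_days"])


def rotation_status(entry: dict, today: date) -> str:
    """Classify one inventory record relative to `today`."""
    # An unapproved algorithm is a finding regardless of the key's age.
    if entry["algorithm"] not in APPROVED_ALGORITHMS:
        return "unapproved-algorithm"
    days_left = (retire_on(entry) - today).days
    if days_left < 0:
        return "overdue"
    if days_left <= WARNING_DAYS:
        return "rotate-soon"
    return "ok"


def review_inventory(inventory: list, today: date) -> dict:
    """Map every key_id to its status so findings can feed the assessment."""
    return {e["key_id"]: rotation_status(e, today) for e in inventory}
```

Running `review_inventory(INVENTORY, AS_OF)` on the sample data yields one key in each state, which is the report an assessor would expect to see alongside the inventory itself.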
5. Identity and Access Management (IAM)
If you deploy a Zero Trust environment, you know it relies heavily on robust IAM solutions for both human users and service accounts. While this enhances security, you also must ensure that your IAM policies align with PCI DSS requirements—especially when it comes to authentication and authorization mechanisms.
When aligning your IAM policies, make sure to consider the following prescriptive requirements within PCI DSS v4.0:
- Requirement 8.2.8: inactivity timeouts of 15 minutes or less
- Requirement 8.3.4: lockout after no more than 10 failed password attempts, lasting a minimum of 30 minutes
- Requirement 8.3.6: a minimum password length of at least 12 characters, containing both numeric and alphabetic characters
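As an added example that is not part of the original post, here is a Python checker that compares an IAM policy against the three v4.0 values listed above and also tests a single password against the 8.3.6 length and composition rule. The policy dictionary layout, the function names and the two sample policies are assumptions constructed for illustration; note that many products use 0 or an absent value to mean "never time out" or "never lock out", so the checker treats those as failures.

```python
"""Check an IAM policy against the PCI DSS v4.0 values quoted in the post.

Added example, not the post's code. The policy dictionary layout, the
function names and the sample policies are assumptions constructed
for illustration.
"""

# Values as quoted in the post for PCI DSS v4.0.
MAX_IDLE_MINUTES = 15       # Req. 8.2.8
MAX_FAILED_ATTEMPTS = 10    # Req. 8.3.4
MIN_LOCKOUT_MINUTES = 30    # Req. 8.3.4
MIN_PASSWORD_LENGTH = 12    # Req. 8.3.6


def check_iam_policy(policy: dict) -> list:
    """Return one finding per failed check; an empty list means all pass."""
    findings = []
    # 0 or a missing value commonly means "never time out" / "never lock
    # out" in IAM products, so treat those as failures, not as zero.
    idle = policy.get("idle_timeout_minutes")
    if not idle or idle > MAX_IDLE_MINUTES:
        findings.append(f"8.2.8: idle timeout must be <= {MAX_IDLE_MINUTES} min (got {idle})")
    attempts = policy.get("lockout_after_failed_attempts")
    if not attempts or attempts > MAX_FAILED_ATTEMPTS:
        findings.append(f"8.3.4: lockout must trigger after <= {MAX_FAILED_ATTEMPTS} attempts (got {attempts})")
    duration = policy.get("lockout_duration_minutes")
    if not duration or duration < MIN_LOCKOUT_MINUTES:
        findings.append(f"8.3.4: lockout must last >= {MIN_LOCKOUT_MINUTES} min (got {duration})")
    if policy.get("min_password_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append(f"8.3.6: minimum length must be >= {MIN_PASSWORD_LENGTH} characters")
    if not (policy.get("require_alphabetic") and policy.get("require_numeric")):
        findings.append("8.3.6: passwords must require both alphabetic and numeric characters")
    return findings


def password_meets_8_3_6(password: str) -> bool:
    """Check a single password against the length and composition rule."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


# Constructed sample policies: one that passes and one with every check failing.
COMPLIANT_POLICY = {"idle_timeout_minutes": 15, "lockout_after_failed_attempts": 6,
                    "lockout_duration_minutes": 30, "min_password_length": 14,
                    "require_alphabetic": True, "require_numeric": True}
WEAK_POLICY = {"idle_timeout_minutes": 0, "lockout_after_failed_attempts": 0,
               "lockout_duration_minutes": 5, "min_password_length": 8,
               "require_alphabetic": False, "require_numeric": True}
```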
6. Balance of Security and Payment Processing
Zero Trust security can be so stringent that it potentially impacts the efficiency and agility of your payment processing operations. When you also have to meet the PCI DSS requirements, striking the right balance between rigorous security measures and the seamless flow of payment transactions becomes crucial.
Achieving this balance requires a thorough evaluation and fine-tuning of security policies and tools.
More specifically, detailed risk assessments and centralized encryption key management protecting payment processing functions—such as the use of strong TLS ciphers and symmetric encryption for data at rest—are important to minimize the burden of managing the security controls around protecting cardholder data.
7. Lack of PCI DSS Standardization in Zero Trust
While PCI DSS offers a comprehensive framework for payment card data security, specific guidance for implementing security measures within a Zero Trust Environment is not currently available. This lack of standardization makes it challenging for organizations to measure their PCI DSS compliance effectively in this context.
As such, customized approaches are often necessary to adapt PCI DSS requirements to the Zero Trust model, which can be time-consuming and resource-intensive, but our article on how to prepare for this will help.
Moving Forward with Zero Trust and PCI DSS
Though not impossible, PCI DSS compliance in a Zero Trust environment presents a unique set of challenges, as organizations must reconcile the continuous, boundary-less nature of Zero Trust with a standard for securing payment card data that traditionally relies on network perimeters and periodic assessments.
To do this will require investment in advanced technologies, redefining compliance practices, and balancing security measures with the efficiency of payment processing, but by addressing these challenges head-on, you can ensure the security of payment card data—and compliance with PCI DSS—while embracing the benefits of a Zero Trust approach.
About Salvatore Butera
Salvatore Butera is a Senior Associate with Schellman. Prior to joining Schellman in 2022, Salvatore provided consultative services across a variety of industries, including services ranging from on-premises and cloud system architecting, risk assessment, PCI DSS compliance, network security, and other general consulting services. Salvatore holds several industry certifications including CISSP, CISA, QSA, AWS CSA, and CCSK, and as a Senior Associate at Schellman, he focuses primarily on PCI engagements for organizations spanning many different industries.