As defined by the Payment Card Industry Security Standards Council (PCI SSC), the cardholder environment (CDE) consists of the people, processes and technology that process, transmits or stores cardholder data or sensitive authentication data, including any connected systems components.
This means a penetration test of the CDE must include the analysis of card data flow in electronic form on any system within the CDE and any connected systems.
The definition of a connected system is however open to interpretation when network segmentation is in place. If network segmentation is not in place, then the entire internal network is within scope, however if segmentation is in place, the scope of the internal penetration test can be limited to the CDE, dependent on whether the segmentation has been verified as being effective.
It should be made clear at this point that internal network segmentation is also not a requirement of the PCI DSS. Segmentation in cardholder environments is occasionally used to reduce the scope of assessment to a subset of systems within a network, but it is not a requirement.
The PCI SSC 11.3 Testing Information Supplement (March 2008) states: “The scope of penetration testing is the cardholder data environment and all systems and networks connected to it. If network segmentation is in place such that the cardholder data environment is isolated from other systems, and such segmentation has been verified as part of the PCI DSS assessment, the scope of the penetration test can be limited to the cardholder data environment.”
This however presents a dilemma for companies such as Sec-1 providing penetration testing services. Consider the following example environment where segmentation is in place: with a network comprising a CDE behind an internal firewall, a corporate network outside this (out of the PCI DSS scope), and an Internet connection. The case we occasionally encounter during the penetration testing scoping exercise is when, or when not to, limit the scope of internal testing to just the CDE.
Following the intent of the PCI DSS requirements – it could be argued that in the case above, if the “internal” aspect of the test is inside the CDE (as is currently defined by the PCI DSS), then everything else is “external” – including both the corporate network and the Internet connection. The reason for this being, if a compromise of the corporate network could allow access into the CDE, and thus CHD, then the segmentation has been proven as not effective.
The expectation would be that a QSA has verified the segmentation as being effective and thus the penetration test can be limited to just the CDE and the Internet connection. However, it is possible the QSA has not verified the effectiveness of any segmentation present, or that the verification itself is technically flawed – leaving the CDE open to abuse.
In several cases during Sec-1’s experience of PCI DSS 11.3 penetration testing engagements, we have proven it is possible to penetrate into a “segmented CDE” (as verified by a QSA) both from the Internet and the corporate Local Area Network (LAN). This highlights a gap where either the verification of the segmentation isn’t performed by the QSA properly or the validated segmentation has been removed post-assessment. It is thus imperative to review segmentation as part of a penetration test, to ensure access control into the CDE from trusted endpoints on connected networks is sufficient to provide protection of CHD.
With the introduction of version 3.0 of the PCI DSS due on the 7th November 2013, the PCI SSC is proposing the following guidance on penetration testing: “Implement a methodology for penetration testing, and perform penetration tests to verify that the segmentation methods are operational and effective”.
We fully expected the updated requirements in version 3.0 to include technical testing to test the effectiveness of CDE segmentation during the penetration test by ensuring the CDE cannot be penetrated through a compromise of any “out-of-scope” connected networks. The now-released draft version of the 3.0 standard underpins this expectation. This will improve overall payment card security and help prevent future payment card abuse by ensuring segmented CDE’s cannot be compromised through any connected networks.
The above blog post is an extract from a paper, ‘PCI DSS 3.0 Compliance: Meeting Requirement 11.3’, written by Matthew Hall, a Sec-1 PCI QSA Consultant. Click the link above to read and download the full version.