PCI DSS: PCI SSC Special Interest Group Releases Guidance on Scoping and Segmentation in Modern Network Architectures

6. November 2024

Our colleague Phillip Meyer was part of the PCI Security Standards Council's Special Interest Group “Scoping and Segmentation for Modern Network Architectures” in 2023/2024. We asked him a few questions about it.

Phillip, would you mind briefly explaining to us what a SIG is?

Phillip Meyer: The Special Interest Groups (SIGs) are initiatives moderated by the PCI SSC and supported by the PCI community. Their purpose is to develop resources that can be consulted as supplements to the standards. Participation is voluntary, but auditors and representatives from numerous companies affected by PCI standards regularly come together to discuss and exchange best practices. The results are made available to the community in the form of guidance documents.

How do you work together in the SIG?

P.M.: The role of the PCI SSC is limited to setting the topics and the schedule and supporting the voluntary participants in creating the final document. The input for the guidance documents comes from the participating companies themselves. In the 2023/2024 period, representatives from a total of 81 companies were involved in the SIG “Scoping and Segmentation for Modern Network Architectures”. For a year, we met twice a month for an exchange in a call. Between these coordination meetings, we then worked on the new document piece by piece in several small groups.

The result of your work is the new 'Scoping and Segmentation Guidance for Modern Network Architectures', which was published in September. Why did the PCI SSC choose this topic?

P.M.: The SIG 2023 was tasked with addressing the topic of modern network architectures, including cloud services and zero-trust networks, in the PCI DSS environment. These are becoming more and more prevalent in many companies. It is now common practice in the PCI DSS environment to see hybrid environments with cloud or even multi-cloud environments alongside traditional network architectures. However, traditional PCI DSS scoping and segmentation practices, for example, are often applied to modern network architectures. This can create security gaps and attackers potentially have more room for a wide range of attack vectors. Especially in the context of PCI DSS, the correct segmentation of the cardholder data environment (CDE) is significantly important, which is why the PCI SSC, with the help of the community, is now addressing precisely this topic.

For whom is the guidance intended?

P.M.: The document that has now been created offers guidance on best practices to be considered in the scenarios described above and is aimed at all companies affected by the PCI DSS that are seeking and require information and best practices on scoping or segmentation practices within modern network architectures. The document also contains some tips and hints for dealing with individual PCI DSS requirements in modern network architectures. For example, there are notes on how to handle segmentation tests or maintain system lists when using volatile microservices.

However, it is important to note that the document does not replace the PCI DSS. It is intended to provide support and additional information. I believe that we have been very successful in achieving this.
