For e-commerce organizations, protecting payment card data is a top priority. So is maintaining compliance with the PCI Data Security Standard (PCI DSS). With the arrival of PCI DSS 4.0, it’s critical to review your audit readiness, including a thorough assessment of your cardholder data environment (CDE).
Segmenting your infrastructure to shrink the assessed footprint is a key step. Network segmentation is not mandated by PCI DSS 4.0, but it should be: that is how important it is both to PCI DSS compliance and to your overall data security posture. Note that once segmentation is used to reduce scope, the standard does hold you to it: segmentation controls must be penetration-tested for effectiveness at least once every 12 months and after any change to them (Requirement 11.4.5), and the scope of the assessment must be documented and confirmed at least every 12 months (Requirement 12.5.2). The key questions are, "What is the best segmentation approach? And are you still doing it the hard way?"
Times Have Changed … Quickly
Traditional segmentation methods such as virtual LANs (VLANs), access control lists (ACLs) and internal firewalls have long been used to separate the CDE from out-of-scope systems. These technologies are cumbersome to manage and maintain, which puts pressure on already strained teams to keep the systems and applications inside the CDE properly isolated. As retail organizations operate and scale across complex architectures, legacy methods cannot keep pace. The result is firewall misconfigurations and inconsistent application of security policies; because any system that can connect to the CDE is itself in scope, a single over-permissive rule can silently pull out-of-scope systems back into the assessment. That increases the likelihood of a failed PCI audit, or worse, a breach of customer data.
A Modern Segmentation Approach
To remove the growing complexity and operational overhead associated with PCI scoping, forward-looking organizations are turning to micro-segmentation to wall off their CDE more effectively. This software-defined approach reduces the headaches of PCI scoping and streamlines compliance with PCI DSS 4.0. Unlike traditional methods, software-defined segmentation decouples policy from the underlying infrastructure: rules are expressed in terms of workloads and the communications they are allowed, and are typically enforced by agents on the workloads themselves, so no firewall or network changes and no server reboots are needed to apply them. That avoids the network maintenance windows that slow deployments, and the business, down. Segmentation policy itself still belongs under change control, since PCI DSS expects segmentation controls to be re-tested after they change, but each change is a policy update rather than a re-architecture of the network.
As a result, software-defined segmentation makes it dramatically simpler to segment the CDE in ways that minimize the assessed environment, while also providing both real-time and historical views of network traffic that can be handed to Qualified Security Assessors (QSAs) as evidence that the segmentation actually holds. The result: lower compliance costs with increased assurance.
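To make the "workload-level allow-list, validated against observed traffic" idea concrete, here is an added example that is not part of the original article and not Akamai's product code. It expresses segmentation policy in terms of named tiers rather than network topology, then replays constructed flow records (the kind a host agent or NetFlow export would produce) and reports every flow that touches the CDE but is not on the allow-list. The tier names, CIDRs, ports and flow records are all hypothetical.

```python
"""Check observed flows against a workload-level segmentation policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed, hypothetical environment. Tiers are named so that policy is
# independent of topology: no VLAN or firewall zone appears in any rule.
TIERS = {
    "web":         [ip_network("10.0.1.0/24")],   # out-of-scope storefront
    "payment-app": [ip_network("10.0.2.0/24")],   # CDE
    "card-db":     [ip_network("10.0.3.10/32")],  # CDE
    "monitoring":  [ip_network("10.0.9.0/24")],   # connected-to system, in scope
}
CDE_TIERS = {"payment-app", "card-db"}

# Allow-list of (source tier, destination tier, destination port).
# Default deny: any flow into or out of a CDE tier not listed here is a violation.
ALLOW = {
    ("web", "payment-app", 8443),
    ("payment-app", "card-db", 5432),
    ("monitoring", "payment-app", 9100),
    ("monitoring", "card-db", 9100),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def tier_of(addr: str) -> Optional[str]:
    """Map an IP address to its tier; None for unknown/unmanaged hosts."""
    ip = ip_address(addr)
    for name, nets in TIERS.items():
        if any(ip in n for n in nets):
            return name
    return None


def touches_cde(flow: Flow) -> bool:
    """True if either endpoint is in a CDE tier (covers egress from the CDE too)."""
    return tier_of(flow.src) in CDE_TIERS or tier_of(flow.dst) in CDE_TIERS


def is_allowed(flow: Flow) -> bool:
    # An unknown source maps to None, which never matches an allow-list entry.
    return (tier_of(flow.src), tier_of(flow.dst), flow.dport) in ALLOW


def segmentation_violations(flows: List[Flow]) -> List[Flow]:
    """Flows that involve the CDE but are not on the allow-list: audit evidence."""
    return [f for f in flows if touches_cde(f) and not is_allowed(f)]


# Constructed flow records standing in for an agent or NetFlow export.
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "10.0.2.7", 8443),     # storefront -> payment app: allowed
    Flow("10.0.2.7", "10.0.3.10", 5432),     # payment app -> card DB: allowed
    Flow("10.0.1.15", "10.0.3.10", 5432),    # storefront -> card DB: violation
    Flow("10.0.9.4", "10.0.2.7", 22),        # monitoring SSH into CDE: violation
    Flow("192.168.77.3", "10.0.3.10", 5432), # unknown host -> card DB: violation
    Flow("10.0.1.15", "10.0.1.16", 80),      # out-of-scope to out-of-scope: ignored
]

if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {v.src} -> {v.dst}:{v.dport} "
              f"({tier_of(v.src)} -> {tier_of(v.dst)})")
```

Two design points matter for the audit conversation. The policy is default-deny, so an unmanaged host that nobody mapped to a tier shows up as a violation rather than slipping through, and flows are checked in both directions, so unexpected egress from the CDE is flagged as readily as unexpected ingress. Run against historical flow data, the violation list is exactly the evidence a QSA asks for when confirming that segmentation controls are effective.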
Strengthening Your Security Posture
Streamlining PCI DSS compliance is reason enough to adopt software-defined segmentation. But there is an even more important reason: defending against the increasing number of ransomware attacks. The e-commerce industry is at the top of the hit list for ransomware and other cyber threats. In a recent independent survey of key industry verticals, e-commerce organizations reported the highest number of ransomware attacks in 2023: 167 on average, compared to 86 on average for respondents across all industries surveyed, including financial services, healthcare and the energy sector. That is why CISOs are turning to zero trust-based controls such as micro-segmentation to limit lateral movement after a successful intrusion and stop incidents from turning into full-blown breaches.
Another risk area for commerce organizations is internet of things (IoT) and operational technology (OT) assets, from internet-connected sensors to "smart" building systems, throughout modern retail, warehouse and distribution facilities. Because they cannot run host-based security agents and are hard to patch, these assets are highly exposed to attack. According to Forrester's 2023 report on the State of IoT Security, 33 percent of senior global security leaders cited IoT devices as the No. 1 target for external cyberattacks. Defending against compromise requires segmenting IoT and OT environments so that a compromised device cannot be used as a foothold into the broader IT infrastructure, and vice versa. Since agentless devices cannot enforce policy themselves, that segmentation has to be enforced either from the network side or by the agents on the IT workloads those devices are allowed to talk to.
The bottom line: Software-defined segmentation can dramatically simplify the task of demonstrating compliance with PCI DSS 4.0, while significantly reducing your attack surface. That is a win any e-commerce organization can get behind.
Susan McReynolds is an industry strategist for commerce at Akamai Technologies, a cloud company that powers and protects life online.