The Council had a Webinar session for QSAs and ISAs on Thursday, December 15. It was a great session, but at only an hour, there were a lot of questions that went unanswered. The following were the more notable discussion topics.
Not Tested
The Council got the message and they are working on new wording for the AOCs as well as some guidance for “Not Tested” and how it can be used and not impact PCI compliance. They expect to have something issued in the first quarter of 2017.
Network Segmentation and Scoping
We got a definition of “purpose-built controls”. There really is not any change here in what the Council has told QSAs and ISAs in the past regarding segmentation. The bottom line is that “purpose-built controls” are those controls that segment one network from another network. That can be firewall rules, access control lists (ACLs) or any other control that restricts communication between one network and another. I posed a question regarding encryption such as TLS and IPSec as still being a valid segmentation control, but it did not get answered. I am assuming that it still is a valid control given the Council’s statement that nothing has changed, but until we have explicit confirmation, that still is an assumption, not a fact.
The Council answered a number of questions regarding whether or not in-scope devices and out-of-scope devices can co-exist on the same network segment. As usual, we got the “it depends” discussion. The bottom line is that it depends on the threat presented by the out-of-scope devices to those in scope. If an organization has lax security controls over all of their networks and devices, then I would be hesitant to allow out-of-scope devices to be on the same network segment as in-scope devices.
One of the most amazing discussions on this topic was an answer given regarding whether or not a device that has only an outbound connection from the cardholder data environment (CDE) can be considered out of scope. Under the Open PCI Scoping Toolkit, this would be categorized as a 2C system. The Council started out with their stock answer of “it depends” and then clarified that answer. The answer given was that while the system would be in scope because it is connected to the CDE, what requirements it would need to comply with would depend on the risk presented by the system to the CDE. This seemed to give organizations an opportunity to argue for a reduced set of applicable requirements. I am sure this will result in a lot of arguments between QSAs, ISAs and their assessees in the future.
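To make the two points above concrete, here is an added example (it is not from the post, the Council, or any product) that models a “purpose-built control” as a default-deny, first-match rule set between network segments and then checks which segments still have any permitted path to the CDE. The segment names, address ranges and rules are constructed for illustration; the evaluator is a simplification that treats only new connections and assumes the real firewall is stateful, so return traffic for an allowed connection is implied. The “logging” segment plays the role of the 2C system discussed above: it is reachable only by connections initiated from the CDE, and the report still shows it as connected to the CDE, which is the Council’s reasoning for keeping it in scope.

```python
"""Added example: a tiny segmentation-policy model and a CDE isolation check.

Not the post's or the Council's code. Segments, addresses and rules below are
constructed assumptions chosen to illustrate the segmentation discussion.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed segments (assumed addressing, not from any real environment).
SEGMENTS = {
    "cde":       ip_network("10.10.0.0/24"),  # cardholder data environment
    "logging":   ip_network("10.20.0.0/24"),  # syslog collector; CDE connects OUT to it only
    "admin":     ip_network("10.30.0.0/24"),  # jump host; allowed INTO the CDE on one port
    "corporate": ip_network("10.40.0.0/24"),  # meant to be fully segmented from the CDE
}


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"


# First-match rule set. The two trailing blanket denies are what make this a
# segmentation control rather than a flat, routed network.
RULES: List[Rule] = [
    Rule("cde", "logging", 514, "allow"),  # CDE hosts push syslog outbound
    Rule("admin", "cde", 22, "allow"),     # administration inbound over SSH only
    Rule("any", "cde", None, "deny"),      # nothing else may initiate into the CDE
    Rule("cde", "any", None, "deny"),      # the CDE may initiate nothing else outbound
]


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or "unknown" if it is in none of them."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def _segments_match(rule: Rule, src_seg: str, dst_seg: str) -> bool:
    return rule.src in ("any", src_seg) and rule.dst in ("any", dst_seg)


def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Decide a new connection attempt by first matching rule; default deny."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for rule in RULES:
        if _segments_match(rule, src_seg, dst_seg) and rule.dport in (None, dport):
            return rule.action
    return "deny"  # implicit default deny, should the explicit ones ever be removed


def _any_allowed(src_seg: str, dst_seg: str) -> bool:
    """True if at least one port from src_seg to dst_seg survives the rule order."""
    denied_ports = set()
    for rule in RULES:
        if not _segments_match(rule, src_seg, dst_seg):
            continue
        if rule.action == "deny":
            if rule.dport is None:
                return False  # blanket deny shadows every later rule for this pair
            denied_ports.add(rule.dport)
        elif rule.dport is None or rule.dport not in denied_ports:
            return True
    return False


def cde_exposure() -> Dict[str, List[str]]:
    """For every non-CDE segment, list the directions in which some connection
    to or from the CDE is permitted. An empty list means the segment is
    segmented from the CDE; anything else means it is "connected to the CDE"
    in the Council's sense, whichever side initiates the connection."""
    report: Dict[str, List[str]] = {}
    for seg in SEGMENTS:
        if seg == "cde":
            continue
        directions = []
        if _any_allowed(seg, "cde"):
            directions.append("inbound-to-cde")
        if _any_allowed("cde", seg):
            directions.append("outbound-from-cde")
        report[seg] = directions
    return report


if __name__ == "__main__":
    print(evaluate("10.10.0.5", "10.20.0.10", 514))   # allow: CDE -> syslog collector
    print(evaluate("10.20.0.10", "10.10.0.5", 514))   # deny: collector cannot initiate into CDE
    print(evaluate("10.30.0.2", "10.10.0.5", 22))     # allow: jump host SSH into CDE
    print(evaluate("10.40.0.7", "10.10.0.5", 443))    # deny: corporate is segmented
    for seg, dirs in cde_exposure().items():
        print(f"{seg}: {'segmented' if not dirs else ', '.join(dirs)}")
```

The useful part for an assessment is `cde_exposure()`: it answers the question a QSA actually has to ask of a rule base, namely which segments have any permitted path to the CDE in either direction, rather than whether a particular flow is blocked. In this constructed example the corporate segment comes back empty and can be argued out of scope, while the logging segment, although it can never initiate a connection into the CDE, still shows an outbound path and therefore stays connected to the CDE and in scope, with the applicable requirements a matter of the risk it presents.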