More PCI Woes

Another major complaint of mine is that the defined scope of the PCI DSS 1.1 spec does not scale very well for today's modern architectures. The applicable scope is defined as:

These security requirements apply to all “system components.” System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications.

This is all well and good for most traditional networks, however they fail to account for key components of modern networks. Take for instance the following examples:

• Virtualization - What happens when the machines that accept and process card holder data are virtualized? Do PCI requirements extent to every virtual machine that these machines may share hardware with? If your virtualization software allows for real time transitioning of machines across a virtulization cluster, is every machine in the cluster now subjected to PCI? What if administrative authentication to the virtualization management console is controlled by your internal Active Directory structure? Is that now also within scope?


• Service-Oriented Architecture/ Enterprise Service Bus - The big trend in modern web applications is to provide a type of service-oriented architecture. A key component of this is whats known as an enterprise service bus (ESB). The ESB is used to connect all the machines in your production architecture to facilitate the passing of data. So, if the web server that accepts the card holder data utilizes the ESB to transfer that data to the processing server and/ or a fulfillment application, does that mean that the ESB and every machine which touches it are now subjected to the PCI requirements?

The common response is to limit the scope of PCI DSS requirements by means of network segmentation. However, given the following examples some things simply transcend past network segmentation.


(Warning, rant below!)

So surely there must be some way I can do more than whining to help address these short comings in the PCI DSS spec. Of course there is! For the low low fee of $2,000 USD, I too can pay the PCI Security Standards Council to *allow* me to help them. For some odd reason, this just seems a bit backwards to me.