To comply with PCI, network segmentation planned at nonprofit

Meeting the Payment Card Industry Data Security Standard (PCI DSS) requires more than adding firewalls. To stay compliant with PCI, network segmentation is how one Midwestern nonprofit plans to tackle the job.

Beefing up network security to comply with the Payment Card Industry Data Security Standard (PCI DSS) means more than adding firewalls. One Midwestern nonprofit plans to use network segmentation to tackle the job.

"I've always been a big proponent of 'KISS: Keep it simple, stupid' … [because] if it's simpler, it's easier to troubleshoot and it's easier to maintain," said Bob Branski, systems administrator at Goodwill Industries of Southeastern Wisconsin (SEW) and Metropolitan Chicago. "[But] PCI doesn't mean you can always keep it simple. You have to add more complexity to the environment, and as you add more complexity, you have to add more change control."

PCI network
segmentation resources

Get expert advice on how to implement PCI network segmentation

To comply with PCI, network segmentation is a must

PCI network segmentation: One strategy to cope with "the dirty dozen"

Created in 2004 by four major credit-card companies -- Visa, MasterCard, Discover and American Express -- the PCI DSS lays out a dozen standardized policies and procedures for organizations to safeguard credit, debit and cash card transactions that traverse or are recorded on their networks.

The board of directors for Goodwill SEW, the largest Goodwill worldwide in terms of revenue and employees, handed down the order last year that the network connecting its 56 retail and corporate locations would need to be PCI-compliant, Branski said.

"We've always had certain levels of security in place," he said. "Before PCI came along, it was up to each individual company to determine what [it] felt was a secure method of storing or protecting data."

To comply with PCI, network segmentation on tap

As a nonprofit, Goodwill receives software grants from Microsoft and hopes to get more mileage out of its Internet Security & Acceleration (ISA) server software to reach PCI compliance, Branski said. As alternatives, he is also evaluating security software from Check Point, Blue Coat and Barracuda, but he expects to tip toward Microsoft, in part for its savings.

"Every dollar I don't spend on my infrastructure is a dollar that is going to support a program or function for the community," he said. "We're even more cost-conscious [than the private sector]."

But the nitty-gritty of PCI compliance has physical and technical challenges for Goodwill SEW's small networking team, according to Branski, who heads up most networking responsibilities for the nonprofit.

Every dollar I don't spend
on my infrastructure is a dollar that is going to support a program or function for the community.

Bob Branski
Systems AdministratorGoodwill Industries of Southeastern Wisconsin and Metropolitan Chicago

Although there are just two servers in his data center that process credit-card transactions, the trouble lies in looking at and modifying every server, switch and router that any credit-card data may touch.

Branski expects to have to add at least one more virtual LAN (VLAN) for each store for point-of-sale devices, in addition to software upgrades. PCI network segmentation will also mean isolating those VLANs and isolating six to eight servers at corporate headquarters.

"If all of the devices function on the same networking structure, we have to make sure [they have different routing rules]," Branski said. He will be responsible for nearly all of the PCI network segmentation and changes over the next six to eight months.

The standard is also somewhat ambiguous about what is "in scope" or "out of scope" for planning PCI network segmentation, he added. A router that never sees credit-card transactions, for example, is likely to be connected to a switch that does.

Something as simple as switching out a broken cash register at a Goodwill store "adds this extra layer of complexity" and turns a building operations job into an IT one, Branski said. "I don't necessarily want that to happen," he added, "but it's something we have to think about."

Let us know what you think about the story; email: Jessica Scarpati, News Writer

Dig deeper on Network Security Best Practices and Products

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close