Beefing up network security to comply with the Payment Card Industry Data Security Standard (PCI DSS) means more...
than adding firewalls. One Midwestern nonprofit plans to use network segmentation to tackle the job.
"I've always been a big proponent of 'KISS: Keep it simple, stupid' … [because] if it's simpler, it's easier to troubleshoot and it's easier to maintain," said Bob Branski, systems administrator at Goodwill Industries of Southeastern Wisconsin (SEW) and Metropolitan Chicago. "[But] PCI doesn't mean you can always keep it simple. You have to add more complexity to the environment, and as you add more complexity, you have to add more change control."
Created in 2004 by four major credit-card companies -- Visa, MasterCard, Discover and American Express -- the PCI DSS lays out a dozen standardized policies and procedures for organizations to safeguard credit, debit and cash card transactions that traverse or are recorded on their networks.
The board of directors for Goodwill SEW, the largest Goodwill worldwide in terms of revenue and employees, handed down the order last year that the network connecting its 56 retail and corporate locations would need to be PCI-compliant, Branski said.
"We've always had certain levels of security in place," he said. "Before PCI came along, it was up to each individual company to determine what [it] felt was a secure method of storing or protecting data."
To comply with PCI, network segmentation on tap
As a nonprofit, Goodwill receives software grants from Microsoft and hopes to get more mileage out of its Internet Security & Acceleration (ISA) server software to reach PCI compliance, Branski said. As alternatives, he is also evaluating security software from Check Point, Blue Coat and Barracuda, but he expects to tip toward Microsoft, in part for its savings.
"Every dollar I don't spend on my infrastructure is a dollar that is going to support a program or function for the community," he said. "We're even more cost-conscious [than the private sector]."
But the nitty-gritty of PCI compliance has physical and technical challenges for Goodwill SEW's small networking team, according to Branski, who heads up most networking responsibilities for the nonprofit.
Although there are just two servers in his data center that process credit-card transactions, the trouble lies in looking at and modifying every server, switch and router that any credit-card data may touch.
Branski expects to have to add at least one more virtual LAN (VLAN) for each store for point-of-sale devices, in addition to software upgrades. PCI network segmentation will also mean isolating those VLANs and isolating six to eight servers at corporate headquarters.
"If all of the devices function on the same networking structure, we have to make sure [they have different routing rules]," Branski said. He will be responsible for nearly all of the PCI network segmentation and changes over the next six to eight months.
The standard is also somewhat ambiguous about what is "in scope" or "out of scope" for planning PCI network segmentation, he added. A router that never sees credit-card transactions, for example, is likely to be connected to a switch that does.
Something as simple as switching out a broken cash register at a Goodwill store "adds this extra layer of complexity" and turns a building operations job into an IT one, Branski said. "I don't necessarily want that to happen," he added, "but it's something we have to think about."
Let us know what you think about the story; email: Jessica Scarpati, News Writer