Rising to the challenge of new data security standards

Apr, 16, 2025 Hi-network.com

With the rate of security vulnerabilities doubling every seven years and coming off one of the largest known infrastructure attacks (Salt Typhoon), modern security at speed and cost is non-negotiable for securing financial transactions. To ensure the safety of cardholder environments, financial institutions must understand the guidance on modern technologies and applicable controls.

Late last year, the Payment Card Industry Standards Security Council (PCI SSC) published an information supplement that gives companies and auditors better clarity on the newer, evolving designs that are becoming pervasive in the industry, along with real-world scenarios for applying PCI DSS scoping and segmentation techniques in a variety of modern network architectures.

This supplement did not supersede earlier requirements or guidance, but rather augmented the existing scoping and segmentation guidance to cover newer technologies. These technologies include cloud services, zero trust models, and microservice environments.

Read on to learn more about what the PCI SSC informational supplement covers and how financial institutions can achieve these best practices, at scale, speed, and cost with Cisco Hypershield and Splunk.

The architectures covered in the segmentation and scoping supplement

The big topics in this guide are multi-cloud architectures, zero trust architectures, hybrid cardholder data environments, network virtualization technologies (hybrid mesh and SDN), and secure software development. If you are planning to deploy these technologies, or have deployed them, you should consider the guidance and incorporate it into your overall risk and audit planning.

  • Multi-cloud environments present unique challenges for PCI DSS scoping and segmentation. Organizations using multiple cloud service providers (CSPs) must establish consistent security controls across disparate environments, each with its own implementation mechanisms. The document addresses how segmentation controls need to function across these boundaries and how penetration testing should verify their effectiveness.
  • Zero trust architecture models focus on granular access control and verification of every transaction based on identity, device posture, and contextual factors rather than network location. This approach complements cloud computing principles but introduces its own implementation considerations for PCI DSS compliance.
  • Hybrid cardholder data environments: Many organizations maintain hybrid environments where cardholder data traverses both on-premises and cloud infrastructure. The guidance addresses the unique segmentation challenges these environments present, including maintaining consistent controls across diverse technologies and establishing clear responsibility boundaries between the organization and service providers.
  • Network virtualization introduces additional complexity to segmentation efforts. Virtual networks, software-defined networking, and overlay networks create logical segments that may not map directly to physical infrastructure. The document provides guidance on implementing and verifying effective segmentation in these virtualized environments. There are new controls and capabilities corresponding to new technologies, which are discussed in this document.
  • Secure software deployment: The document briefly addresses how DevOps practices intersect with PCI DSS scoping, highlighting the importance of integrating security controls throughout the software development lifecycle.

Enter Cisco Hypershield and Smart Switch

Cisco Hypershield was released for the exact use cases discussed in the PCI security segmentation supplement. The shift to more modern technologies has caused institutions to rethink security controls.

Cisco Hypershield is cloud native security for modern applications. It is built on modern building blocks, like eBPF, hardware acceleration, and artificial intelligence. It works with eBPF to provide an agent that can think in user space and act in kernel space. It can be used in on-premises as well as cloud environments, for consistent security from any core to any cloud.

Cisco Smart Switch addresses a key point in large-scale data center and colocation segmentation journeys: the ability to exponentially scale up your data security for public cloud expansion and multi-zone segmentation, without exponential scaling of your power grid. Traditionally we solved firewall problems by scaling up software-switched firewalls, but this is computationally expensive and inefficient. The currency of the realm in the colocation is rack and power, and the ability to offer an 800g stateful L4 firewall for zone segmentation, with firewall-class logging in 1 RU, at a fraction of the cost, is exactly what is needed for the multicloud environment with high-speed direct connects.

Splunk meets visibility and automated logging requirements

The need for logging and log automation is described extensively in PCI DSS 4.0 and reiterated in the new guidance. Extensive logging and the ability to apply machine learning and automated alarming are critical to support these new technologies.

The segmentation supplement is explicit: "Implement extensive logging. When a network policy denies traffic, it should be logged and reviewed."

Scaling this to an organization of any sizable scale will demand automation and AI/ML capabilities, which are built into the Splunk platform. The challenges of observing flows in service mesh environments, and the external nature of public clouds, make the ability to detect and alert in real time one of the most significant changes in the PCI DSS 4.0 spec (and corresponding supplement). The importance of visibility in security cannot be overstated. You are only as secure and only as compliant as you are aware. You cannot protect from that which you cannot detect, and Splunk adds the ability to detect.

In conclusion, the time is now for financial institutions to address the guidance provided by PCI SSC to secure cardholder environments in today's technology landscape. We encourage you to continue the conversation with your sales representative on how Cisco can help scale these best practices for your financial institution at speed and cost.

