866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

How to Achieve PCI DSS Compliance in a Zero Trust Environment Blog Feature
Salvatore Butera

By: Salvatore Butera

Print/Save as PDF

How to Achieve PCI DSS Compliance in a Zero Trust Environment

Payment Card Assessments | PCI DSS

In the world of digital transactions and data security, the Payment Card Industry Data Security Standard (PCI DSS) serves as a crucial framework that ensures organizations handling payment card data maintain robust security measures. However, performing and passing PCI DSS assessments when you’ve deployed a Zero Trust Environment creates unique opportunities that challenge conventional notions of scope.

As PCI QSAs who have been assessing organizations and their varying environments for over a decade, we’re well-versed in how the complications of PCI DSS can cause pitfalls. That’s why, in this blog post, we’re going to delve into the considerations organizations face when attempting to achieve PCI DSS compliance within a Zero Trust framework.

 

What is a Zero Trust Environment?

Before delving into how a zero trust can define scope, let’s briefly review what a Zero Trust environment entails—Zero Trust is a security model that assumes no trust within or outside an organization’s network.

In a Zero Trust environment, trust is not implicit, as it is in ‘classic’ models—access to resources is granted by a continuous set of controls, which are applied in accordance with the user’s permissions, data sensitivity, and environmental metrics before access is permitted.

 

7 Considerations to Make Within Zero Trust Environment for PCI DSS Compliance

Because trust is never assumed in a Zero Trust Environment, there’s no clearly defined network perimeter, and that mandates significant alternations when applying the PCI DSS requirements.

As the standard traditionally relies on the concept of a network perimeter, with cardholder data residing in specific, well-protected segments, to meet PCI DSS standards, Zero Trust organizations must first classify the sensitivity of data—including said cardholder data as well as authentication credentials—continuously monitor and assess systems and users and do so regardless of their location within the network.

Achieving these things typically requires advanced identity and access management solutions, but it’ll also require significant adjustments to traditional PCI DSS compliance practices—including the following seven.

1. Micro-Segmentation

 

Micro-segmentation entails dividing your network into isolated segments to more strictly define traffic, and while it’s a fundamental element of Zero Trust and enhances your security, it also changes how PCI DSS assessments are run, as every assessment requires an evaluation of the safeguards provided by individual micro-segments. Since each of those features its own set of controls and access policies, that evaluation becomes more complex.

You’ve got to ensure that each element in scope adheres to the appropriate PCI DSS requirements while maintaining the strict isolation Zero Trust requires—to do so, these effective tools and expertise can all play their part in managing the intricacies of micro-segmentation within the context of PCI DSS compliance:

  • Software-Defined Networking (SDN)
  • Zero Trust Network Access (ZTNA) Solutions
  • Container and orchestration security tools
  • Endpoint Detection and Response (EDR)
  • Next-generation firewalls
  • Micro-segmentation solutions

2. Scope Reduction

 

Given the breadth of PCI DSS requirements, there’s often an effort during assessments to minimize the number of systems and components within the cardholder data environment (CDE) to reduce the scope of compliance efforts.

But having a Zero Trust environment involves monitoring and securing assets—so to reduce your PCI DSS scope, you should define things accordingly:

  • First, group data elements and associated systems that are part of the CDE and apply strict access controls through Zero Trust.
  • For all other elements that are in scope but not included in the CDE, your access controls may be less strict, but must still be explicitly defined to the users and resources necessary for business operations.

3. Continuous Monitoring

 

Though each PCI DSS assessment may be a point-in-time review, compliance isn’t a one-time event and it also requires continuous monitoring for detection and response to security threats.

Here’s the good news—because a Zero Trust environment mandates the continuous review of user and device behavior to identify anomalies and assess potential risks in real-time, the controls used to implement and maintain Zero Trust align fully with the scrutiny to meet the PCI DSS.

Here’s the less-good news: acquiring and managing all the required monitoring solutions—including the necessary trained personnel—will be a significant expense. Still, some tools you should consider include:

  • Continuous monitoring of the environment through security information and event management (SIEM);
  • Intrusion detection/prevention systems;
  • Vulnerability scanning tools;
  • FIM solutions;
  • Network traffic analysis tools;
  • EDR solutions;
  • Configuration management tools to prevent configuration drift can help maintain PCI DSS compliance in a Zero Trust environment.

4. Encryption

 

PCI DSS emphasizes encryption as a crucial security control, and Zero Trust similarly advocates for encryption at every level of the network.

However, to ensure that data is protected in rest and transit, a Zero Trust environment actually requires more rigor than the standard does regarding the application of strong encryption and utilization of secure standards consistently across environment—to serve both Zero Trust and PCI DSS, you’ll need an inventory of cryptographic algorithms, keys, and cryptoperiods (how long keys are in use).

Maintaining an inventory and securely managing the rotation and retirement dates is best done through centralized key management systems and tools, of which there are many software solutions available for both on-premises and cloud encryption (depending on what you use).

5. Identity and Access Management (IAM)

 

If you deploy a Zero Trust environment, you know it relies heavily on robust IAM solutions for both human users and service accounts. While this enhances security, you also must ensure that your IAM policies align with PCI DSS requirements—especially when it comes to authentication and authorization mechanisms.

When aligning your IAM policies, make sure to consider the following prescriptive requirements within PCI DSS v4.0:

  • Requirement 8.2.8 - Inactivity timeouts of 15 minutes or less
  • Requirement 8.3.4 - lockouts for bad password entry of no more than 10 attempts for a minimum of 30 minutes
  • Requirement 8.3.6 - A minimum password length of at least 12 characters containing both numeric and alphabetic characters.

6. Balance of Security and Payment Processing

 

Zero Trust Security can be so stringent that it potentially impacts the efficiency and agility of your payment processing operations—when you add in also trying to meet the PCI DSS requirements as well, striking the right balance between rigorous security measures and the seamless flow of payment transactions becomes crucial.

Achieving this balance requires a thorough evaluation and fine-tuning of security policies and tools.

More specifically, detailed risk assessments and centralized encryption key management protecting payment processing functions—such as the use of strong TLS ciphers and symmetric encryption for data at rest—are important to minimize the burden of managing the security controls around protecting cardholder data.

7. Lack of PCI DSS Standardization in Zero Trust

 

While PCI DSS offers a comprehensive framework for payment card data security, specific guidance for implementing security measures within a Zero Trust Environment is not currently available. This lack of standardization makes it challenging for organizations to measure their PCI DSS compliance effectively in this context.

As such, customized approaches are often necessary to adapt PCI DSS requirements to the Zero Trust model, which can be time-consuming and resource-intensive, but our article on how to prepare for this will help.

 

Moving Forward with Zero Trust and PCI DSS

Though not impossible, PCI DSS compliance in a Zero Trust Environment presents a unique set of challenges, as organizations must adapt the continuous, boundary-less nature of Zero Trust to the critical standard for securing payment card data and its traditional reliance on network perimeters and periodic assessments.

To do this will require investment in advanced technologies, redefining compliance practices, and balancing security measures with the efficiency of payment processing, but by addressing these challenges head-on, you can ensure the security of payment card data—and compliance with PCI DSS—while embracing the benefits of a Zero Trust approach.

For more information that can help you smooth out further challenges with PCI DSS, check out our other articles that detail different aspects:

About Salvatore Butera

Salvatore Butera is a Senior Associate with Schellman. Prior to joining Schellman in 2022, Salvatore provided consultative services across a variety of industries, including services ranging from on-premises and cloud system architecting, risk assessment, PCI DSS compliance, network security, and other general consulting services. Salvatore holds several industry certifications including CISSP, CISA, QSA, AWS CSA, and CCSK, and as a Senior Associate at Schellman, he focuses primarily on PCI engagements for organizations spanning many different industries.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.