Video: Practical PCI-DSS Compliance for Complex IT Environments | Duration: 1257s | Summary: Practical PCI-DSS Compliance for Complex IT Environments | Chapters: Webinar Introduction (0s), PCI Compliance Importance (42.472s), PCI DSS Requirements (217.82198s), PCI Compliance Automation (475.287s), Custom PCI Dashboards (727.38204s), Concluding Key Takeaways (1112.1021s)
Transcript for "Practical PCI-DSS Compliance for Complex IT Environments":
First of all, I'm going to give you a little bit of context about PCI DSS: where we stand right now, who it's for, how it's important for network operators, and how some specific regulations or requirements within PCI DSS relate to network operations and assurance. And I'll give you a few practical tips on how you can use network assurance tools like IP Fabric to help manage your compliance operations in relation to PCI. And these actually apply across a lot of different compliance regulations and security frameworks, so I do hope it will be helpful for you. Alright, let's dive in. First of all, just to zoom out and understand what we're working with here: the PCI Data Security Standard, which is published globally by the PCI Security Standards Council, exists to benefit anyone using a card to pay for goods and services, and I'm willing to bet that includes you. So this is about protecting your data as a consumer, and it's important for companies to adhere. It's designed to protect payment account data wherever it lives, be that in storage, while it's being processed, or while it's being transmitted, and it lays down a baseline of both operational and technical standards and requirements that all organizations handling this data must follow. And it's so critical right now, more than ever. At the upcoming global collaboration meeting for industry experts concerned with PCI, which will be in Amsterdam just this October, they will actually dig into factors like cloud computing, artificial intelligence, and emerging threats to do with cyber attacks as big reasons to advance your payment security now and take it as seriously as ever. Right? And, of course, the consequences of noncompliance are very serious.
We have regulatory fines as well as reputational damage, and you could even lose the ability to process card payments; you can just imagine the impact of this for any modern business. It's, of course, relevant for banking and financial services, yes, but also retail, which we know has been under the spotlight due to cyber attacks, ecommerce, hospitality, banking, health care, and really any environment. It's not vertical specific. It's any environment with a complex IT network that touches payment data in some way. And those networks, of course, include routers, firewalls, switches, encrypted tunnels, interdependencies, and critical application infrastructure, all of which must be compliant as well as performant. Last year, we saw more specific PCI updates. We're now on version 4.0.1, including specificity around rules governing cardholder data environments. Collectively, these changes really reinforce the security authentication rules, remote connectivity, wireless monitoring, and proactive vulnerability detection across routers, firewalls, and related infrastructure. So very pertinent for anyone dealing with the struggle of keeping your network secure and compliant. Right? I'm going to move on to what we can actually see in the payment card data security standard version 4.0.1. So just to break it down, in case you've never had time as a network professional to actually dive into the nuts and bolts of this regulation: there are 12 main requirements, and a bunch of sub-requirements under each one, of course. And they're split into six sections. So these are the first three that we're looking at now, and I want to look at some of the specific language and how this relates to network assurance. Right? So that first category, with the first two requirements underneath, is build and maintain a secure network and systems. Right?
And requirement one is install and maintain, I've emphasized maintain, network security controls. So let's talk about why there's a maintenance part. It's actually one of the hardest parts of PCI compliance. And for this, I'll actually quote the IP Fabric CEO, Pavel Bykov, from his recent Forbes article on the greenfield fallacy, as he calls it. So he said that infrastructure doesn't stay new for long. The moment it's deployed, it starts aging. New applications, devices, departments, and requirements emerge all the time. Teams expand and contract, vendors change, acquisitions happen, and soon that once pristine environment is just another brownfield struggling with the same control and visibility challenges enterprises have faced for decades. Some specificity to this in terms of PCI: PCI DSS requirement 1.2.3 specifically calls out the need to maintain accurate network diagrams that show all the connections between the CDE, the cardholder data environment, and other networks, including wireless. So just an example of where you would find that requirement fulfilled in IP Fabric: we have these network documents that are not your traditional static document that you need to manually update, but actually an interactive, flexible network digital twin that is updated with every snapshot that you run, where you get this thousand-foot view but can also drill down into specific devices to understand those interconnections. So as we stop and look at this and you're thinking about your network and how these diagrams might be helpful for you, I did want to bring up a quick poll just so you can let us know what your main challenges are in terms of PCI compliance. So what do you find most challenging about PCI DSS compliance? Is it managing that device inventory, which we'll look at how to do as well?
Detecting segmentation drift, so your segmentation policies are not being applied as you expect them to be; validating security controls, maybe you're dealing with a multi-site environment where it's hard to maintain consistency; or is it just gathering that proof of compliance, having that evidence in a consumable way to pass on to other teams as they need it? You let us know, and we can share the results in a bit. Alright. So going back to those first three categories, I also just wanted to emphasize Pavel's point here about the link to maintenance. So we really need IT leaders to abandon the set-it-and-forget-it mindset, even if they have a good intention of building something that's really secure from the ground up. Instead, they should take a proactive approach to network control and maintain continuous validation and control of the network environment, because otherwise they risk ending up with a tangled mess of security gaps and infrastructure and operational inefficiencies. Speaking of gaps, requirement two here describes the application of security configurations to all system components, and I've highlighted all here. So when it comes to the network specifically, if you're using, for example, a traditional CMDB or similar as your source of truth to know which network components to apply security controls to, you could very well be leaving out unmanaged or forgotten devices. We often find discrepancies of up to 20% during POCs or in production, using our more accurate, complete, and detailed discovery mechanisms than those traditional tools would provide. And just an example once again of where you would find this in IP Fabric. Right?
Here, we can actually see, even from that first discovery, once you have your network snapshot, you have your inventory, and we do actually highlight for you unmanaged neighbors that we know exist, that are likely not getting those security policies that you're wanting to push. So I highlight it all in this first slide to really just emphasize that if you have devices in your network that are not getting the correct security applications, updates, configuration updates, etcetera, you are violating your PCI obligation. Alright. Moving on to the next three of those six categories. Once again, throughout here we can see these themes of information, having the information you need and control of that information, repeated. And again, to get specific, there is a lot in PCI, mainly in requirement 12 but also in requirement 2 and spread out, about having inventory information in a way that's continuously updated. So requirement 12.3.4 asks us to have hardware and software technologies in use reviewed at least once every 12 months. And IP Fabric definitely fulfills this if you're having a daily snapshot updated. But once again, we're not just an inventory, we're not just an asset inventory tool; we're actually fortifying that with intelligence and giving you the information you need to go practically make updates to the network as you need to. So what does this look like? Well, we have this end-of-life milestones table, which gives you a lot of information about devices that are reaching end of support, end of maintenance, or, of course, end of life. And this life cycle management information is so valuable in a vast, complex, multi-site, multi-technology network environment. To manually gather this, make sure it's up to date, and get this information to the people who need it is a huge toll. So having this automated gives you a lot fewer headaches, for sure. Alright.
So we've looked at a little bit of what IP Fabric can do, and I just want to sum it up before we actually dive into the product and look at how you can bring all this information together into one place. We can maintain a complete and continuously updated device inventory. Right? We automatically do this for you every day. We can also validate that segmentation and encryption policies are functioning as intended; we'll take a look at this with intent checks. And, of course, something that is a slightly new feature for IP Fabric in our recent releases is that you can build your own custom PCI compliance dashboard to streamline this validation every day. So I'm going to share my screen and do a short demo of this, so you can see how to do it for yourself. Alright, give me one second. And here we are. So usually I'd start an IP Fabric demo with our overview, which shows you there are 160-plus out-of-the-box intent checks that you can use to query all the information that we gather. But today, I'm actually starting with a PCI DSS version 4.0.1 custom dashboard. Now this is really cool, because you can add and tailor dashboards to whoever you want to see them, so you can tailor one to an audience or for a specific use case. Right? So you get into work in the morning and, instead of having an information overload, you have it really tailored. And here I've actually put in the specific language. So we spoke about inventory. Right? Here I've got requirement 2.4 and requirement 12.5.1, which definitely overlap slightly. And I have the information from IP Fabric that we would want to see, including a comparison of what's changed in the network from snapshot to snapshot. So really super useful stuff, and I do just want to show you how you would add to this yourself if you were wanting to create your own dashboard.
So you would click edit on the dashboard and then click here to add a widget. And this is all based on either the discovery data that we have already available, that you can simply add in, or our intent verification checks. Right? So I'm going to go to intent verification checks and say I wanted to fulfill this user authentication information based on requirement 10.1; I would simply click here. I can add whatever title I want; I've already got this prefilled. And then if I know the rule that I'm searching for, I can simply search for it. We can actually also browse the intent checks that exist and simply select and move those into your dashboarding environment. So I'm just doing an example. So I'm just going to do a few to show you. I would then go down here, choose what view I want to see that in, I'm simply going for this widget view, and that would be added. Right. And I just kind of doubled up here, but just adding something to reveal that information for this specific dashboard. So yeah. So just a recap, from that discovery, okay, I'm going to save my changes and leave here. But from that discovery, we've discovered our network. We have that inventory. We have beautiful dashboards that we can tailor to different audiences. We can share this information with different audiences too. Usually, we have reports from each snapshot that we can also share, if we want a boilerplate report of our network status; of course, all that information in our inventory, whatever intent check is applied up top here, you would be able to then import that information into your dashboard environment as well. And, of course, more detailed information in, for example, end-to-end paths to understand how segmentation is operating, where IPsec tunnels are applied and how they're applied, and, of course, those network diagrams that are a specific requirement for PCI. So I'm just going to stop sharing and go back to my slides. Alright.
Where were we? Okay. So it's easy to see why all of this will just make your life so much easier when it comes to having a proactive compliance program, where you're not simply reacting to incidents that may arise, but you're actually going out there and proactively helping yourself be compliant and protecting against any incidents. Just going to check out the Q&A to see if we've had any questions come up; maybe I can address them here. Alright. I see we have one question about how IP Fabric helps with incident management. Right? So when there are incidents, of course, we want to manage that incident, but then we also want to validate after the fact that there have been no ill effects that we don't know about in our network. So there are a few things that we can use IP Fabric for in this regard. Right? Once again, proactively validating our security policies to identify any drift in our policy application or segments, or drift from our intended state, to help us prevent these incidents from happening at all. But then once they do happen, which often can be inevitable, running an end-to-end path check like the one I just showed, importing a source and destination IP address and running that path check to have a quick analysis of where the problem is and what's changed. You know, you can compare that snapshot day three to day two to understand exactly what's changed in your network and quickly prevent any problems from going further afield. And then having that historical analysis. Right? Your network state is captured in these snapshots that you can go back to, and these can serve as your last known good state should you need to revert or restore the network to that last known good state. But also a lot of these compliance regulations, PCI included, do have language around being able to report on incidents that have happened in an accurate and complete way.
So having that tracked understanding of how your network looked at various points in time is very important. Okay. And just going to check if we have any more interactions. Yeah. It's a point two. Alright. Okay. So I thank you for coming and joining me to learn a little bit about PCI and some practical steps you can take. I do want to share just three takeaways that I really want you to have from this short but sweet webinar. I want you to remember that PCI compliance, or any compliance really, shouldn't be reactive or limited to just a few times a year when you have that scary audit. There are ways that you can make it continuous and automated so that you're not stressing. This automated approach is more accurate, saves time, definitely reduces stress, and minimizes the risk that you face. And it's not just for the networking team. Right? This benefit can be echoed across security, networking, and compliance teams for sure, and I'm sure they'll thank you, the network team, for it. And I just want to hammer home that the foundation of any successful network compliance program is a good baseline, or a good understanding of what the true state of your network is. So with IP Fabric as a single source of truth there, you gain the confidence, speed, and visibility to adhere to PCI, but also NIST, DORA, CIS Controls, whatever you are trying to adhere to. We know organizations are often adhering to up to six different sets of controls at a time, confidently. And I will give you another prompt: just go check out our chat and our docs, as we have a lot of great resources there available for you. If you have a topic you would like to request for a webinar for us to demo or dive deeper into, do let us know. We have our free trial link there, and we do have our compliance matrix links there available as well, where you can see different information from IP Fabric and how it relates to each regulation. Right.
So thank you so much for your time. I truly appreciate it. This has been Christine from the IP Fabric product marketing team. Bye bye.
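As an added illustration that is not part of the webinar and not IP Fabric's own code or API, the inventory checks the talk describes in plain Python: reconciling a discovery snapshot against a CMDB to surface unmanaged neighbours (the "all system components" point of requirement 2), diffing two daily snapshots for drift, and flagging devices past end of support as input to the 12-month technology review of requirement 12.3.4. All hostnames, addresses, and dates are constructed sample data.

```python
# Constructed example: reconcile a discovery snapshot against a CMDB and diff
# two daily snapshots. Not IP Fabric code; device data and dates are made up.
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    hostname: str
    site: str
    mgmt_ip: str
    end_of_support: Optional[date]  # None when the vendor has not announced one


# What the CMDB believes is on the network (constructed).
CMDB: Set[str] = {"core-sw1", "fw-edge1", "dist-sw1", "ap-lobby"}

# What discovery actually saw on two consecutive days (constructed).
SNAPSHOT_DAY2: List[Device] = [
    Device("core-sw1", "hq", "10.0.0.1", date(2027, 6, 30)),
    Device("fw-edge1", "hq", "10.0.0.2", date(2025, 1, 31)),
    Device("dist-sw1", "hq", "10.0.1.1", None),
    Device("sw-closet7", "hq", "10.0.7.1", None),  # unmanaged neighbour, absent from CMDB
]
SNAPSHOT_DAY3: List[Device] = SNAPSHOT_DAY2 + [
    Device("ap-branch3", "branch", "10.3.0.5", None),  # appeared overnight
]
TODAY = date(2025, 10, 1)  # as-of date for the report (constructed)


def unmanaged_devices(snapshot: Iterable[Device], cmdb: Set[str]) -> List[str]:
    """Discovered devices the CMDB does not know about: security configuration
    pushed from the CMDB never reaches them (requirement 2, 'all components')."""
    return sorted(d.hostname for d in snapshot if d.hostname not in cmdb)


def stale_cmdb_records(snapshot: Iterable[Device], cmdb: Set[str]) -> List[str]:
    """CMDB entries with no live device behind them."""
    return sorted(cmdb - {d.hostname for d in snapshot})


def snapshot_diff(old: Iterable[Device], new: Iterable[Device]) -> Tuple[List[str], List[str]]:
    """(added, removed) hostnames between two snapshots: day-to-day drift."""
    a, b = {d.hostname for d in old}, {d.hostname for d in new}
    return sorted(b - a), sorted(a - b)


def past_end_of_support(snapshot: Iterable[Device], today: date) -> List[str]:
    """Devices whose vendor support has lapsed; input to the annual review (req. 12.3.4)."""
    return sorted(d.hostname for d in snapshot
                  if d.end_of_support is not None and d.end_of_support < today)


def cmdb_gap_percent(snapshot: List[Device], cmdb: Set[str]) -> float:
    """Share of discovered devices the CMDB is missing (the talk's 'up to 20%' figure)."""
    return round(100.0 * len(unmanaged_devices(snapshot, cmdb)) / len(snapshot), 1)
```

Running the checks daily against each new snapshot turns the inventory requirement into a standing report rather than a once-a-year audit scramble.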