PCI DSS Requirement 1.3.6: Segregate the CDE from the DMZ

by KirkpatrickPrice / April 18th, 2017

What’s in PCI Requirement 1.3.6?

To meet PCI Requirement 1.3.6, your organization must not store cardholder data within the DMZ. PCI Requirement 1.3.6 states, “Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.” PCI Requirement 1.3.6 also says, “Examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ and other untrusted networks.”

Jeff Wilder Discusses PCI DSS Requirement 1.3.6, Segregating the CDE from the DMZ.
The purpose and intent behind PCI Requirement 1.3.6 is to move cardholder data into an internal and secure environment, as opposed to the DMZ. Your organization has already spent so much time hardening the assets and networks within your environment, and if cardholder data exists within the DMZ, all of that work is diminished. PCI DSS states, “If cardholder data is located within the DMZ, it is easier for an external attacker to access this information, since there are fewer layers to penetrate. Securing system components that store cardholder data in an internal network zone that is segregated from the DMZ, and other untrusted networks, by a firewall can prevent unauthorized network traffic from reaching the system component.”

If your organization is storing cardholder data within your DMZ, assessors must examine the means and methods for moving that data into the internal environment. We often see issues with this when organizations have an SFTP server or web server in the DMZ that is processing data. We recommend that you map a drive to your SFTP server or web server so that, when the data comes in, rather than writing it to the local system within the DMZ, you write it into the corporate environment or into a server that resides within the cardholder data environment (CDE).
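The testing procedure quoted above ("examine firewall and router configurations to verify that system components that store cardholder data are on an internal network zone, segregated from the DMZ") can be turned into a repeatable check. The script below is an added example, not code from KirkpatrickPrice or from the PCI DSS; it models network zones, a component inventory and an allow-list firewall ruleset as simple Python data (all sample addresses, component names and rules are constructed, and the "default deny" rule model is an assumption). It reports two things: components that store cardholder data but sit outside an internal zone, and allow rules that let the Internet or the DMZ reach a cardholder-data store. The sample inventory deliberately includes the DMZ SFTP server case the article describes, where files land on the local disk of a DMZ host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample zones: (network, is_internal). Only internal zones may
# hold components that store cardholder data (CHD).
ZONES = {
    "internet": (ip_network("0.0.0.0/0"), False),
    "dmz": (ip_network("172.16.10.0/24"), False),
    "corp": (ip_network("10.10.0.0/16"), True),
    "cde": (ip_network("10.20.0.0/24"), True),
}


@dataclass(frozen=True)
class Component:
    name: str
    ip: str
    stores_chd: bool  # anything written to disk, even briefly, counts as stored


@dataclass(frozen=True)
class Rule:
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: str  # TCP port as a string, or "any"


def zone_of(ip: str) -> str:
    """Longest-prefix match, so 0.0.0.0/0 only wins when nothing else does."""
    addr = ip_address(ip)
    best = max((net.prefixlen, name) for name, (net, _) in ZONES.items() if addr in net)
    return best[1]


def source_zone(cidr: str) -> str:
    """Zone a rule's source belongs to; a source wider than any single zone is
    treated as Internet-scale."""
    net = ip_network(cidr)
    zone = zone_of(str(net.network_address))
    return zone if net.subnet_of(ZONES[zone][0]) else "internet"


def find_misplaced_chd_stores(components):
    """Placement test: CHD stores that are not in an internal zone."""
    return sorted(c.name for c in components
                  if c.stores_chd and not ZONES[zone_of(c.ip)][1])


def find_exposed_chd_stores(components, rules):
    """Firewall test: allow rules that let an untrusted zone reach a CHD store.
    Returns (component, "src->dst/port", severity). Severity is "fail" for an
    Internet source or an any-port rule, and "review" for a narrow DMZ rule
    that still needs a documented business justification."""
    findings = []
    stores = [c for c in components if c.stores_chd]
    for r in rules:
        zone = source_zone(r.src)
        if ZONES[zone][1]:
            continue  # internal-to-internal traffic is out of scope for this check
        dst = ip_network(r.dst)
        for c in stores:
            if ip_address(c.ip) in dst:
                severity = "fail" if zone == "internet" or r.port == "any" else "review"
                findings.append((c.name, f"{r.src}->{r.dst}/{r.port}", severity))
    return findings


def assess(components, rules):
    return {
        "misplaced": find_misplaced_chd_stores(components),
        "exposed": find_exposed_chd_stores(components, rules),
    }


# Constructed inventory: the SFTP server in the DMZ lands files on local disk,
# so it is a CHD store in the wrong zone.
SAMPLE_COMPONENTS = [
    Component("web-dmz-01", "172.16.10.5", stores_chd=False),
    Component("sftp-dmz-01", "172.16.10.6", stores_chd=True),
    Component("db-cde-01", "10.20.0.20", stores_chd=True),
]

# Constructed allow-list; anything not listed is assumed to be denied.
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "172.16.10.5/32", "443"),
    Rule("0.0.0.0/0", "172.16.10.6/32", "22"),
    Rule("172.16.10.5/32", "10.20.0.20/32", "5432"),
    Rule("172.16.10.6/32", "10.20.0.0/24", "any"),
    Rule("10.10.0.0/16", "10.20.0.20/32", "5432"),
]

if __name__ == "__main__":
    for key, items in assess(SAMPLE_COMPONENTS, SAMPLE_RULES).items():
        print(key, items)
```

Run against the sample data, the placement test flags `sftp-dmz-01`, and the firewall test flags the Internet-to-SFTP rule and the any-port DMZ-to-CDE rule as failures while marking the narrow web-to-database rule for review. In practice the component list comes from the scoping inventory and the rules from exported firewall configuration; the point is that "stores cardholder data" is decided by whether data ever touches persistent storage on that host, not by what the host is called.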

PCI DSS Requirement 1.3.6

PCI DSS Requirement 1.3.6 requires that we do not store cardholder data within the DMZ. The purpose and intent behind this particular requirement is that we’ve spent all this time within your environment hardening your assets, hardening the network, and doing everything we can to prevent the attack from getting any access to that asset. So if you’re storing cardholder data within your DMZ, we need to look at the means and methods for moving it into the internal environment.

A lot of times where we see issues with this is when organizations have an SFTP server or web server that might be processing data. When we talk about storage, we’re talking about persistent storage, meaning that if you’ve written it to hard drive, even for a millisecond, it’s considered stored. So what we would recommend that you do is take an opportunity to perhaps map a drive to your SFTP server or your web server, and when that data comes in, rather than writing it to the local system within the DMZ, write that data into the corporate environment or write it into a server that resides within the CDE.