
USE CASE: Simplify PCI Compliance With Network Segmentation
Business Drivers

Fines for Non-Compliance: Organizations that allow their customers to pay with credit cards must meet or exceed PCI DSS requirements. Credit card institutions may levy fines as a penalty for noncompliance and propose a timeline of increasing fines. Cardholder breaches can result in the following types of losses for a merchant:
- $50-$90 fine per compromised cardholder data record
- Suspension of credit card acceptance by a merchant's credit card account provider
- Loss of reputation with customers, suppliers and partners
- Possible civil litigation from breached customers
- Loss of customer trust, which affects future sales

Business Problem
Establishing, maintaining and demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a necessity for all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).1 With approximately three hundred individual requirements to address, organizations subject to the standard have their work cut out for them.

SPOTLIGHTS
Industry: All
Use Case: Simplify PCI Compliance with Network Segmentation
PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover and JCB.
With global losses from payment card fraud exceeding $16.31 billion in 2014, the need
for the PCI DSS has never been more apparent.2 According to a poll in the Wall Street
Journal, 45 percent of Americans say they or a household member had been notified by a
card issuer, financial institution or retailer that their credit card information had possibly
been stolen as part of a data breach.3
Offsetting the value of the PCI security standards, however, are a handful of related
challenges. These include the substantial amount of effort and investment required
to achieve compliance in the first place, along with the unfortunate reality that being
compliant does not necessarily translate into an organization being adequately defended
against advanced cyberattacks.
Substantial Effort Required
For all system components included in or connected to the Cardholder Data Environment (CDE), organizations must comply with more than three hundred requirements. It is in every organization's best interest, therefore, to take advantage of the network segmentation provisions stated in the PCI DSS to effectively isolate their CDE and thereby decrease the amount of infrastructure that is considered in scope. Doing so not only decreases the cost and complexity of PCI compliance in several predictable ways but also has the potential to deliver additional operational and security benefits. For example, when armed with an appropriate solution, organizations can use network segmentation to:
- Reduce both the number of system components that must be brought into compliance in the first place and any derivative impact doing so might have (such as the need to re-architect portions of the network or re-design certain applications and systems).

1. PCI DSS v3.1, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
2. Verizon 2015 PCI Compliance Report, http://www.verizonenterprise.com/resources/report/rp_pci-report-2015_en_xg.pdf
3. "Poll Shows Broad Impact of Cyberattacks," Wall Street Journal, December 2014

Palo Alto Networks | Use Case l Simplify PCI Compliance With Network Segmentation 1

- Reduce the number of system components that must be maintained in compliance, both on a regular basis and whenever the PCI requirements are updated.
- Reduce the number of system components and processes that must be periodically audited to demonstrate compliance.
- Reduce and simplify management of the policies, access control, and threat prevention rules that apply to the CDE.
- Reduce troubleshooting and forensic analysis effort by narrowing the scope of related investigations.
- Greatly improve the organization's ability to contain and limit the spread of threats.

Traditional Approaches
A flat network casts a wide scope of compliance: Organizations that do not isolate their PCI devices, like point-of-sale (POS) devices, credit card-processing workstations and servers, typically face more challenges during their periodic PCI assessments compared to those that segment PCI devices. Any network segment that processes or transmits unencrypted credit card information must meet all PCI DSS requirements. In a flat, unsegmented network, the entire network is in scope for the PCI DSS.
VLANs were designed for traffic management, not security: Your Qualified Security Assessor (QSA) will likely agree that VLANs and ACLs do not provide the necessary security controls to meet PCI requirements and are extremely difficult to manage at enterprise scale. VLANs were designed for traffic management and, alone, are not capable of enforcing the control of privileged information. Alternative security options, like legacy port-based firewalls, also fail in this regard because they are indiscriminate about the traffic that's allowed through and do not provide the necessary visibility or controls into the actions of the users for a segment. For example, there is no way to determine which applications are being used, which data is being accessed, or if specific users are allowed to be in a particular segment in the first place.
It is not sufficient to merely meet PCI requirements: By its own admission, the PCI DSS provides a baseline of technical and operational requirements for protecting cardholder data. Not only do the specified countermeasures represent a minimum standard of due care, but also, as a result of the now three-year period between revisions, they often lag behind significant changes to the technology and threat landscapes.
One self-acknowledged example of this situation is provided by the requirement to deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) in PCI DSS section 5.1. In this case, the DSS explicitly mentions the consideration of "additional anti-malware solutions" as a supplement to the anti-virus software, presumably in recognition of the poor track record such software has at stopping modern, polymorphic malware and zero-day exploits.
A second example comes from the requirement to implement stateful inspection technology as part of the solution to prohibit direct public access between the internet and any system component in the cardholder data environment in PCI DSS section 1.3.6. Verizon's commentary on this requirement says it all: "The DSS still specifies stateful-inspection firewalls, first launched in 1994. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering next generation firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules."4
Specific examples aside, the key point to realize here is that it's typically necessary, if not imperative, for security and compliance teams to go above and beyond the DSS requirements in order to establish a security architecture that more effectively addresses modern and emerging threats and more closely aligns with their organization's tolerance for risk.

Palo Alto Networks Approach

Description:
Unlike traditional solutions, Palo Alto Networks Next-Generation Security Platform natively classifies all traffic, regardless of port, protocol, or encryption. This complete visibility into network activity allows customers to substantially reduce their attack surface, block all known threats with an integral threat prevention engine, and quickly discover and protect against unknown threats using the WildFire cloud-based malware analysis service. Next-generation endpoint security capable of stopping unknown threats and automated coordination among the natively integrated solution components complete the picture. The net result is a truly innovative platform that delivers maximum protection for an organization's entire computing environment while greatly reducing the need for costly human intervention and remediation.

Figure 1: Palo Alto Networks Next-Generation Security Platform (Threat Intelligence Cloud, Next-Generation Firewall and Advanced Endpoint Protection; natively integrated, automated, extensible)

4. http://www.verizonenterprise.com/pcireport/2015/


Robust Network Segmentation


The Palo Alto Networks security platform uniquely ensures isolation of an organization's cardholder data environment with a robust set of natively integrated security capabilities, including:
- Control of all traffic at the application level (Layer 7 of the OSI model): At the heart of our platform, innovative App-ID technology accurately identifies and classifies all traffic by its corresponding application, regardless of ports and protocols, evasive tactics such as port hopping, or encryption. In highly sensitive or specialized zones of the network, like the CDE, this provides the best possible control by allowing security administrators to deny all traffic except the few applications that are explicitly legitimate.
- Least-privilege access control across the network: Along with App-ID, User-ID and Content-ID enable organizations to tightly control access to the CDE based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, the actual identity of individual users and groups, and the specific elements of data being accessed (e.g., credit card or social security numbers). The result is a definitive implementation of least-privilege access control where administrators can create straightforward security rules to allow only the absolute minimum, legitimate traffic in the zone while automatically denying everything else.
- Advanced threat protection: A combination of anti-virus/anti-malware, intrusion prevention, and advanced threat prevention technologies (Content-ID and WildFire) filter all allowed traffic for both known and unknown threats.
- Flexible data filtering: Administrators can allow necessary applications yet still block unwanted file transfer functionality, block unwanted file types, and control the transfer of sensitive data such as credit card numbers or custom data patterns in application content or attachments.
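What the data-filtering bullet above amounts to in practice, as an added example that is not Palo Alto Networks code: a payload scanner that finds candidate primary account numbers (PANs), keeps only those that pass the Luhn check, masks them for logging and returns a block/allow decision. The regular expression, the helper names and the sample payloads are constructed for illustration; the two card numbers are the public Visa and American Express test numbers.

```python
# Added example, not Palo Alto Networks code: a minimal content filter of the
# kind the "flexible data filtering" bullet describes. Thresholds, helper names
# and the sample payloads below are illustrative assumptions.
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check (ISO/IEC 7812-1): double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list:
    """Return the PAN-like numbers in payload that pass Luhn, with separators stripped."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3-style display masking: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def filter_decision(payload: str, max_pans: int = 0) -> dict:
    """Block when more PANs than allowed are present; report masked values for the log."""
    pans = find_pans(payload)
    return {"action": "block" if len(pans) > max_pans else "allow",
            "pans": [mask_pan(p) for p in pans]}


# Constructed sample payloads (card numbers are the public Visa and Amex test numbers).
SAMPLE_BLOCKED = "order=42&card=4111 1111 1111 1111&exp=12/27"
SAMPLE_ALLOWED = "tank=3 reading=1234567890123456 ts=1431000000"   # 16 digits, fails Luhn
SAMPLE_AMEX = "pan:378282246310005"

if __name__ == "__main__":
    for p in (SAMPLE_BLOCKED, SAMPLE_ALLOWED, SAMPLE_AMEX):
        print(filter_decision(p))
```

The Luhn check is what separates a PAN from an arbitrary 16-digit field (a tank reading or a timestamp, as in the second sample), and it is why a pure digit-count pattern would block far too much. Roughly one random number in ten still passes Luhn, which is why a production data pattern is usually paired with surrounding context such as a "card" or "pan" field name, as the first sample has.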
Figure 2: Comparison of flat versus segmented network. Left, a non-segmented network using ACLs: cardholder servers, infrastructure servers, development servers, end-user workstations and the WAN and Internet connection are all on one network, so all servers and associated traffic may fall within the scope of PCI audit. Right, a segmented network with Palo Alto Networks isolates cardholder data in a PCI Zone: access to the PCI Zone is limited to finance users based on User-ID (i.e., Active Directory security groups) and App-ID (i.e., limiting internal and internet applications), and the scope of PCI audit is reduced to the cardholder segment and finance users.


The Security Platform Helps Meet and Exceed Multiple Requirements
Reducing the scope of compliance with effective network segmentation is only one way the Palo Alto Networks platform supports organizations in their efforts to achieve PCI compliance. It also helps by addressing many of the individual requirements specified in the DSS, as detailed in Appendix 1.

Did you know? Traps Advanced Endpoint Protection helps you fulfill two PCI requirements:
- PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs. Traps advanced endpoint protection is an innovative endpoint protection technology that prevents exploits and malware, both known and unknown, and exceeds the original PCI DSS requirement, resulting in a much stronger security and compliance posture.
- PCI DSS Requirement 6: Develop and maintain secure systems and applications. Palo Alto Networks customers have reported that their PCI QSA approved the use of the Traps Exploits Prevention feature as a compensating control for systems that cannot be patched in a timely manner.

Business Benefits of Exceeding PCI Compliance Using the Next-Generation Security Platform
Several examples have already been provided where the Palo Alto Networks platform goes above and beyond PCI DSS requirements to deliver the greater levels of protection today's organizations need, including:
- Reduced scope of compliance by isolating PCI devices. The Next-Generation Firewall controls the flow of information within the CDE zone based on the principle of least privilege to block/deny all users, applications and content except that which is absolutely necessary.
- Reduced exposure to attack of networked systems from known/unknown attacks, malware and vulnerabilities. The Next-Generation Firewall, Threat Intelligence Cloud, and Advanced Endpoint Protection are natively integrated to ensure that threats are quickly identified at all threat vectors into your network and stopped.
- Empower your security team with greater visibility. Native integration within the security platform empowers your security team to quickly identify the important data points that require attention.

Another way our solution delivers next-generation protection that exceeds the DSS's baseline requirements is by providing extensive information sharing and coordination among elements of the platform. For example, new protections developed from WildFire's real-time threat intelligence are automatically distributed to our customers' systems within as little as five minutes. The net result of natively integrated threat prevention capabilities is a closed-loop architecture that delivers unparalleled threat response without the need for manual and time-consuming interventions by an already overwhelmed security team.

We Need Better Firewalls
"One of the criticisms that we made of DSS 3.0 in our 2014 report is that it still refers to stateful-inspection firewalls, a technology that most security professionals consider outdated. Malware and hacker attacks that can bypass stateful-inspection access controls have been common for nearly a decade. While other security standards have moved on, PCI DSS has not. [...] Their ability to monitor activity at the application level, deal with the explosive growth in the number of devices, and block increasingly sophisticated threats make next-generation firewalls a must-have."
Verizon 2015 PCI Compliance Report

Architectural Vision
Architecture Considerations:
As you plan your PCI segmentation strategy, it is important to understand the types of devices that will be considered in scope versus out of scope for PCI DSS compliance. The following are some examples of device types that may exist in your environment:

Typically in scope for PCI:
- Tablet/Mobile POS: Merchants who collect credit card payments via wireless tablets or mobile devices may consider such devices as in scope.
- POS PC: PCs or registers used as points of sale may be considered in scope.
- POS Server: Servers that receive credit card data from POS devices and either transmit or store such data may be considered in scope.
- Phone: If you collect credit card numbers over the phone, phones may be considered in scope.

Typically out of scope for PCI:
- Barcode Scanner: These devices typically do not process credit card transactions and hence are usually out of scope.
- Laptop/Office PC: Mobile wireless laptops used in departments that do not process credit card numbers are usually considered out of scope.
- Other Non-POS Server: Servers that do not process credit card numbers are usually considered out of scope.


Reference Architecture
The PCI Reference Architecture below outlines recommended zones of isolation for merchants, regardless of the size of the organiza-
tion. Security zones are logical containers for physical interfaces, VLANs, IP address ranges, or a combination thereof. The switch and
next-generation firewall icons in the diagram indicate the flexibility of using one, the other, or a combination of both types of devices to
enforce isolation all the way to the Ethernet jack, or access point.

Figure 3: PCI Reference Architecture. In scope for PCI: Tablet/Mobile POS devices (via an access point) in ZONE: Wireless POS; POS PCs and POS Servers in ZONE: POS; Phones in ZONE: Voice. Out of scope for PCI: Barcode Scanners and Laptops (via an access point) in ZONE: Wireless Data; Office PCs and Non-POS Servers in ZONE: Data. All zones terminate on the switch and the Next-Generation Firewall, which connect through the router to the Data Center/WAN.

Implementation Overview
Products required:
Next-Generation Firewall
Threat Prevention Subscription
WildFire Subscription

How you will do it:


Determine the deployment method(s) you will use to insert next-generation firewalls into your environment:
Palo Alto Networks next-generation firewalls offer Layer 1 (Virtual Wire), Layer 2, and Layer 3 deployment modes on a single hardware appliance, along with networking features like static and dynamic routing capabilities, 802.1Q VLANs, trunked ports, and traffic shaping. These capabilities allow network engineers to insert the network security platform into any existing architectural design without requiring any configuration changes to surrounding or adjacent network devices.
The network security platform can sit in-line in front of or behind existing security appliances. Additionally, it can be deployed to
connect two or more networks together, bridge Layer 2 and Layer 3 networks, or provide full routing and connectivity of all networks
and sub-networks across the organization. Palo Alto Networks also offers the VM-Series next-generation firewalls in virtual form factor,
providing network segmentation within a virtualized server infrastructure.
Multiple management domains (see Figure 1) can be accommodated by taking advantage of the virtual systems capability that enables
separate, isolated Zero Trust virtual instances on a physical appliance. Virtual systems allow you to segment the administration of all
policies (security, NAT, QoS, etc.) as well as all reporting and visibility functions.


Figure 4: Segmented network with Palo Alto Networks isolates cardholder data (WAN and Internet; Palo Alto Networks next-generation firewall; PCI Zone containing the cardholder servers; Finance Users; Infrastructure Servers; Development Servers)

Next, define your PCI zones. Don't worry, it's pretty straightforward.
Security zones are logical containers for physical interfaces, VLANs, IP address ranges, or a combination thereof. Security zones are
utilized in next-generation firewall security policies to clearly identify one or more source and destination interfaces on the platform.
Each interface on the firewall must be assigned to a security zone before it can process traffic. This allows organizations to create
security zones to represent different segments being connected to, and controlled by, the firewall. For example, security administrators
can allocate all cardholder or patient data repositories in one network segment identified by a security zone (like the Cardholder Data
Environment or CDE Zone). Then the administrator can craft security policies that only permit certain users, groups of users, specific
applications, or other security zones to access the CDE zone thereby preventing unauthorized internal or external access to the data
stored in that segment.

Figure 5: Options available when you select Create a Zone


Figure 5 shows the options available when you select Create a Zone. You need to associate the zone with at least one interface, and select the Zone Protection Profile and Log Setting options. If you want to restrict or block access to the zone by IP ranges, you can complete the ACL options on the right side.
Once you've created your PCI zone, you need to define rules to allow or block access to it. Figure 6 shows an example of how easy it is for administrators to define straightforward rules to control access to zones:
- The first rule, titled PCI, allows users in the Users zone who are in the Finance Active Directory security group to access the Oracle application in the CC_Servers zone.
- The second rule blocks any other users from accessing the CC_Servers zone and logs them.

Figure 6: Two example rules to isolate and protect cardholder data in CC_Servers Zone

Figure 7: Step-by-step screenshots showing creation of two rules to isolate and protect cardholder data in a PCI Zone
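The two rules above, together with the flat-versus-segmented comparison in Figure 2 and the "flat network casts a wide scope" point under Traditional Approaches, can be worked through with a small model. This is an added example, not Palo Alto Networks code or PAN-OS syntax: the rulebase is evaluated first-match with an implicit interzone deny, as the text describes, and PCI scope is then derived as every zone and user group whose traffic the rulebase allows to or from the CDE. Users, CC_Servers, the Finance group and the Oracle application come from the page; the zones Dev_Servers and Infra_Servers, the Engineering group and the ssh and web-browsing applications are assumptions.

```python
# Added example, not Palo Alto Networks code or PAN-OS syntax. Models the two
# Figure 6 rules as a first-match rulebase with an interzone default deny and
# derives PCI scope from what the rulebase allows. Names other than Users,
# CC_Servers, Finance and oracle are assumptions.
from dataclasses import dataclass
from itertools import permutations, product


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    user_group: str   # group the user resolves to (User-ID); one group per flow here
    app: str          # application the traffic is classified as (App-ID)


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str          # "any" matches every zone
    to_zone: str
    user_groups: frozenset  # empty = any user
    apps: frozenset         # empty = any application
    action: str             # "allow" or "deny"
    log: bool = True

    def matches(self, f: Flow) -> bool:
        return (self.from_zone in ("any", f.src_zone)
                and self.to_zone in ("any", f.dst_zone)
                and (not self.user_groups or f.user_group in self.user_groups)
                and (not self.apps or f.app in self.apps))


def evaluate(rules, flow):
    """First matching rule wins; a flow matching nothing hits the implicit
    interzone default deny (intrazone traffic is not modelled)."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return "deny", "interzone-default"


def pci_scope(rules, zones, cde_zones, user_groups, apps):
    """A zone that can exchange any allowed traffic with a CDE zone is
    'connected to' the CDE and therefore in scope; the same goes for the user
    groups whose traffic is allowed in. Exhaustive over the small enumeration."""
    scope_zones, scope_groups = set(cde_zones), set()
    for (src, dst), g, a in product(permutations(zones, 2), user_groups, apps):
        if src not in cde_zones and dst not in cde_zones:
            continue
        if evaluate(rules, Flow(src, dst, g, a))[0] == "allow":
            scope_zones.update((src, dst))
            scope_groups.add(g)
    return {"zones": scope_zones, "user_groups": scope_groups}


# Constructed environment: four zones, two AD groups, three applications.
ZONES = ("Users", "CC_Servers", "Dev_Servers", "Infra_Servers")
CDE = {"CC_Servers"}
GROUPS = ("Finance", "Engineering")
APPS = ("oracle", "ssh", "web-browsing")

# The two Figure 6 rules, in order; everything else falls to the interzone default deny.
SEGMENTED = (
    Rule("PCI", "Users", "CC_Servers", frozenset({"Finance"}), frozenset({"oracle"}), "allow"),
    Rule("Block-CDE", "any", "CC_Servers", frozenset(), frozenset(), "deny"),
)
# A flat network with a permissive ACL, for the Figure 2 comparison.
FLAT = (Rule("permit-any", "any", "any", frozenset(), frozenset(), "allow"),)

if __name__ == "__main__":
    for f in (Flow("Users", "CC_Servers", "Finance", "oracle"),
              Flow("Users", "CC_Servers", "Finance", "ssh"),
              Flow("Dev_Servers", "CC_Servers", "Engineering", "oracle")):
        print(f, "->", evaluate(SEGMENTED, f))
    print("segmented scope:", pci_scope(SEGMENTED, ZONES, CDE, GROUPS, APPS))
    print("flat scope:     ", pci_scope(FLAT, ZONES, CDE, GROUPS, APPS))
```

Swapping FLAT for SEGMENTED is the Figure 2 comparison in one call: with a permit-any ACL every zone and every group ends up connected to the CDE, while the two-rule policy leaves only CC_Servers and the Finance users in scope. Rule order matters: placing Block-CDE above PCI would shadow the allow rule and cut Finance off as well.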


Actual Customer Deployment: Deploying NGFW in Layer 3 Mode to Reduce Scope of PCI Compliance

[Diagram: non-POS devices (Internal Zone, VL90) and POS devices (PCI Zone, VL170) connect through distribution switches to the core switches; two PA-7050s in L3 mode hang off the distribution layer; an edge PA-5050 in L3 mode sits between the core and the public routers to the Internet.]

ZONE          VLAN(s)  Description
Internal Zone VL90     Internal Zone includes VL90, which contains all non-POS devices
PCI Zone      VL170    PCI Zone contains VL170, which contains all POS devices

The above diagram shows how an actual customer, a hospital, deployed next-generation firewalls to isolate point-of-sale devices from
the rest of their network and effectively reduce the scope of compliance to include only the devices within the PCI Zone.
The customer architecture incorporates two redundant PA-7050s in Layer 3 mode hanging off a Cisco distribution switch. A PCI zone
is configured in the NGFW to include VL170, which contains all the POS devices. The customer used several other zones to isolate
various devices on their network, but for simplicity, we will only show the internal and PCI zones. The internal zone is configured in the
NGFW to include VL90, which is the primary internal network where non-POS devices connect. Traffic between the internal and PCI
zones is controlled by a PCI Security Policy defined in PAN-OS.

Actual Customer Deployment: Using GlobalProtect, VM-Series NGFW, and AWS to Reduce the Scope of PCI Compliance

[Diagram: fueling stations (the customer's clients, with self-managed IT) at Location 1, Location 2 and Location 3, each with an OSP Windows PC running GlobalProtect (GP), connect to GlobalProtect Gateways in the Amazon Web Services Virtual Private Cloud (East Region and West Region) and a VM-Series NGFW in AWS. GP policies defined in the NGFW allow GP diagnostics to pass but block cardholder data from entering the customer's on-premise data center, where data collection servers analyze diagnostic info from the OSPs. Label: "Cardholder Data Blocked".]
The above diagram shows how an actual customer, providing fuel management system monitoring services, deployed GlobalProtect and
VM-Series virtualized next-generation firewalls into Amazon Web Services (AWS) to prevent cardholder data from entering their own
network and, hence, removed their network from the scope of PCI.
The customer monitors underground tanks and lines at thousands of retail fuel stations across the U.S. Using advanced statistical analy-
sis and system diagnostics, the company ensures the accuracy of all consumption readings and proactively identifies tank systems at risk
of leaks, illegal siphoning, or other potentially hazardous situations. The customer installs remote data collection devices on each fuel station's local network. These devices are minimally configured network appliances called on-site processors (OSPs). The OSPs collect data from every dispenser, tank and line at the station and transmit it back to the customer's data center for analysis and reporting.
The customer architecture incorporates virtual GlobalProtect Gateways in AWS for geographical optimization (one for the East region,
one for the West) and a VM-Series NGFW to block threats and cardholder data from entering their network. By preventing cardholder
data from entering their own network, they excluded their data center from the scope of PCI compliance.


Advice and Next Steps


No single vendor or solution can provide complete compliance with the Payment Card Industry Data Security Standard. What merchants
require instead is a thorough set of policies, processes and practices including network segmentation supported by an essential set
of technological countermeasures to enforce them. Regardless of how you choose to implement Palo Alto Networks Next-Generation
Security Platform in your environment, you can be sure that the flexibility of integration options will facilitate a smooth implementation
of controls that help you meet and exceed PCI DSS requirements.
Now that you understand what's involved as you prepare to deploy Palo Alto Networks Next-Generation Firewall to enhance your PCI compliance, go ahead and get started:
PAN-OS Administrators Guide
https://www.paloaltonetworks.com/documentation

Customer References:

"Palo Alto Networks provides exactly what CRHC was looking for. While the original reason for looking at Palo Alto Networks was PCI compliance, which has been achieved, the benefits provided far exceed compliance."

"Partitioning the network and the PCI area specifically was one of the reasons behind the selection of Palo Alto Networks. It enabled the company to manage this aspect autonomously without the need for assistance of specialists, leaving these free to support Europ Assistance during the certification stage."

"Palo Alto Networks enabled us to achieve PCI compliance and secure the key data of our customers at approximately 10-15% less in costs."


Appendix

PCI Security Requirements Supported by the Palo Alto Networks Next-Generation Security Platform
The Palo Alto Networks platform supports many of the 300 individual requirements specified in the PCI DSS, as itemized in the following tables. All references made in this paper to specific requirements are based on PCI DSS version 3.1.

Compliance Capabilities (Figure 8: Next-Generation Security Platform PCI DSS compliance capabilities; columns for Next-Gen Firewall, WildFire and Traps)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a security policy that addresses information security for all personnel


Appendix 1: PCI Security Requirements Supported by the Palo Alto Networks Next-Generation Security Platform

SUPPORTED SUB-
PCI DSS REQUIREMENT REQUIREMENTS DESCRIPTION OF CAPABILITIES

Requirement 1: 1.2, 1.2.1, 1.2.3, 1.3, The Palo Alto Networks portfolio of hardware and virtual next-generation
Install and maintain a firewall 1.3.1, 1.3.2, firewalls enables definitive least-privileged access control (i.e., deny all
configuration to protect 1.3.3, 1.3.4, 1.3.5, applications, users and content except for that which is necessary) for
cardholder data 1.3.6, 1.3.7, all networks involving cardholder data. Palo Alto Networks supports all
1.3.8 sub-requirements pertaining to DMZ implementations intended to prohibit
direct public access between the internet and any CDE system.

Requirement 2: 2.3 The intent behind Requirement 2 is to implement sufficient preventive


Do not use vendor-supplied controls to reduce the attack surface. These controls include changing
defaults for system passwords and vendor passwords; enabling only necessary services, protocols and
other security parameters daemons; and removing unnecessary functionality, such as scripts, drivers,
features, subsystems, file systems, and web servers. For a relatively complex
cardholder data environment, there are potentially thousands of instances
in which unnecessary services, unnecessary functionality, and insecure
services could operate.

Traps provides an automated preventive control capability to reduce risks


associated with threat vectors or attack points. The unique approach
employed by Traps ensures that, even if unnecessary services are running,
vulnerabilities in those services cannot be exploited. Traps will block the
exploit technique and prevent any malicious activities from occurring.
Insightful forensics evidence is collected to support incident response
processes or further investigative activities. With Traps operating in the
CDE, organizations can reduce their risk to a level more in-line with the
business risk tolerance position.

Requirement 3: n/a This requirement focuses on reducing the amount of cardholder data stored
Protect stored cardholder data and ensuring that stored data is appropriately masked and encrypted.
Encryption alone does not protect against malware that scrapes the
unencrypted cardholder data from memory. Traps prevents exploits and
malware from launching malicious code that would try to compromise
encryptions keys or cardholder data. If key management processes do break
down, Traps provides an effective compensating control for PCI DSS
Section 3.6.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Supported sub-requirements: 4.1, 4.2
Description of capabilities: Standards-based IPsec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either a TLS- or IPsec-protected connection. With its unique application, user and content identification technologies, the Palo Alto Networks platform is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies (e.g., email, instant messaging, and chat) down to the level of individual functions (e.g., allow messages but disallow attachments and file transfers).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Supported sub-requirements: n/a
Description of capabilities: The Palo Alto Networks security platform includes advanced endpoint protection that provides a much-needed complement to legacy antivirus solutions, which are largely incapable of providing protection against unknown malware, zero-day exploits, and advanced persistent threats (APTs).

Requirement 6: Develop and maintain secure systems and applications
Supported sub-requirements: 6.6
Description of capabilities: As a fully application-aware solution, the Palo Alto Networks Next-Generation Security Platform is capable of preventing a wide range of application-layer attacks that have, for example, taken advantage of improperly coded or configured web apps.


Requirement 7: Restrict access to cardholder data by business need to know
Supported sub-requirements: 7.2, 7.2.1, 7.2.3
Description of capabilities: Granular, policy-based control over applications, users and content, regardless of the user's device or location, enables organizations to implement definitive, least-privileged access control that truly limits access to cardholder data based on business need to know, with deny-all for everything else. Tight integration with Active Directory and other identity stores, plus support for role-based access control, enables enforcement of privileges assigned to individuals based on job classification and function.

Requirement 8: Identify and authenticate access to system components
Supported sub-requirements: 8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6
Description of capabilities: Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smart cards.
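The lockout, idle-timeout and inactive-account rules listed in this row can be checked mechanically. The following is an added Python example, not Palo Alto Networks or PCI SSC code, that keeps per-user state for those three controls and shows how they interact (a correct password is still refused while the account is locked; an idle session expires and must be re-established). The thresholds (six failed attempts, 30-minute lockout, 15-minute idle timeout, 90 days of inactivity), the user names and the timeline are assumptions constructed for the example and are not taken from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Policy thresholds: constructed for this example, not values from the page.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVE_AFTER = timedelta(days=90)


@dataclass
class Account:
    failed: int = 0                               # consecutive failed logins
    locked_until: Optional[datetime] = None       # set while the account is locked out
    last_login: Optional[datetime] = None         # used for inactive-account culling
    session_last_seen: Optional[datetime] = None  # None means no live session


class AuthPolicy:
    """Per-user state for lockout, idle-timeout and inactivity checks."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def _account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Record a login attempt; returns 'ok', 'denied' or 'locked'."""
        acct = self._account(user)
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"       # refused even if the password is right
            acct.locked_until = None  # lockout expired: start counting afresh
            acct.failed = 0
        if password_ok:
            acct.failed = 0
            acct.last_login = now
            acct.session_last_seen = now
            return "ok"
        acct.failed += 1
        if acct.failed >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "denied"

    def touch(self, user: str, now: datetime) -> bool:
        """Activity on a session; False if it has already expired from idleness."""
        acct = self._account(user)
        if acct.session_last_seen is None:
            return False
        if now - acct.session_last_seen > IDLE_TIMEOUT:
            acct.session_last_seen = None  # expired: the user must log in again
            return False
        acct.session_last_seen = now
        return True

    def inactive_accounts(self, now: datetime) -> List[str]:
        """Accounts that never logged in, or not within INACTIVE_AFTER: candidates for removal."""
        return sorted(u for u, a in self.accounts.items()
                      if a.last_login is None or now - a.last_login > INACTIVE_AFTER)


def run_scenario() -> dict:
    """Constructed sequence of events exercising each rule."""
    t0 = datetime(2016, 9, 1, 9, 0, 0)
    policy = AuthPolicy()
    # six wrong passwords in quick succession: the sixth triggers the lockout
    alice = [policy.attempt("alice", False, t0 + timedelta(seconds=i)) for i in range(6)]
    alice.append(policy.attempt("alice", True, t0 + timedelta(minutes=1)))   # still locked
    alice.append(policy.attempt("alice", True, t0 + timedelta(minutes=31)))  # lockout over
    policy.attempt("bob", True, t0)
    bob = [policy.touch("bob", t0 + timedelta(minutes=10)),    # 10 min idle: fine
           policy.touch("bob", t0 + timedelta(minutes=31))]    # 21 min idle: expired
    policy.attempt("carol", True, t0 - timedelta(days=100))    # stale account
    policy.attempt("dave", False, t0)                          # never logged in
    return {"alice": alice, "bob": bob,
            "inactive": policy.inactive_accounts(t0 + timedelta(minutes=31))}


if __name__ == "__main__":
    print(run_scenario())
```

The scenario returns `alice` as five `denied` results, two `locked` results (the sixth failure and the correct password one minute later) and a final `ok` once the lockout has expired; `bob` as `[True, False]`; and `carol` and `dave` as the inactive accounts to cull.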

Requirement 9: Restrict physical access to cardholder data
Supported sub-requirements: n/a
Description of capabilities: n/a

Requirement 10: Track and monitor all access to network resources and cardholder data
Supported sub-requirements: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3
Description of capabilities: The Palo Alto Networks Next-Generation Security Platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and information management systems, such as Splunk).
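Writing log data to a syslog server only helps if the daily review called for here actually happens. As an added Python example (not Palo Alto Networks code; the `key=value` line format, host name, zone names, user names and addresses are constructed for this example and are not the PAN-OS syslog format), the script below parses a batch of firewall lines and pulls out the items a reviewer would look at first: repeated denied connections into the cardholder data zone, allowed administrative access into it, configuration commits, and high-severity threats aimed at it.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines for this example (not the PAN-OS syslog format).
SAMPLE_SYSLOG = """\
<14>Sep 01 09:00:01 fw1 TRAFFIC: action=allow src=10.1.2.3 dst=10.9.0.10 dport=443 from_zone=corp to_zone=cde user=alice app=ssl
<14>Sep 01 09:00:05 fw1 TRAFFIC: action=deny src=10.1.2.50 dst=10.9.0.10 dport=3389 from_zone=corp to_zone=cde user=bob app=ms-rdp
<14>Sep 01 09:00:09 fw1 TRAFFIC: action=deny src=10.1.2.50 dst=10.9.0.10 dport=3389 from_zone=corp to_zone=cde user=bob app=ms-rdp
<14>Sep 01 09:00:15 fw1 TRAFFIC: action=deny src=10.1.2.50 dst=10.9.0.11 dport=22 from_zone=corp to_zone=cde user=bob app=ssh
<14>Sep 01 09:02:30 fw1 TRAFFIC: action=allow src=10.1.2.77 dst=10.9.0.11 dport=22 from_zone=corp to_zone=cde user=carol app=ssh
<14>Sep 01 09:03:00 fw1 TRAFFIC: action=deny src=10.1.5.9 dst=10.9.0.10 dport=445 from_zone=corp to_zone=cde user=dave app=smb
<14>Sep 01 09:10:00 fw1 CONFIG: admin=jsmith action=commit result=succeeded
<14>Sep 01 09:12:44 fw1 THREAT: action=block severity=high src=203.0.113.7 dst=10.9.0.10 from_zone=untrust to_zone=cde name=constructed-signature-name
"""

# <PRI>Mon DD hh:mm:ss host KIND: key=value key=value ...
LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<kind>[A-Z]+): (?P<body>.*)$")

CDE_ZONE = "cde"               # zone name is an assumption for this example
ADMIN_PORTS = {"22", "3389"}   # interactive admin protocols worth a second look
DENY_THRESHOLD = 3             # repeated denies from one source/user are a review item


def parse_syslog(text: str) -> List[Dict[str, str]]:
    """Turn each well-formed line into a flat dict; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "host": m["host"], "kind": m["kind"]}
        rec.update(kv.split("=", 1) for kv in m["body"].split() if "=" in kv)
        records.append(rec)
    return records


def daily_review(records: List[Dict[str, str]]) -> dict:
    """Summarise one day's records into the items a reviewer should sign off on."""
    denies: Counter = Counter()
    review = {"repeated_denies_into_cde": [], "admin_access_into_cde": [],
              "config_changes": [], "high_severity_threats_into_cde": 0}
    for r in records:
        if r["kind"] == "TRAFFIC" and r.get("to_zone") == CDE_ZONE:
            if r.get("action") == "deny":
                denies[(r["src"], r.get("user", "-"))] += 1
            elif r.get("action") == "allow" and r.get("dport") in ADMIN_PORTS:
                review["admin_access_into_cde"].append(
                    (r.get("user", "-"), r["src"], r["dst"], r["dport"]))
        elif r["kind"] == "CONFIG":
            review["config_changes"].append((r["admin"], r["action"], r["result"]))
        elif (r["kind"] == "THREAT" and r.get("severity") == "high"
              and r.get("to_zone") == CDE_ZONE):
            review["high_severity_threats_into_cde"] += 1
    review["repeated_denies_into_cde"] = [
        (src, user, n) for (src, user), n in denies.items() if n >= DENY_THRESHOLD]
    return review


if __name__ == "__main__":
    for item, value in daily_review(parse_syslog(SAMPLE_SYSLOG)).items():
        print(f"{item}: {value}")
```

On the constructed input the review lists one source (`10.1.2.50`, user `bob`) with three denied attempts into the cardholder zone, one allowed SSH session into it by `carol`, one configuration commit by `jsmith`, and one high-severity threat; a single denied SMB attempt from `dave` stays below the threshold and is left for the periodic review. The thresholds and zone name are the parts to adapt to a real environment.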

Requirement 11: Regularly test security systems and processes
Supported sub-requirements: 11.4
Description of capabilities: The Palo Alto Networks Next-Generation Security Platform fully inspects all allowed communication sessions for threat identification and prevention. A single, unified threat engine delivers intrusion prevention (IPS), stream-based antivirus prevention, and blocking of unapproved file types and data. The cloud-based WildFire engine extends these capabilities further by identifying unknown and targeted malware and exploits and working in conjunction with on-premises components to prevent them. The net result is comprehensive protection from all types of threats in a single pass of traffic.

Requirement 12: Maintain a security policy that addresses information security for all personnel
Supported sub-requirements: n/a
Description of capabilities: n/a

4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pci-compliance-with-network-segmentation-uc-090116
