Software-defined WAN (SD-WAN) is increasingly popular among organizations struggling with costly and inefficient WAN architectures. Leveraging software-defined techniques to virtualize the WAN and prioritize traffic in real time, SD-WAN enables organizations to reduce their reliance on expensive MPLS links while gaining greater performance and flexibility. SD-WAN also makes it easy to set up secure site-to-site connections between headquarters and remote locations.
However, if your organization processes payment card data, you need to consider how SD-WAN may impact compliance with the Payment Card Industry Data Security Standard (PCI DSS). Here are five questions you should ask before implementing SD-WAN.
How Does SD-WAN Impact PCI Scope?
PCI DSS provides very specific parameters on what elements of the IT infrastructure are “in scope” for PCI compliance, particularly when it comes to devices that could impact your cardholder data environment (CDE). Many SD-WAN solutions use physical edge or gateway devices to create a virtual network at the perimeter of your CDE, replacing or layering on top of existing customer-premises equipment (CPE).
It goes without saying that the introduction of any new device can affect PCI scope. In addition, SD-WAN may change the cardholder data flow itself, which likewise requires you to re-evaluate what’s in scope for PCI.
Is SD-WAN a Replacement for Point-to-Point Encryption?
You’d think that by using SD-WAN to transmit cardholder data, you would be compliant with PCI Requirement 4. After all, there is end-to-end encryption across both private and public networks, and the communication between endpoints is authenticated.
Unfortunately, SD-WAN solutions have not met PCI specifications for point-to-point encryption. The security services offered through SD-WAN fall short in providing:
- A PCI-approved point-of-interaction (POI) device
- A PCI-approved application loaded on the POI
- An encryption key management process
If you’re still not convinced, do your homework. Go to the PCI SSC website and review the P2PE guidance material.
How Does SD-WAN Affect the Security of the CDE?
Traditional firewalls and edge routers (with access lists) provide defense in depth. A firewall or router sitting in front of the CDE offers network segmentation, traffic filtering, stateful inspection, and even unified threat management capabilities. Since the advent of PCI DSS, these devices have commonly been known as the edge or perimeter of your CDE.
The same considerations apply to SD-WAN solutions that use physical edge or gateway devices to facilitate the virtual WAN. You need to assess the services delivered through these devices in terms of security and PCI requirements. Does the SD-WAN device have a built-in stateful inspection firewall and intrusion prevention capabilities? Does it allow for network segmentation?
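To make the segmentation and stateful-inspection questions above concrete, here is an added Python example. It is not code from the original article and not any vendor's SD-WAN or firewall configuration; the CDE subnet, branch range, jump host, rule names and packets are all constructed. It models a default-deny rule set in front of a hypothetical CDE, audits it for the weaknesses an assessor would ask about (broad "allow" rules into the CDE, no explicit default deny), and shows why stateful inspection matters: a reply to an allowed flow passes without its own rule, whereas a plain access list with a default deny out of the CDE would drop it.

```python
"""Added example: modelling the segmentation questions from the article.

Constructed zones, rules and packets; this is not any vendor's SD-WAN or
firewall configuration, and the CDE subnet is hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zones. In a real assessment these come from the network diagram
# and data-flow documentation used to set PCI scope.
CDE = "10.10.0.0/24"            # hypothetical cardholder data environment
BRANCH = "10.30.0.0/16"         # hypothetical store/branch sites
JUMP_HOST = "10.20.5.10/32"     # hypothetical administrative jump host
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    name: str
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


# A deliberately tight rule set: only the payment API and administrative SSH
# may enter the CDE, nothing leaves it, and both directions end in an explicit
# default deny.
RULES: List[Rule] = [
    Rule("pos-to-payment-api", BRANCH, CDE, "tcp", 443, "allow"),
    Rule("admin-ssh-to-cde", JUMP_HOST, CDE, "tcp", 22, "allow"),
    Rule("default-deny-into-cde", ANY, CDE, "any", None, "deny"),
    Rule("default-deny-out-of-cde", CDE, ANY, "any", None, "deny"),
]


def first_match(rules, src, dst, proto, dport):
    """Return the first rule matching the packet, or None (implicit deny)."""
    for r in rules:
        if ip_address(src) not in ip_network(r.src):
            continue
        if ip_address(dst) not in ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r
    return None


def evaluate(rules, src, dst, proto, dport) -> str:
    """Stateless access-list verdict: first match wins, no match means deny."""
    r = first_match(rules, src, dst, proto, dport)
    return r.action if r else "deny"


def audit_rules(rules, cde) -> List[str]:
    """Flag the segmentation weaknesses an assessor would ask about:
    broad 'allow' rules into the CDE and a missing explicit default deny."""
    cde_net = ip_network(cde)
    findings = []
    for r in rules:
        if r.action != "allow" or not ip_network(r.dst).overlaps(cde_net):
            continue
        if ip_network(r.src).prefixlen == 0:
            findings.append(f"{r.name}: allows any source into the CDE")
        if r.proto == "any" or r.dport is None:
            findings.append(f"{r.name}: allows all ports/protocols into the CDE")
    has_default_deny = any(
        r.action == "deny" and ip_network(r.src).prefixlen == 0
        and ip_network(r.dst) == cde_net and r.proto == "any" and r.dport is None
        for r in rules
    )
    if not has_default_deny:
        findings.append("no explicit default-deny rule into the CDE")
    return findings


class StatefulFilter:
    """Minimal model of stateful inspection: replies belonging to an allowed
    flow pass without their own rule, which a plain access list cannot do."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src, sport, dst, dport, proto) of allowed flows

    def packet(self, src, sport, dst, dport, proto) -> str:
        if (dst, dport, src, sport, proto) in self.flows:
            return "allow"  # reply to an established connection
        verdict = evaluate(self.rules, src, dst, proto, dport)
        if verdict == "allow":
            self.flows.add((src, sport, dst, dport, proto))
        return verdict


if __name__ == "__main__":
    print(audit_rules(RULES, CDE))  # []
    f = StatefulFilter(RULES)
    print(f.packet("10.30.1.5", 51000, "10.10.0.20", 443, "tcp"))  # allow
    print(f.packet("10.10.0.20", 443, "10.30.1.5", 51000, "tcp"))  # allow (reply)
    print(evaluate(RULES, "10.10.0.20", "10.30.1.5", "tcp", 51000))  # deny
```

When evaluating an SD-WAN edge device, the useful questions map directly onto this model: can the device express a per-zone default deny into the CDE, does it track connection state so that return traffic does not force you to open broad outbound rules, and can its rule set be exported so that an audit like `audit_rules` can be run against the actual configuration rather than the vendor's description of it.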
Does SD-WAN Add a Cloud Component to the CDE?
Some SD-WAN solutions use a shared, cloud-based network to prioritize traffic and make routing decisions. If payment card data is processed, stored or transmitted in the cloud, the service provider’s infrastructure and your use of that infrastructure must be validated for PCI DSS compliance. You may allocate responsibility for managing security controls to the service provider, but you’re ultimately responsible for ensuring the provider is PCI DSS compliant. This may come in the form of an Attestation of Compliance (AoC) from the provider; otherwise the provider will need to be included in your PCI assessment.
The PCI DSS Cloud Computing Guidelines provide the framework for how the shared responsibility model impacts various PCI DSS requirements. While there are no examples specific to SD-WAN, you should assess these considerations in the context of your chosen SD-WAN solution.
Is a PCI Responsibility Matrix Required for SD-WAN?
A number of carriers are now offering managed SD-WAN services, and Gartner predicts 25 percent growth in this segment of the market. In terms of PCI, the carrier will be categorized as a service provider and required to produce a Report on Compliance and AoC, or a Self-Assessment, depending on the service provider level.
PCI Requirement 12.8 will need to be clearly addressed in a responsibility matrix provided by the SD-WAN service provider. You should understand the SD-WAN services that are being delivered and know to what extent the service provider is responsible for the security of your cardholder data.