
PCI DSS Compliance when extracting data for analysis

Here's the scenario: I've got 2 subnets. 1 is PCI DSS Compliant and the other one is not. Can I extract data to process on Kafka from the PCI compliant subnet into the non-compliant one?

tl;dr Data that has to be analysed is on the compliant subnet. Kafka is located on the non-compliant subnet.

PCI DSS doesn't really care what technologies you're using, so the fact that Kafka is involved makes no difference. All that matters is whether the data you are processing includes payment details which would make PCI DSS apply.

If it does, anything that processes that data must be PCI DSS compliant. If you can 100% guarantee that it doesn't, then PCI DSS doesn't apply.

Logically, if the first was not the case, all protections would be meaningless, because an attacker could ignore the protected servers and get the same data from the unprotected ones; if the second was not the case, you would never be able to know if a payment had been made, because the secured servers wouldn't be able to send you that data.

If you are accessing your PCI DSS compliant subnetwork (cde-subnet) from your non-compliant subnetwork (non-cde-subnet), then the non-cde-subnet is considered a "connected-to and/or security-impacting system" because it meets the criterion below:

System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity).

Following the PCI documentation:

The following scoping concepts always apply:
 - Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.
 - Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.
 - In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.

Docs: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf

You can either move Kafka to the PCI compliant subnet, or you need to make some changes to your currently non-compliant subnet.
