SD-WANs Can Boost PCI DSS Compliance

Flexible connectivity options, improved traffic optimization and increased automation are some of the reasons organizations become interested in software-defined wide-area networking (SD-WAN) technologies. Improved security and regulatory compliance are also increasingly important selling points.

SD-WANs offer important security benefits, including end-to-end encryption across any network type, simplified network segmentation and enhanced branch-office security. These factors and more can help companies meet the data-protection requirements of a number of government and industry regulations, including the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS establishes security requirements for protecting cardholder data. Among other things, it requires that stored account data be protected (Requirement 3) and that cardholder data be encrypted with strong cryptography whenever it crosses open, public networks (Requirement 4). Meeting the in-transit requirement consistently across many sites has been difficult in traditional hub-and-spoke WANs, where each branch link is configured and maintained individually.

Traditional WANs that connect many branch and remote locations are at elevated risk of data breaches because of weaknesses at the network edge. Distributed locations often have no onsite IT support and little employee security awareness. Branch connections may rely on virtual private networks (VPNs) or private cloud gateways that are not consistently configured to encrypt traffic.

SD-WANs use standards-based encryption (typically IPsec) to protect traffic end to end, and edge devices authenticate to the controller and to each other before they join the overlay. Because an SD-WAN classifies traffic in order to prioritize it, it also gives administrators detailed visibility into flows by source and destination address, port and application. That visibility makes anomalous traffic, and therefore attacks, easier to spot quickly.

Many SD-WAN platforms also support network functions virtualization (NFV), which replaces dedicated appliances with virtualized network services. Rather than managing a separate box for each WAN function, IT can run these functions on a single edge device and deploy and manage them centrally. This makes it straightforward to add a next-generation firewall (NGFW) or unified threat management (UTM) at the branch and materially improve edge security.

One of the most valuable SD-WAN capabilities for PCI DSS is network segmentation, which isolates cardholder data, and the systems that process, transmit and store it, from the rest of the corporate network. If part of the network is compromised, segmentation helps contain the damage to a bounded, manageable area.

Segmentation is simpler in an SD-WAN because the network is controller-based. The controller is the central management component: it defines policy, priorities and segment membership and pushes them to every edge device. Each segment in an SD-WAN can therefore carry only the traffic the controller's policy permits, and that policy is enforced the same way at every site.

Segmentation not only puts a barrier around cardholder data, it can also reduce the scope of a PCI DSS assessment. PCI DSS requirements apply to "all system components included in or connected to the cardholder data environment." In an unsegmented traditional WAN that covers nearly everything. SD-WAN segmentation can reduce the number of systems that fall into scope, alleviating some of the compliance burden. Two caveats apply: the SD-WAN controller and the edge devices that enforce the segmentation are themselves connected to the cardholder data environment and remain in scope, and PCI DSS requires that segmentation controls be tested to confirm they actually isolate the cardholder data environment.
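To make the scoping argument concrete, here is a small model, added for this article and not taken from any SD-WAN vendor's tooling, that applies the quoted rule ("included in or connected to the cardholder data environment") to a set of segments and the controller policy that joins them. The inventory, segment names and policy rules are constructed for the example; the scoping and policy-check logic is generic.

```python
"""
Added example: compute PCI DSS scope from an SD-WAN segmentation policy.

A component is in scope if it sits in the cardholder data environment (CDE)
segment or in any segment that the controller policy allows to exchange
traffic with the CDE. Direction is ignored: a permitted connection is a path
into the CDE regardless of which side initiates it.
"""

# Constructed inventory: component name -> segment assigned by the SD-WAN edge.
INVENTORY = {
    "hq-payment-switch": "cde",
    "hq-tokenization-db": "cde",
    "hq-erp": "corporate",
    "hq-fileserver": "corporate",
    "store-01-pos": "cde",
    "store-01-guest-wifi": "guest",
    "store-01-office-pc": "corporate",
    "store-02-pos": "cde",
    "store-02-digital-signage": "iot",
    "sdwan-controller": "management",
}

# Constructed controller policy: (source_segment, destination_segment) pairs
# that are permitted. Anything not listed is dropped at the edge.
SEGMENTED_POLICY = {
    ("cde", "cde"),
    ("management", "cde"),        # controller pushes config to CDE edges
    ("management", "corporate"),
    ("management", "guest"),
    ("management", "iot"),
    ("corporate", "corporate"),
    ("guest", "guest"),
    ("iot", "iot"),
}


def flat_policy(inventory):
    """Model an unsegmented WAN: every segment may talk to every other."""
    segments = set(inventory.values())
    return {(src, dst) for src in segments for dst in segments}


def in_scope_segments(policy, cde="cde"):
    """The CDE plus every segment with a permitted flow to or from it."""
    scope = {cde}
    for src, dst in policy:
        if src == cde:
            scope.add(dst)
        if dst == cde:
            scope.add(src)
    return scope


def in_scope_components(inventory, policy, cde="cde"):
    """Sorted list of components that fall into PCI DSS scope under `policy`."""
    segments = in_scope_segments(policy, cde)
    return sorted(name for name, seg in inventory.items() if seg in segments)


def segmentation_violations(policy, cde="cde", permitted_neighbours=("management",)):
    """Segments that can reach the CDE but are not on the approved list.

    The management segment is expected to be connected (the controller has to
    configure CDE edges), so it is permitted by default; any other neighbour is
    a policy error that silently widens the assessment scope.
    """
    unexpected = in_scope_segments(policy, cde) - {cde} - set(permitted_neighbours)
    return sorted(unexpected)


if __name__ == "__main__":
    # Scenario 1: flat WAN, every component is in scope.
    print("flat WAN in scope:", in_scope_components(INVENTORY, flat_policy(INVENTORY)))
    # Scenario 2: segmented, only CDE plus the controller are in scope.
    print("segmented in scope:", in_scope_components(INVENTORY, SEGMENTED_POLICY))
    print("violations:", segmentation_violations(SEGMENTED_POLICY))
    # Scenario 3: a helpdesk rule lets the corporate segment into the CDE and
    # pulls every corporate PC back into scope.
    leaky = SEGMENTED_POLICY | {("corporate", "cde")}
    print("leaky in scope:", in_scope_components(INVENTORY, leaky))
    print("violations:", segmentation_violations(leaky))
```

The third scenario is the one to watch for in practice: a single convenience rule added at the controller changes scope for every site at once, which is why the policy should be reviewed and the segmentation tested after each change rather than only at assessment time. The model deliberately stops at one hop; whether systems that reach the CDE only through a connected-to system (for example through the management segment) are also in scope depends on whether they can actually traverse it, and that needs a per-case review rather than a rule.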

Cardholder data is obviously an enticing target for cybercriminals. In just the past few weeks, data breaches have exposed cardholder data at Trump International, Hard Rock and Loews hotel chains, B&B Theaters and thousands of California realtors. According to a study commissioned by IBM, these breaches cost retailers roughly $170 per stolen record. While breaches are bound to happen, SD-WAN technologies can reduce the risk and improve regulatory compliance.