
Here's the scenario: I've got 2 subnets. 1 is PCI DSS Compliant and the other one is not. Can I extract data to process on Kafka from the PCI compliant subnet into the non-compliant one?

tl;dr Data that has to be analysed is on the compliant subnet. Kafka is located on the non-compliant subnet.


2 Answers

If you are accessing your PCI DSS compliant subnetwork (cde-subnet) from your non-compliant subnetwork (non-cde-subnet), then the non-cde-subnet is considered a "Connected to and/or Security Impacting System" because it meets the criterion below:

System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity).

Following the PCI documentation:

The following scoping concepts always apply:

  • Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.
  • Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.
  • In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.

Docs: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf

You can either move Kafka to the PCI compliant subnet, or you need to make some changes to your currently non-compliant subnet.


PCI DSS doesn't really care what technologies you're using, so the fact that Kafka is involved makes no difference. All that matters is whether the data you are processing includes payment details which would make PCI DSS apply.

If it does, anything that processes that data must be PCI DSS compliant. If you can 100% guarantee that it doesn't (and that it can't), then PCI DSS doesn't apply.

Logically, if the first was not the case, all protections would be meaningless, because an attacker could ignore the protected servers and get the same data from the unprotected ones; if the second was not the case, you would never be able to know if a payment had been made, because the secured servers wouldn't be able to send you that data.

Note that this only applies if the data is pushed out from the compliant subnet. If Kafka can "reach in" and pull data, it is probably in scope even if it doesn't under normal circumstances pull payment data, because the connection could theoretically be subverted by an attacker.

  • If Kafka can "reach in" and pull data then this connectivity is in scope for PCI DSS and all applicable PCI DSS requirements apply to secure that connection or access. – mlewinska Jan 09 '22 at 01:07
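As an added illustration (not code from the question or either answer), the scoping rules quoted in the first answer and the push-versus-pull point in the second can be checked mechanically over a system inventory. The inventory below is constructed; treating only *initiated* connections into the CDE as "connected-to" is an assumption that follows the second answer's reading.

```python
# Added example: apply the PCI DSS scoping concepts to a constructed inventory.
# Rules encoded:
#   (1) any system inside the CDE is in scope;
#   (2) any system that can initiate a connection to a CDE system is in scope
#       (assumption: direction matters, as the second answer argues);
#   (3) any system that stores, processes or transmits account data is in scope;
#   (4) in a flat (unsegmented) network, every system is in scope if any one
#       system holds account data.
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    subnet: str
    in_cde: bool = False
    account_data: bool = False                      # stores/processes/transmits account data
    connects_to: set = field(default_factory=set)   # names this system can open connections to


def in_scope(systems, segmented=True):
    """Return the set of system names that fall within PCI DSS scope."""
    by_name = {s.name: s for s in systems}
    if not segmented and any(s.account_data for s in systems):
        return set(by_name)                         # rule (4): flat network, everything is in scope
    scope = set()
    for s in systems:
        if s.in_cde or s.account_data:              # rules (1) and (3)
            scope.add(s.name)
        elif any(by_name[t].in_cde for t in s.connects_to if t in by_name):
            scope.add(s.name)                       # rule (2): "connected-to" the CDE
    return scope


def push_model():
    """Constructed: a CDE app pushes a feed without account data out to Kafka."""
    return [
        System("cde-app", "cde-subnet", in_cde=True, account_data=True, connects_to={"kafka"}),
        System("cde-db", "cde-subnet", in_cde=True, account_data=True),
        System("kafka", "non-cde-subnet"),
        System("analytics", "non-cde-subnet", connects_to={"kafka"}),
    ]


def pull_model():
    """Constructed: Kafka 'reaches in' and pulls from the CDE database."""
    return [
        System("cde-db", "cde-subnet", in_cde=True, account_data=True),
        System("kafka", "non-cde-subnet", connects_to={"cde-db"}),
        System("analytics", "non-cde-subnet", connects_to={"kafka"}),
    ]
```

In the push model Kafka stays out of scope only because its feed is marked as carrying no account data; in the pull model Kafka lands in scope purely through its connectivity into the CDE, which is the second answer's caveat.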