At the 2014 Community Meeting, the PCI SSC responded to a question about network segmentation with what has come to be termed the “Three Hop Rule”. The statement was made that if a device/system was “three hops or more” away from the cardholder data environment (CDE), then it was out of scope. A lot of us in the room were taken aback by this statement. And based on some questions of late regarding this subject, there is a lot of confusion out there regarding what the Council was trying to say.
First, the term “hop” is not a network security term nor does it even have any security implications. The term “hop” is defined as:
“Data packets pass through routers and gateways on the way. Each time packets are passed to the next device, a hop occurs.”
The count of three therefore is the number of hops or “hop count” between devices. Hop count is defined as:
“Each router along the data path constitutes a hop, as the data is moved from one Layer 3 network to another. Hop count is therefore a basic measurement of distance in a network.”
Nowhere in these definitions is there any statement that the number of hops between two devices has anything to do with security. Hop count measures routing distance, not isolation. That is why a lot of us were concerned by the statement, and likely why there has been so much confusion and discussion since.
What we believe the Council was getting at was the number of network segments between a device/system and the CDE. However, having three network segments between the CDE and a device/system is also no guarantee of security.
What provides security at Layer 3 are the access control lists (ACLs) or firewall rules that allow or deny packets to traverse particular paths through the network. ACLs control which devices, ports and services can communicate between networks. But the mere presence of an ACL at each hop is no guarantee either: if each ACL along the path permits the traffic, three hops are no more isolating than one.
This is why PCI DSS Requirement 1 requires the QSA to review all relevant ACLs to ensure that the network is truly segmented. It is also why, in v3, Requirement 11.3 requires penetration testing to prove that the segmentation actually works. As a result, the number of hops between the CDE and a device should never be treated as evidence that the device is out of scope.
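To make the point concrete, here is an added example (not from the original post, and not a PCI SSC or QSA tool) that models a small constructed topology of network segments joined by routers, each link carrying an ACL, and asks the only question that matters for scoping: does any permitted path exist between a segment and the CDE? The segment names, services and ACLs are all hypothetical. A segment three hops from the CDE with a permitting ACL at every hop comes back as connected, while a segment one hop away behind a deny-all ACL does not.

```python
"""Segment reachability check: hop count versus ACLs (constructed example).

A link is (from_segment, to_segment, acl) where acl is a set of "proto/port"
strings that the router permits from the first segment to the second, or the
wildcard "any".  Links are directional: a permit on A->B says nothing
about B->A, so scoping must be checked in both directions.
"""
from collections import deque

# Hypothetical topology.  corp-lan is three hops from cde, but every ACL on the
# path permits tcp/1433 (SQL Server), so it is connected to the CDE.
# guest-wifi is a single hop from cde but the ACL on that link denies everything.
LINKS = [
    ("corp-lan", "corp-core", {"any"}),
    ("corp-core", "dmz", {"tcp/443", "tcp/1433"}),
    ("dmz", "cde", {"tcp/1433"}),
    ("guest-wifi", "cde", set()),
]


def allows(acl, service):
    """True if the ACL permits the given proto/port string."""
    return "any" in acl or service in acl


def find_path(links, src, dst, service):
    """Breadth-first search over segments.

    Returns the first path (list of segments) along which every ACL permits
    `service` from src to dst, or None if every route is blocked somewhere.
    """
    adj = {}
    for a, b, acl in links:
        adj.setdefault(a, []).append((b, acl))
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        here = path[-1]
        if here == dst:
            return path
        for nxt, acl in adj.get(here, []):
            if nxt not in seen and allows(acl, service):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def hop_count(path):
    """Number of routers crossed along a path; None when there is no path."""
    return len(path) - 1 if path else None


def connected_to_cde(links, segment, cde, services):
    """A segment is connected to the CDE (and therefore a scoping concern) if
    any listed service can reach the CDE, or the CDE can reach it, no matter
    how many routers lie in between."""
    for svc in services:
        if find_path(links, segment, cde, svc) or find_path(links, cde, segment, svc):
            return True
    return False


if __name__ == "__main__":
    services = ["tcp/443", "tcp/1433"]
    for seg in ("corp-lan", "guest-wifi"):
        for svc in services:
            path = find_path(LINKS, seg, "cde", svc)
            print(f"{seg:10} {svc:9} hops={hop_count(path)} path={path}")
        print(f"{seg:10} connected to CDE: {connected_to_cde(LINKS, seg, 'cde', services)}")
```

Running it shows corp-lan reaching the CDE on tcp/1433 across three hops, and guest-wifi reaching nothing at one hop. The check is the same one a QSA's Requirement 1 ACL review and an 11.3 segmentation test are trying to answer, and neither of them counts routers.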
The bottom line is that, in order to be truly out of scope, there needs to be ZERO connectivity between a device and the CDE: not zero routers in between, but zero permitted paths, in either direction, on any port or service.