Here's the scenario: I've got 2 subnets. 1 is PCI DSS Compliant and the other one is not. Can I extract data to process on Kafka from the PCI compliant subnet into the non-compliant one?
tl;dr Data that has to be analysed is on the compliant subnet. Kafka is located on the non-compliant subnet.
If you are accessing your PCI DSS compliant subnetwork (cde-subnet) from your non-compliant subnetwork (non-cde-subnet), then the non-cde-subnet is considered a "Connected-to and/or Security-Impacting System" because it meets the criteria below:
System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity).
Following the PCI documentation:
The following scoping concepts always apply:
- Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.
- Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.
- In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.
Docs: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf
You can either move Kafka to the PCI-compliant subnet, or you need to make some changes to your currently non-compliant subnet.