Here's the scenario: I've got 2 subnets. 1 is PCI DSS Compliant and the other one is not. Can I extract data to process on Kafka from the PCI compliant subnet into the non-compliant one?
tl;dr Data that has to be analysed is on the compliant subnet. Kafka is located on the non-compliant subnet.
On
PCI DSS doesn't really care what technologies you're using, so the fact that Kafka is involved makes no difference. All that matters is whether the data you are processing includes payment details which would make PCI DSS apply.
If it does, anything that processes that data must be PCI DSS compliant. If you can 100% guarantee that it doesn't (and that it can't), then PCI DSS doesn't apply.
Logically, if the first was not the case, all protections would be meaningless, because an attacker could ignore the protected servers and get the same data from the unprotected ones; if the second was not the case, you would never be able to know if a payment had been made, because the secured servers wouldn't be able to send you that data.
Note that this only applies if the data is pushed out from the compliant subnet. If Kafka can "reach in" and pull data, it is probably in scope even if it doesn't under normal circumstances pull payment data, because the connection could theoretically be subverted by an attacker.
If you are accessing your PCI DSS Compliant subnetwork (
cde-subnet) from your non compliant subnetwork (non-cde-subnet) then thenon-cde-subnetis considered "Connected to and/or Security Impacting System" because it meets below criteria:Following the PCI documentation:
Docs: https://www.pcisecuritystandards.org/documents/Guidance-PCI-DSS-Scoping-and-Segmentation_v1.pdf
You can either move Kafka to pci compliant subnet or you need to make some changes to your currently non compliant subnet.