The Payment Card Industry Data Security Standard (PCI DSS) regulates how organizations handle cardholder data. Managed by the PCI Security Standards Council, it sets 12 core requirements for securing the cardholder data environment (CDE), and organizations that fail to meet them can face fines, increased scrutiny, and even the loss of merchant status.

Network segmentation divides an IT environment by placing sensitive systems in separate networks, away from other infrastructure elements. In PCI DSS, network segmentation means isolating sensitive data and the systems that store, process, or transmit it, so fewer assets fall within scope—a practical way to protect cardholder data while reducing the number of system components subject to PCI DSS compliance. A reduced PCI DSS scope provides multiple benefits, including:

  • Lowering compliance costs;
  • Minimizing the attack surface;
  • Facilitating network segmentation;
  • Simplifying compliance efforts;
  • Reducing breach impacts.

For organizations and IT or security teams responsible for PCI DSS compliance, segmentation also strengthens day-to-day security operations. In flatter environments without clear boundaries, a compromise in one area can spread across the entire network; with segmentation, teams can focus controls, testing, and monitoring on the limited network segments that contain cardholder data. The sections that follow cover the practical work behind that approach, including data-flow mapping, network and asset inventory, physical and logical segmentation design, validation and testing, access control, third-party connections, documentation, reporting, and the maintenance of continuous compliance.

Cardholder Data Environment and Cardholder Data

The cardholder data environment comprises the people, processes, and technology used to store, process, or transmit cardholder or authentication data. The CDE defines the scope boundary used by PCI DSS to identify the systems and processes that must meet the security standards. The PCI DSS scope includes any system components on the same network, even if they do not directly interact with secure cardholder data, that can be used as a gateway to that sensitive information.

Organizations must protect specific elements of cardholder data to achieve PCI DSS compliance. The main data element is the Primary Account Number (PAN), the full 14 to 19-digit card number that identifies a cardholder’s account. Businesses that are not processing, transmitting, or storing the PAN are generally not subject to PCI DSS compliance. Teams must document the storage locations that contain PANs so they can be included in PCI DSS compliance efforts.

Additional data elements, such as the cardholder’s name, card expiration date, and service code, are considered cardholder data only when they are stored together with the PAN. This information is not considered regulated data when stored away from the PAN. Systems that touch the PAN must meet compliance standards and should be located in the PCI DSS network segment. Applications and systems that only view truncated or tokenized PANs are typically outside of the PCI DSS scope.

Businesses must also protect the sensitive authentication data (SAD) associated with cardholder data. SAD includes information such as a card’s magnetic stripe, chip data, CVV security code, and PIN. SAD can never be stored, even if encrypted, and must be securely deleted after being processed.

Map Data Flows and Scope Cardholder Data

The first step in architecting a secure network for PCI DSS compliance is to map the way cardholder data flows across an organization’s IT systems. Teams must identify all systems and applications that handle cardholder data and determine whether they interact with the full PAN or with supplemental data that PCI DSS does not directly regulate. A company’s infrastructure and software assets can then be classified as either in scope or out of scope for PCI DSS protection.
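Mapping where cardholder data actually lives starts with finding it. The following PAN discovery scanner is an added example, not code from the original article or from Atlantic.net: it scans text (log extracts, database exports, file shares) for 14 to 19-digit numbers, applies the Luhn check that every valid PAN satisfies, and reports matches with the PAN masked so the scan report does not itself become a new in-scope store. The sample log lines are constructed, the test card numbers are the well-known public ones, and the first-six/last-four masking rule is the policy assumed here.

```python
import re

# Candidate PANs: 14-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")

# Constructed sample: an application log that leaks PANs alongside a tokenized
# order (which is out of scope) and a 19-digit reference that is not a card.
SAMPLE_LOG = """\
2024-05-01 order=1001 card=4111 1111 1111 1111 exp=12/26
2024-05-01 order=1002 card=5500-0000-0000-0004
2024-05-01 order=1003 token=tok_9f2e7 last4=1111
2024-05-01 order=1004 ref=1234567890123456789 (19 digits, fails Luhn)
2024-05-01 order=1005 card=378282246310005
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: filters most random digit strings out of the candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (assumed masking policy)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return one finding per Luhn-valid candidate, with the PAN already masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 14 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno,
                                 "masked": mask_pan(digits),
                                 "length": len(digits)})
    return findings


if __name__ == "__main__":
    for finding in find_pans(SAMPLE_LOG):
        print(f"line {finding['line']}: PAN {finding['masked']} ({finding['length']} digits)")
```

Lines 1, 2 and 5 are reported as PANs and therefore put that log file, and the system writing it, in scope; line 3 only holds a token and the last four digits, and line 4 is a Luhn-invalid reference number that a naive digit-count regex would have flagged.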

Inventory Network Components and Modern Network Architectures

Organizations must inventory all physical and virtual network components and devices to identify those that transmit cardholder data. Companies with cloud environments must include all cloud services and resources that handle cardholder data to ensure the necessary security measures protect them. The inventory must include all containers and microservice endpoints that may require safeguarding with PCI DSS controls.

Design Principles for Implementing Network Segmentation and Data Security

Companies can implement PCI DSS network segmentation using either physical or logical methods.

Physical network segmentation

This approach uses dedicated hardware, such as switches, routers, firewalls, and servers, to isolate sensitive data and critical systems from the rest of the IT environment. Physical network segmentation offers the following advantages.

  • The lack of shared infrastructure provides stronger CDE isolation.
  • Misconfigured general network security controls do not provide access to the CDE.
  • It is easier to demonstrate effective isolation to a Qualified Security Assessor (QSA) verifying PCI DSS compliance.

The disadvantages of this segmentation method include:

  • Increasing IT expense for dedicated hardware;
  • Reducing flexibility and scalability to meet evolving business needs;
  • Potentially underutilized hardware in the CDE.

Logical network segmentation

Businesses can logically segment the cardholder data environment with software and configuration controls on shared physical infrastructure. Common methods of logical segmentation include:

  • Virtual Local Area Networks (VLANs);
  • Firewalls and strict access control lists (ACLs);
  • Software-defined networking (SDN);
  • Isolating workloads in virtual environments and containers.

The advantages of logical segmentation include reduced costs, increased flexibility, and enhanced scalability in cloud environments.

Companies that choose a logical segmentation approach must address several disadvantages.

  • A misconfiguration can expose the CDE to the broader IT environment.
  • Teams must continually test the environment and regularly monitor controls to ensure proper segmentation remains in place to protect the CDE.
  • It may be more difficult to demonstrate effective network isolation to a QSA due to the shared hardware.

Common network segmentation activities

Companies must perform several activities regardless of the method they use to implement network segmentation, and strong segmentation efforts begin by limiting exposure within the environment.

  • Organizations should reduce the CDE’s attack surface by eliminating unnecessary components within the segmented environment.
  • Teams must develop and enforce least-privilege access controls to restrict unauthorized users from the environment.
  • Cardholder data must be encrypted when transmitted over a network, and at rest when stored in on-premises or cloud storage solutions.

PCI DSS compliance supports both methods and requires that the segmentation process be adequate, verified, and maintained to ensure ongoing compliance over time. Teams must test segmentation controls at least annually and when the network experiences a substantial change. Logical segmentation may require stronger documentation to demonstrate that the controls meet PCI DSS compliance standards. QSAs will typically perform a more thorough examination of logical segments due to the risk of misconfigurations that could lead to data breaches.

Most modern environments, especially in small and medium-sized businesses, favor logical segmentation for its cost-effectiveness and flexibility. These companies must implement reliable network configurations to achieve PCI DSS compliance.

Implement Logical Network Segmentation: Step-by-Step

Companies should implement logical network segmentation of their PCI DSS scope by following these steps.

  1. Create an isolated CDE network segment with VLANs or Virtual Routing and Forwarding (VRF) solutions. The PCI DSS network segmentation should be based on the company’s prior data and network resource inventory.
  2. Implement and deploy dedicated firewalls at the boundaries between the CDE and all other segments and zones. These firewalls are essential for segregating the CDE from less critical systems and business processes.
  3. Design and implement access control lists on Layer 3 routers or switches to filter traffic where a dedicated firewall is not in the path. Inbound and outbound network traffic should be filtered using ACLs, and denied attempts should be logged for review by the security team.
  4. Teams should enforce microsegmentation with granular, policy-based segmentation controls to protect against malicious east-west traffic moving laterally through the environment. Microsegmentation ensures that compromising one system does not grant access to additional CDE resources.
  5. PCI DSS network segmentation must be tested, verified, and documented to simplify compliance efforts. Teams should be prepared to provide a QSA with complete details of the company’s PCI DSS segmentation.
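The following policy-as-code model is an added example, not code from the original article or from Atlantic.net. It shows what steps 1 to 3 amount to once written down: named zones with address ranges, an ordered rule base that is evaluated first-match with an implicit deny, and a rule-review function that flags any allow rule into the CDE that is broader than, or missing from, the documented list of approved flows. The zone names, address ranges, ports and approved flows are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zone addressing is constructed for this example; real networks differ.
ZONES = {
    "cde": ip_network("10.10.20.0/24"),        # cardholder data environment
    "dmz": ip_network("10.10.10.0/24"),        # customer-facing web tier (connected-to, in scope)
    "mgmt": ip_network("10.10.30.0/24"),       # jump hosts and SIEM collector (in scope)
    "corporate": ip_network("10.20.0.0/16"),   # out-of-scope office network
}


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"
    comment: str


# Ordered rule base: first match wins, anything unmatched is denied.
RULES = [
    Rule("dmz", "cde", 8443, "allow", "payment application API from the web tier"),
    Rule("mgmt", "cde", 22, "allow", "administration via MFA-protected jump host"),
    Rule("cde", "mgmt", 514, "allow", "syslog export to the SIEM collector"),
    Rule("any", "cde", None, "deny", "explicit CDE ingress deny (logged)"),
    Rule("cde", "any", None, "deny", "explicit CDE egress deny (logged)"),
]

# Flows recorded in the segmentation documentation; anything else into the CDE is a finding.
APPROVED_CDE_INGRESS = {("dmz", "cde", 8443), ("mgmt", "cde", 22)}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses get no privileges."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First-match evaluation of a flow; returns (action, reason)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.src not in (src_zone, "any"):
            continue
        if rule.dst not in (dst_zone, "any"):
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action, rule.comment
    return "deny", "implicit default deny"


def audit_cde_ingress(rules: List[Rule]) -> List[str]:
    """Firewall rule review: flag allow rules into the CDE that use 'any' for the
    source or port, or that are not on the documented approved-flow list."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst != "cde":
            continue
        if r.src == "any" or r.port is None:
            findings.append(f"overly broad rule: {r.comment}")
        elif (r.src, r.dst, r.port) not in APPROVED_CDE_INGRESS:
            findings.append(f"undocumented flow: {r.comment}")
    return findings


if __name__ == "__main__":
    print(evaluate("10.10.10.5", "10.10.20.7", 8443))   # web tier to payment API: allowed
    print(evaluate("10.20.4.9", "10.10.20.7", 8443))    # corporate to CDE: denied
    print(audit_cde_ingress(RULES + [Rule("corporate", "cde", None, "allow", "temporary")]))
```

Running the audit as part of change control catches the "temporary" rule above before it reaches the firewall, which is the class of misconfiguration that makes logical segmentation riskier than physical separation.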

Deploy Intrusion Detection Systems and Continuous Monitoring

Companies should protect the CDE by deploying intrusion detection systems (IDS) at segment boundaries to detect attempts by threat actors to access sensitive data within the PCI DSS network. Effective network segmentation must include solutions to detect and respond to CDE incursions.

Alerts generated by the IDS should be integrated into the organization’s security information and event management (SIEM) solution so they can be addressed effectively to protect the segmented environment. Teams must implement continuous monitoring for CDE traffic, including external and internal access requests. Failed access attempts should be analyzed for patterns that may indicate the need for firewall or ACL changes.
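The pattern analysis of failed access attempts described above can be automated. The script below is an added example, not code from the original article or from Atlantic.net: it parses constructed iptables/nftables-style kernel log lines from the CDE boundary (the "CDE-DENY" log prefix is assumed), summarizes denies per source address, and separates two patterns that call for different responses: one source touching many CDE hosts or ports, which looks like probing and belongs in the SIEM as an alert, and one source repeatedly denied on a single flow, which usually means a client expects access and the rule base needs review. The thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed log lines (iptables/nftables LOG format); addresses are not real.
DENY_LOGS = """\
May  3 02:11:05 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.4.9 DST=10.10.20.7 PROTO=TCP SPT=40412 DPT=22
May  3 02:11:06 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.4.9 DST=10.10.20.7 PROTO=TCP SPT=40413 DPT=3389
May  3 02:11:06 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.4.9 DST=10.10.20.8 PROTO=TCP SPT=40414 DPT=445
May  3 02:11:07 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.4.9 DST=10.10.20.9 PROTO=TCP SPT=40415 DPT=1433
May  3 02:11:08 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.4.9 DST=10.10.20.10 PROTO=TCP SPT=40416 DPT=8443
May  3 02:11:09 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.4.9 DST=10.10.20.11 PROTO=TCP SPT=40417 DPT=22
May  3 02:12:30 fw1 sshd[1201]: Accepted publickey for admin from 10.10.30.2 port 50211 ssh2
May  3 02:30:41 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.7.15 DST=10.10.20.7 PROTO=TCP SPT=51022 DPT=8443
May  3 02:30:42 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.7.15 DST=10.10.20.7 PROTO=TCP SPT=51023 DPT=8443
May  3 02:30:43 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.7.15 DST=10.10.20.7 PROTO=TCP SPT=51024 DPT=8443
May  3 02:41:10 fw1 kernel: CDE-DENY IN=eth1 OUT=eth2 SRC=10.20.9.3 DST=10.10.20.8 PROTO=TCP SPT=60001 DPT=22
"""

LOG_RE = re.compile(
    r"CDE-DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Review thresholds (assumptions; tune to the environment).
SCAN_HOSTS = 3     # distinct CDE hosts touched by one source
SCAN_PORTS = 3     # distinct destination ports tried by one source
REPEAT_COUNT = 3   # same flow denied this many times


def summarize_denies(log_text: str) -> Dict[str, dict]:
    """Aggregate CDE boundary denies per source address."""
    per_src = defaultdict(lambda: {"count": 0, "hosts": set(), "ports": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue   # not a CDE boundary deny (e.g. the sshd line)
        entry = per_src[m["src"]]
        entry["count"] += 1
        entry["hosts"].add(m["dst"])
        entry["ports"].add(int(m["dpt"]))
    return per_src


def classify(summary: Dict[str, dict]) -> Dict[str, dict]:
    """Turn the per-source summary into findings for the SIEM or the rule-review queue."""
    findings = {}
    for src, s in summary.items():
        if len(s["hosts"]) >= SCAN_HOSTS or len(s["ports"]) >= SCAN_PORTS:
            category = "possible_scan"          # horizontal or vertical probing of the CDE
        elif s["count"] >= REPEAT_COUNT and len(s["hosts"]) == 1 and len(s["ports"]) == 1:
            category = "repeated_single_flow"   # a client expecting access: review the ACL
        else:
            continue                            # single denies are kept in the logs only
        findings[src] = {"category": category, "count": s["count"],
                         "hosts": sorted(s["hosts"]), "ports": sorted(s["ports"])}
    return findings


if __name__ == "__main__":
    for src, finding in classify(summarize_denies(DENY_LOGS)).items():
        print(src, finding)
```

On the constructed input, 10.20.4.9 is flagged as a possible scan (six hosts, five ports in a few seconds), 10.20.7.15 as a repeated single flow to the payment API port, and the lone deny from 10.20.9.3 produces no finding.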

Validate Segmentation: Testing and Penetration

Organizations must validate network segmentation by testing the network and documenting the results for an internal or external PCI DSS assessment. The following activities are essential for ensuring the validity of a PCI DSS segmentation.

  • Teams should perform annual penetration testing on the CDE and immediately address any identified vulnerabilities.
  • Firewall rule reviews must be conducted regularly for all paths into the CDE with appropriate changes made to strengthen network defense.
  • Companies should run internal and external network scans to verify that all sensitive data, and the systems that handle it, reside within the CDE rather than outside it.
  • Teams must verify that no unprotected paths to the CDE exist from out-of-scope systems.
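A segmentation test is typically run as a port scan from a host in each out-of-scope segment against the CDE address range; the expected result is that nothing answers. The parser below is an added example, not code from the original article or from Atlantic.net. It reads nmap's grepable (-oG) output, which is an assumed choice of scan format, and reports every port the scanner found open that is not on the approved-flow list for the segment the scan was launched from. The scan output is constructed for the example, as are the addresses.

```python
import re
from typing import List, Set, Tuple

# Constructed nmap grepable (-oG) output for a scan launched from an out-of-scope
# host against the CDE range; addresses and results are not real data.
SCAN_OUTPUT = """\
# Nmap scan initiated as: nmap -sS -p- -oG cde-seg-test.gnmap 10.10.20.0/24
Host: 10.10.20.7 ()\tPorts: 8443/open/tcp//https-alt///\tIgnored State: filtered (65534)
Host: 10.10.20.8 ()\tPorts: 22/filtered/tcp//ssh///, 445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (65533)
Host: 10.10.20.9 ()\tPorts: 1433/open/tcp//ms-sql-s///, 53/open|filtered/udp//domain///\tIgnored State: filtered (65533)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def open_ports(gnmap: str) -> List[Tuple[str, int, str]]:
    """Parse (host, port, proto) for every port nmap reported as confirmed open."""
    results = []
    for line in gnmap.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue   # comment or blank line
        # -oG fields are tab-separated "Name: value" pairs
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")   # port/state/proto/owner/service/rpc/version
            if len(parts) < 3 or not parts[0].isdigit():
                continue
            port, state, proto = int(parts[0]), parts[1], parts[2]
            # "filtered" is the desired outcome at a CDE boundary; "open|filtered"
            # (typical for UDP) is inconclusive and should be retested, not counted.
            if state == "open":
                results.append((m.group(1), port, proto))
    return results


def segmentation_violations(gnmap: str, approved: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Every open port reachable from the scanning host that is not an approved
    flow is a segmentation failure to be fixed and retested."""
    return [(h, p) for h, p, _ in open_ports(gnmap) if (h, p) not in approved]


if __name__ == "__main__":
    # From an out-of-scope segment nothing in the CDE may be reachable.
    print(segmentation_violations(SCAN_OUTPUT, approved=set()))
```

For a scan launched from the DMZ the approved set would contain the documented web-tier flow, for example `{("10.10.20.7", 8443)}`, and only the database port on 10.10.20.9 would remain as a finding; the scan output and the resulting report are the evidence a QSA expects to see for each test.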

Continuous Monitoring, Logging, and Incident Response

Companies must guard against data breaches that can undermine PCI DSS compliance and erode customer trust. Teams should implement automated tools to support monitoring, logging, and incident response for the CDE. Specific activities they can take include:

  • Centralizing logs for a complete view of CDE activity;
  • Defining and enforcing alerting thresholds for anomalies or suspicious behavior;
  • Testing incident response playbooks at least quarterly to ensure they remain effective.

Enhanced Security Controls and Access Controls

Teams must implement and enforce enhanced security controls to ensure that only authorized personnel can access systems and applications within the PCI DSS network segment. Companies should protect cardholder data with the following strong access control measures.

  • All individuals attempting to access the CDE should use multi-factor authentication (MFA). These stricter access controls are necessary to meet PCI DSS requirements and prevent intrusion by unauthorized entities.
  • Companies must limit access to the secure environment to a business-need-to-know basis. Access management is essential for effective network segmentation. Teams must implement role-based access controls for all users in the cardholder data environment.
  • Companies must implement strong cryptography to encrypt cardholder data both in transit over public networks and at rest. Teams must manage and protect encryption keys, including rotating them regularly and limiting access to authorized personnel.

Third-Party and Service Provider Considerations

Organizations need to control third-party and service provider access to the CDE. Teams must assess the level of vendor access to the CDE for business activities such as payment processing. Firewall rules should be leveraged to limit network paths that allow third-party access to systems that store cardholder data.

Companies should require segmentation evidence from service providers to support a PCI DSS audit. This evidence is especially important for companies implementing logical segmentation with a cloud service provider (CSP).

Reporting, Documentation, and DSS Network Segmentation Evidence

Organizations must be prepared to pass a PCI DSS audit triggered by data breaches, major infrastructure changes, transaction volume, or business reclassification. Teams will need to provide QSAs with segmentation reports that demonstrate PCI compliance. They should periodically test networks and retain reports as audit evidence. QSAs will expect up-to-date network diagrams and data-flow diagrams that fully describe the CDE and its boundaries.

Tools, Automation, and Continuous Compliance

Teams should use advanced tools and automation to enhance security by enforcing firewall policies, performing intrusion detection, and streamlining incident response. Strong configuration policies should be automated and implemented to minimize misconfiguration that can expose sensitive data to threat actors.

Organizations should strive to maintain ongoing compliance through regularly scheduled automated compliance checks. Issues identified through regular monitoring of those checks and controls over time should be addressed promptly before they lead to data breaches. Companies must remain compliant with new requirements and protect the environment from evolving cyber threats.

Checklist: Implementing Network Segmentation for PCI DSS

The following checklist outlines the steps and practices discussed above to create a segmented cardholder data environment.

  • Map the flow of cardholder data.
  • Inventory network and infrastructure components.
  • Design a logical or physical segmentation strategy.
  • Implement the appropriate segmentation controls.
  • Verify the segmentation with complete testing.
  • Monitor the segmentation continuously and address vulnerabilities promptly.

Next Steps and Resources

Company decision-makers should assemble a team and assign business and technical owners to the CDE segmentation project. Teams should conduct testing to reevaluate the environment after network or application changes. Businesses are encouraged to engage an independent QSA to validate the PCI DSS scope and network configuration.

Atlantic.net offers its customers PCI-compliant cloud and dedicated hosting solutions audited by a third-party QSA. Contact their team to learn more about protecting your sensitive cardholder data.