
PCI DSS Network Segmentation Guide

Reduce your PCI DSS assessment scope by up to 70% through proper network segmentation, isolating the cardholder data environment from the rest of your corporate network.

Effective segmentation is the single most impactful scope reduction technique available to merchants and service providers.

Network segmentation in PCI DSS isolates the cardholder data environment from the rest of the corporate network, reducing the systems in scope for assessment. While not a PCI DSS requirement itself, effective segmentation is the single most impactful scope reduction technique, often reducing assessment scope and cost by 50 to 70 percent.

What Is Network Segmentation in PCI DSS?

Network segmentation is the practice of dividing a computer network into smaller, isolated sub-networks to restrict access to the cardholder data environment (CDE). In PCI DSS, segmentation controls create boundaries between the CDE and all other network segments, ensuring that only authorised systems and users can communicate with systems that store, process, or transmit cardholder data.

Segmentation is not about preventing all access to the CDE; it is about controlling and monitoring the access points. Legitimate traffic such as payment processing, administrative access, and monitoring must still flow to and from the CDE. The goal is to ensure that only explicitly authorised traffic crosses the segmentation boundary, and that all cross-segment traffic is logged and monitored.

It is important to distinguish between segmentation and isolation. Segmentation controls access using firewall rules, ACLs, and monitoring at defined boundaries. Isolation (air gapping) eliminates all connectivity between environments. Both reduce scope, but segmentation is far more common in practice because most organisations need some connectivity between the CDE and supporting systems.

Segmentation Methods

Method: VLANs (with ACLs)
  • Description: Virtual LANs separate broadcast domains at Layer 2, while access control lists on switches and routers restrict inter-VLAN traffic. VLANs alone are insufficient; they must be paired with enforced ACLs or firewall rules to qualify as segmentation under PCI DSS.
  • Effectiveness: Moderate
  • Common use case: Internal network segmentation within a single physical site where firewall rules augment VLAN boundaries.

Method: Firewalls
  • Description: Stateful inspection firewalls placed at segment boundaries enforce granular allow/deny rules based on source, destination, port, and protocol. Firewalls provide the strongest traditional segmentation control and are the method most commonly validated by QSAs.
  • Effectiveness: High
  • Common use case: Primary segmentation control between the CDE and corporate networks. Required when VLANs or cloud constructs are used.

Method: Micro-segmentation
  • Description: Software-defined segmentation at the workload level using host-based agents or hypervisor-level controls. Each system or application has individually enforced security policies, providing East-West traffic control within a network segment.
  • Effectiveness: Very High
  • Common use case: Data centres and virtualised environments where granular workload-to-workload isolation is needed beyond traditional perimeter controls.

Method: Cloud VPCs / Security Groups
  • Description: Virtual Private Clouds create logically isolated network environments in public cloud. Security groups and network ACLs (NACLs) control inbound and outbound traffic at the instance and subnet level respectively.
  • Effectiveness: High
  • Common use case: Cloud-native environments on AWS, Azure, or GCP where CDE workloads run alongside non-CDE infrastructure.

Method: Air Gap / Physical Isolation
  • Description: Complete physical separation of networks with no logical or physical connectivity between the CDE and other environments. The most secure form of segmentation, but operationally expensive and difficult to maintain at scale.
  • Effectiveness: Maximum
  • Common use case: High-security environments processing large volumes of cardholder data where the operational overhead is justified by the risk reduction.

Segmentation Testing Requirements

PCI DSS Requirement 11.4.5 mandates penetration testing of segmentation controls to verify their effectiveness. Service providers must conduct this testing every 6 months, while merchants must test annually. This testing is separate from the general network penetration test and specifically targets the segmentation boundaries.

Segmentation penetration testers look for several key indicators: whether traffic can traverse segmentation boundaries without being blocked, whether firewall rules are overly permissive, whether management protocols (SSH, RDP, SNMP) allow cross-segment access, and whether any systems bridge multiple segments without adequate controls. Testers attempt to access CDE systems from non-CDE network segments using a variety of techniques.

Common test failures include: firewall rules that allow "any" source or destination traffic, management VLANs with unrestricted access to CDE systems, misconfigured security groups in cloud environments allowing broader access than intended, and network changes that were made after the last segmentation test but before the current assessment period.

Key point: Segmentation testing must be performed after any changes to segmentation controls or the network architecture. A change made between scheduled tests requires an additional test to validate the controls remain effective.
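As an added illustration of the checks described in this section (example code, not from the page or from GRCTrack), the following Python audits a constructed firewall ruleset for the common failures listed above: "any"-source rules reaching the CDE and management protocols allowed in from non-CDE segments. It also lists the non-CDE networks that an allowed path pulls into scope as connected-to systems. The CDE range, management port list and ruleset are assumptions for this example.

```python
"""Audit a firewall ruleset for the segmentation failures a PCI DSS
segmentation test commonly finds. Topology, ports and rules are constructed
for this example; adapt CDE_NETS and RULES to your own documented architecture."""
import ipaddress

# Constructed CDE address space (assumption for this example).
CDE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Management protocols that should never be reachable from non-CDE segments
# without a justified, documented rule.
MGMT_PORTS = {22: "SSH", 3389: "RDP", 161: "SNMP"}

# Constructed ruleset; "any" stands for 0.0.0.0/0 as many firewalls render it.
RULES = [
    {"id": 10, "src": "10.20.5.0/24", "dst": "10.10.1.10/32", "port": 443, "action": "allow"},
    {"id": 20, "src": "any", "dst": "10.10.0.0/16", "port": 443, "action": "allow"},
    {"id": 30, "src": "10.30.0.0/16", "dst": "10.10.1.0/24", "port": 22, "action": "allow"},
    {"id": 40, "src": "10.10.2.0/24", "dst": "10.40.0.0/16", "port": 514, "action": "allow"},
    {"id": 50, "src": "10.20.0.0/16", "dst": "10.10.0.0/16", "port": 3389, "action": "deny"},
]


def to_net(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def touches_cde(net):
    """True if any address in `net` falls inside a CDE range."""
    return any(net.overlaps(c) for c in CDE_NETS)


def audit(rules):
    """Return (findings, connected_to): findings are (rule id, reason) pairs,
    connected_to lists non-CDE networks given an allowed path to or from the CDE."""
    findings, connected_to = [], set()
    for r in rules:
        if r["action"] != "allow":
            continue                      # deny rules do not open a path
        src, dst = to_net(r["src"]), to_net(r["dst"])
        src_cde, dst_cde = touches_cde(src), touches_cde(dst)
        if not (src_cde or dst_cde):
            continue                      # rule never touches the CDE
        if dst_cde and src.prefixlen == 0:
            findings.append((r["id"], "any-source rule reaches CDE"))
        if dst_cde and not src_cde and r["port"] in MGMT_PORTS:
            findings.append((r["id"], f"{MGMT_PORTS[r['port']]} into CDE from non-CDE segment"))
        if src_cde != dst_cde:            # the non-CDE side is a connected-to system
            connected_to.add(str(dst if src_cde else src))
    return findings, sorted(connected_to)
```

Every network in the connected-to list belongs in the assessment scope and needs a documented justification for its rule, which is exactly what a QSA will ask for.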

How Segmentation Reduces Scope and Cost

Without Segmentation

In a flat network without segmentation, every system that shares the same network as the CDE is considered in scope for PCI DSS assessment. This includes:

  • All servers, workstations, and network devices on the network
  • All applications running on in-scope systems
  • All users with access to any in-scope system
  • All third-party connections to the network
  • Full vulnerability scanning and penetration testing of all systems

With Segmentation

With proper segmentation, only the CDE and systems directly connected to it are in scope. Everything outside the segmentation boundary is excluded:

  • Only CDE systems and connected-to systems are assessed
  • Significantly fewer applications require PCI DSS controls
  • Reduced number of users requiring access reviews and MFA
  • Smaller vulnerability scan and penetration test scope
  • Assessment time reduced by 50–70%, with proportional cost savings

Common Segmentation Mistakes

Using VLANs alone without firewall rules

VLANs provide Layer 2 separation but do not enforce access control on their own. Without firewall rules or ACLs restricting inter-VLAN traffic, a compromised system on one VLAN can reach the CDE. QSAs will not accept VLANs alone as adequate segmentation.

Not testing segmentation controls every 6 months

Service providers must conduct segmentation penetration testing every 6 months per Requirement 11.4.5. Many organisations only test annually, creating a compliance gap. The 6-month requirement applies regardless of whether the segmentation architecture has changed.

Allowing broad management network access to CDE

Jump servers, management VLANs, and admin workstations with access to both CDE and corporate networks effectively bridge the segmentation boundary. Any system with connectivity to both environments is in scope and must be hardened accordingly.

Not segmenting wireless networks from the CDE

Wireless networks that share the same network segment as the CDE bring all wireless-connected devices into scope. Guest Wi-Fi, corporate wireless, and IoT devices must be segmented from the CDE using firewall rules, not just separate SSIDs.

Segmentation Implementation Checklist

Complete each step to establish and validate effective network segmentation for your cardholder data environment.

  • Identify all CDE system components and data flows
  • Design the network architecture with the CDE in an isolated segment
  • Implement firewall rules restricting CDE access to authorised traffic only
  • Configure monitoring and alerting for cross-segment traffic
  • Deploy IDS/IPS at segmentation boundaries
  • Document all firewall rules and their justifications
  • Schedule and conduct segmentation penetration testing
  • Review and validate segmentation controls quarterly
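As an added example (not the page's or GRCTrack's code) of the monitoring and alerting step above, this Python reviews constructed flow records in the default AWS VPC flow log field order, alerts on any accepted flow into the CDE that is not on the documented allowlist, and separately reports rejected inbound attempts for review. The CDE subnet, the allowlist and the log lines are all constructed for this example.

```python
"""Alert on cross-segment traffic into the CDE that is not on the documented
allowlist. Records follow the default AWS VPC flow log field order; subnets,
allowlist and log lines are constructed for this example."""
import ipaddress

CDE_NETS = [ipaddress.ip_network("10.10.0.0/16")]          # assumed CDE range

# Documented, justified paths into the CDE: (source network, dest port, IP protocol).
ALLOWED_INBOUND = [
    (ipaddress.ip_network("10.20.5.0/24"), 443, 6),   # payment app tier -> CDE API (HTTPS)
    (ipaddress.ip_network("10.50.0.10/32"), 22, 6),   # hardened jump host -> CDE (SSH)
]

# Constructed records: version account eni src dst sport dport proto pkts bytes start end action status
FLOW_LOGS = """\
2 123456789012 eni-0a1 10.20.5.17 10.10.1.10 51234 443 6 12 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.30.7.4 10.10.1.10 40210 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.50.0.10 10.10.1.11 50001 22 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.30.7.4 10.10.1.12 40211 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1 10.10.1.10 10.10.1.11 33000 5432 6 40 20000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.10.1.10 10.40.2.2 33001 514 17 5 600 1700000000 1700000060 ACCEPT OK
"""

def in_cde(ip):
    return any(ip in n for n in CDE_NETS)

def parse(line):
    f = line.split()
    return {"src": ipaddress.ip_address(f[3]), "dst": ipaddress.ip_address(f[4]),
            "dport": int(f[6]), "proto": int(f[7]), "action": f[12]}

def is_allowed(rec):
    return any(rec["src"] in net and rec["dport"] == port and rec["proto"] == proto
               for net, port, proto in ALLOWED_INBOUND)

def detect(log_text):
    """Return (alerts, probes): alerts are accepted inbound CDE flows not on the
    allowlist; probes are rejected inbound attempts, kept for review."""
    alerts, probes = [], []
    for line in log_text.splitlines():
        rec = parse(line)
        if in_cde(rec["src"]) or not in_cde(rec["dst"]):
            continue    # intra-CDE, outbound or unrelated traffic is reviewed elsewhere
        key = (str(rec["src"]), str(rec["dst"]), rec["dport"])
        if rec["action"] == "REJECT":
            probes.append(key)
        elif not is_allowed(rec):
            alerts.append(key)
    return alerts, probes
```

An accepted flow that is not on the allowlist means either the firewall rule and its documentation have drifted apart or a path exists that the last segmentation test did not cover; both are evidence that a re-test is due.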

How GRCTrack Helps

  • Automated scope analysis that identifies CDE, connected-to, and out-of-scope systems based on your network architecture
  • Segmentation control tracking with evidence management for firewall rules, ACLs, and monitoring configurations
  • Penetration testing scheduling and results tracking to ensure 6-month and annual testing cadences are met
  • Real-time compliance dashboards showing segmentation control status and upcoming testing deadlines
  • QSA-ready documentation packages that demonstrate segmentation effectiveness with supporting evidence

Validate Your Network Segmentation

Use GRCTrack to document, track, and validate your network segmentation controls, ensuring your CDE boundaries hold up under assessment.
