What is PCI DSS Network Segmentation? (Quick Guide)
Srividhya Karthik
Oct 16, 2024
With cybersecurity threats becoming ubiquitous, network segmentation is an effective way for cloud-hosted companies that process payment card data to secure access to sensitive cardholder data. While the Payment Card Industry Data Security Standard (PCI DSS) doesn’t mandate it, network segmentation allows organizations to prioritize and focus their security efforts by segmenting and isolating the networks and resources that hold cardholder data.
What is PCI DSS network segmentation? What are its benefits? And, more importantly, why and how should you do it? These are some of the questions we answer in this article. Read on to find out all this and much more about PCI DSS network segmentation.
Network Segmentation and PCI DSS Scoping
Before we talk about network segmentation, let’s quickly understand PCI DSS scope and how the two are related.
Three activities define scope: storing, processing, and transmitting cardholder data. PCI DSS scope therefore comprises the people, processes, and technologies that store, process, or transmit payment card details or cardholder data (CHD) on your network. CHD is any information that can be used to steal an identity or make fraudulent card transactions. PCI DSS defines CHD as personally identifiable data associated with someone’s credit or debit card, including the primary account number (PAN), cardholder name, expiration date, service code, or sensitive authentication data (such as the CVV).
So, how do you define your organization’s PCI DSS scope? The best approach is to start with the assumption that everything is in scope until proven otherwise. Network segmentation is one of the ways to limit that scope.
Network segmentation divides your network into smaller sections and separates the portions that handle CHD from the rest of your network. It then restricts access to each subnetwork through security controls such as passwords, access controls, and other authentication methods. This reduces the scope and complexity of your PCI DSS assessment.
In short, PCI segmentation isolates your cardholder data environment (CDE) from the rest of the network and unrelated systems. It disallows out-of-scope systems from interacting with the systems in the CDE.
Network segmentation, when properly executed, means the security of the CDE is not affected even if an attacker gains administrative access to an out-of-scope network. It is therefore a critical security strategy for organizations looking to protect cardholder data while reducing their PCI compliance scope.
Benefits of Implementing Network Segmentation
Is network segmentation a PCI DSS requirement? No, PCI DSS doesn’t mandate it, but it comes highly recommended. Apart from reducing scope, it has distinct advantages and lets you invest your security resources in the network segments that matter. Here are a few benefits of network segmentation.
Reduces the Cost, Complexity & Scope of PCI DSS
Traditionally, organizations have used network segmentation as a control to limit their PCI DSS in-scope environment and protect it from the rest of their IT infrastructure. By isolating specific segments of your network infrastructure, such as the systems that store, process, or transmit cardholder data, network segmentation allows you to consolidate CHD into fewer, more tightly controlled locations.
Reduces Security Risks
PCI DSS network segmentation reduces the number of exposure points to the cardholder data environment, and hence the security risk to your organization. It also protects against insider threats by limiting access to critical segments of the network to a select few. In essence, it reduces your blast radius in the event of a compromise.
Improves Monitoring
Robust network segmentation draws a clear line between out-of-scope and in-scope systems, leaving no overlap with the systems in the CDE. This makes it easier to spot anomalies within each distinct network, log events, and monitor access. It also supports continuous compliance.
Affords Greater Flexibility in the Choice of Security Controls
PCI DSS network segmentation allows you to tailor security controls and services to each subnetwork. This doesn’t mean that out-of-scope infrastructure can be left unsecured: breaches that start in out-of-scope infrastructure and pivot to systems that eventually lead to CHD are not uncommon.
Network segmentation also gives organizations greater flexibility and choice in implementing security controls for their out-of-scope infrastructure.
Improves Containment of Incidents
Since the networks are isolated from each other, network segmentation helps organizations contain incidents such as a breach more effectively. Virus and malware outbreaks are likewise contained and don’t spread unchecked across the entire network.
Third-party User Segmentation and PCI DSS Compliance
Just as your PCI DSS scope extends to third-party entities, network segmentation must be applied to your third-party users too. This means your vendors, remote service providers, and other outsourcing partners must first be identified and then segmented based on their access to the CDE to determine whether they are in scope. You must then deploy PCI DSS controls for the in-scope third-party segments to mitigate the risk of vendor connections being used to compromise your organization’s CDE.
Disallowing blanket administrative privileges and limiting 24×7 access to your network are some of the ways to mitigate the risk of attacks via third-party users. Robust third-party user segmentation is key here.
Examples of Third-Party Service Providers
Here are examples of the types of services and providers organizations typically work with:
- Third-party service providers involved in the storage, processing, and/or transmission of your CHD, such as businesses providing call center and customer contact services, e-commerce payment providers and businesses offering processing-gateway services, among others.
- Organizations involved in securing cardholder data, such as businesses providing secure destruction of electronic and physical media, companies that transform cardholder data with tokenization or encryption, and e-commerce or mobile-application third parties that provide software as a service, to name a few.
- Point-of-sale companies involved with the installation, maintenance, monitoring, or support of their systems.
- Organizations involved in protecting cardholder data and CDE, such as managed firewall/router providers, and monitoring services for critical security alerts, such as intrusion-detection systems (IDS).
- Organizations that may have incidental access to CHD or the CDE, such as providers of managed IT delivery channels and services, companies providing software development and providers of maintenance services (for example, HVAC or cleaning services).
The PCI Security Standards Council’s Information Supplement, Third-Party Security Assurance, offers more guidance on managing third-party relationships.
How to Segment a Network? (5 Steps)
Before we get to the steps of network segmentation, let’s take a moment to understand what it should achieve. Network segmentation should isolate out-of-scope system components from the cardholder data environment so that, even if they were compromised, the security of the CDE would not be affected.
With the end result established, let’s walk through the steps to achieve it.
1. Form a team to run point
It is good practice to designate a dedicated person or team to run point on this exercise from concept to completion. This person should have a complete overview of your organization and know how card data flows through it.
2. Understand everything about how card data flows
Your team must inventory the sensitive PCI data available to the organization and who has access to it. It also helps to speak with function heads and process owners to understand the nuances of how CHD flows within your organization and the special cases in which employees are exposed to it. For instance, your CX team might have access to customers’ credit card numbers taken during a particular transaction.
3. Make a data flow diagram
A picture speaks a thousand words. In fact, PCI DSS Requirements 1.1.2 and 1.1.3 mandate two different diagrams: one identifying all connections between the CDE and other networks, including any wireless networks, and another showing all cardholder data flows across systems and networks.
Visually illustrating the location and flow of card data, based on your team’s understanding, is a prerequisite for identifying the in-scope networks and subnetworks that need to be isolated.
4. Decide your network segmentation
Your team must now classify the network, its subnetworks, and access to them based on who needs to use them and the sensitivity of the account data they store, process, and transmit. The principle of least privilege (give each resource only the minimum privileges needed to complete its task) is a good starting point for limiting access and exposure to the CDE.
PCI DSS requires cloud-hosted companies that process credit card data to maintain a secure network using a strong firewall configuration and, where applicable, routers. Do not use vendor-supplied default passwords and other security parameters. Encrypt all CHD using industry-standard algorithms and protect it in transit with protocols such as TLS or SSH to reduce the likelihood of sensitive data being compromised by cybercriminals. There are 12 PCI DSS requirements to meet for certification.
5. Get your Network Segmentation Reviewed
You don’t know what you don’t know, so validating your PCI DSS network segmentation is the next step. As a practice, it’s a good idea to have Qualified Security Assessors (QSAs) review your network segmentation ahead of the PCI audit.
PCI Network Segmentation Best Practices
PCI DSS network segmentation is typically achieved through technologies and process controls that enforce separation between the CDE and out-of-scope systems.
Determining the adequacy of your network segmentation, however, isn’t a straightforward affair. It is highly variable and depends on several factors, such as your network’s configuration, the processes and technologies deployed, and other controls you may have implemented.
Even so, merely separating network segments doesn’t automatically create PCI DSS segmentation. You must deploy purpose-built controls and enforce separation such that compromises originating in your out-of-scope network(s) cannot reach your CHD.
Securing your CDE and CHD, therefore, isn’t an easy task; it requires multiple layers of protection. While you must meet the PCI DSS requirements for certification, there is a lot more that can be done. Measures to consider for network segmentation include a demilitarized zone (DMZ) to filter traffic between the public internet and your private network, logical segmentation such as VLANs and air gaps, routers with strong access control lists, multi-factor authentication (MFA) where needed, enterprise-level password managers, endpoint protection, point-to-point encryption, and Security Information and Event Management (SIEM) tools for threat detection, log aggregation, and event monitoring.
Perform penetration tests at least annually to verify that the segmentation methods are operational and effective.
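Steps 4 and 5 above decide and validate the segmentation, and the annual test just mentioned verifies it again. Here is an added example, not the article's own code, of one automated check you can run between those reviews: a small Python script that takes a constructed firewall rule set and zone definitions (all subnets, ports and the allow-list are assumptions) and flags any allow rule that lets an out-of-scope or unrestricted source reach the CDE, any connected-to source that is not on an explicit allow-list, and a missing default deny into the CDE.

```python
# Added example, not the article's code: flag firewall rules that let out-of-scope or
# unrestricted sources reach the CDE, or a missing default deny. All values are assumptions.
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zones: CDE, "connected-to" systems with limited CDE access, rest out of scope.
ZONES = {"cde": [ip_network("10.10.0.0/24")],
         "connected": [ip_network("10.20.0.0/24")],
         "out_of_scope": [ip_network("10.30.0.0/16"), ip_network("192.168.0.0/16")]}
# Assumed allow-list of (source zone, protocol, port) that may enter the CDE.
ALLOWED_INTO_CDE = {("connected", "tcp", 443), ("connected", "tcp", 22)}

@dataclass
class Rule:
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    proto: str         # "tcp", "udp" or "any"
    port: "int | None" # None means all ports
    action: str        # "allow" or "deny"

def zone_of(cidr: str) -> str:
    """Map a CIDR (or 'any') to a zone; a range not fully inside a known zone is out of scope."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr)
    for zone, nets in ZONES.items():
        if any(net.subnet_of(n) for n in nets):
            return zone
    return "out_of_scope"

def check_segmentation(rules: list) -> list:
    """Return findings for rules that break CDE isolation; an empty list means the policy is clean."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or zone_of(r.dst) not in ("cde", "any"):
            continue  # only allow rules whose destination can include the CDE matter here
        src_zone = zone_of(r.src)
        if src_zone in ("any", "out_of_scope"):
            findings.append(f"rule {i}: {src_zone} source {r.src} may reach the CDE via {r.dst}")
        elif src_zone == "connected" and (src_zone, r.proto, r.port) not in ALLOWED_INTO_CDE:
            findings.append(f"rule {i}: connected source {r.src} -> CDE {r.proto}/{r.port} not allow-listed")
    if not any(r.action == "deny" and r.src == "any" and zone_of(r.dst) in ("cde", "any") for r in rules):
        findings.append("no default deny rule protecting the CDE")
    return findings

SAMPLE_RULES = [  # constructed rule set containing three segmentation defects
    Rule("10.20.0.0/24", "10.10.0.0/24", "tcp", 443, "allow"),   # fine: allow-listed
    Rule("10.30.5.0/24", "10.10.0.0/24", "tcp", 3389, "allow"),  # out-of-scope into CDE
    Rule("10.20.0.7/32", "10.10.0.9/32", "tcp", 1433, "allow"),  # connected, not allow-listed
    Rule("any", "any", "udp", 53, "allow"),                      # any->any also reaches the CDE
    Rule("any", "10.10.0.0/24", "any", None, "deny"),            # default deny into the CDE
]
```

Running `check_segmentation(SAMPLE_RULES)` reports the three defective allow rules; a source range that straddles zones (say 10.0.0.0/8) is deliberately classified as out of scope so that over-broad rules are caught rather than excused.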
Who Benefits from the Adoption of Network Segmentation?
Network segmentation for PCI DSS is highly recommended for all organizations, regardless of size and scale. Robust network segmentation has a far-reaching impact both upstream and downstream. Those who benefit from it include:
- Merchants, Service Providers, Card Issuers, and others who fall in the scope of PCI DSS Compliance
- Assessors, including external Qualified Security Assessors (QSAs) and Internal Security Assessors (ISAs)
- Acquirers evaluating Merchants’ or Service Providers’ PCI DSS reports on compliance and self-assessments
- PCI Forensic Investigators (PFI) performing official investigations
- Consumers who entrust their data with Merchants and other Service Providers
How can Sprinto help you?
PCI DSS can become unwieldy if you don’t execute scoping and network segmentation correctly, and improper scoping puts your business at risk. PCI DSS scoping and segmentation therefore require meticulous planning at the design, implementation, and monitoring stages, and beyond.
Sprinto’s automated security and compliance platform is built to navigate all this and much more in a logical, effortless and error-free way. With Sprinto, you can become PCI DSS audit-ready without spending a chunk of your time and effort on it.
So, don’t wait. Talk to us today to get started on your PCI DSS journey.