Compliance

Network segmentation's role in PCI DSS


PCI DSS network segmentation cover

PCI-DSS is the set of security standards that seeks to extend consistent data protection practices across the credit processing industry. Any organization handling credit card data must comply with PCI-DSS regulations.

PCI-DSS compliance places a major burden on businesses, especially small and medium-sized enterprises. But companies can reduce the cost of compliance by intelligently scoping their credit processing environment.

Segmentation allows IT teams to apply network segmentation to protect credit card data while reducing the need to secure less critical system components.

This blog will introduce network segmentation in PCI-DSS. We will look at how segmentation works and how it contributes to robust financial sector cybersecurity strategies.

What is network segmentation?

Network segmentation separates network resources to control access and enhance security. In the context of PCI-DSS, network segmentation divides the cardholder data environment (CDE) from other system components.

Separating the cardholder data environment from other resources allows businesses to secure cardholder data. This is a major challenge of cybersecurity in financial services. With proper segmentation, hackers will struggle to move from off-scope endpoints and apps to the CDE. Data breaches are much less likely.

Segmentation is not a PCI-DSS requirement. It complements other compliance tools such as encryption, access management, and firewall protection. If you have any doubts about core requirements, check out our PCI-DSS compliance checklist for more information.

However, the PCI Security Standards Council (SSC) has issued guidance advising companies to employ segmentation if possible.

As the SSC says, “Effective segmentation can greatly reduce the risk of CDE systems being impacted by security weaknesses or compromises originating from out-of-scope systems.” But it is not a magic bullet. Segmentation must work with other technologies and controls to achieve PCI-DSS compliance.

Understanding PCI DSS network segmentation scope

When discussing network segmentation for PCI-DSS, it’s important to assess the “scope” of controls required.

Scope refers to the extent of protection required to achieve compliance. Establishing PCI-DSS scope is a critical priority before applying segmentation.

Proper scoping provides security teams with the visibility and knowledge needed to locate and defend critical data. Scoping allows you to segment cardholder data from other parts of the network, boosting security and cutting costs.

There are three main categories to think about when carrying out a PCI-DSS assessment.

In-scope assets

Network resources that make direct contact with cardholder information. This includes payment systems, points of sale, credit card databases, communication tools, and even CRM systems. If an app or device holds credit card data, it is “in scope.”

Connected-to assets

These systems connect to in-scope assets but do not hold card data themselves. They may not require segmentation but must be tightly secured as part of the CDE.

Out-of-scope assets

Anything without access to the cardholder data environment is defined as “out of scope” and does not require the same level of protection.

The PCI-DSS regulations state that “even if the out-of-scope system component was compromised, it could not impact the security of the CDE.” This is a good way of approaching the scoping task.

If system components provide attackers with indirect access to cardholder data, it qualifies as in-scope. If not, you can relegate it to a lower priority level and concentrate resources where they matter most.

“Flat” networks where system components are connected to a single network switch are an important exception. In these cases, the entire network is categorized as in-scope.

In flat network settings, there is no such thing as an out-of-scope system. If an attacker gains access to any node on the network, they can potentially spread to systems handling credit data.

Why scoping matters to network segmentation

PCI-DSS scoping is a crucial first step in the segmentation process. You cannot create segments protecting cardholder data unless you know where that data resides.

Scoping maps data locations and flows. Compliance teams build a picture of how credit card data moves throughout the network, where it is stored, and who requires access. This provides a solid foundation for creating accurate and effective network segments.

Scoping also ensures that the segmentation process covers every asset. Security teams can start from the assumption that everything is in scope. They can then eliminate out-of-scope assets from the CDE and apply precise segmentation for cardholder data.

Advantages of network segmentation for PCI DSS

Implementing network segmentation offers several significant benefits that enhance your organization's security posture and streamline PCI DSS compliance efforts. Below, we explore some of the key advantages:

Reduced scope of PCI DSS compliance

By segmenting your network, you can effectively isolate the Cardholder Data Environment (CDE) from other parts of your network. This isolation reduces the number of systems that fall under the PCI DSS scope, thereby simplifying the compliance process. With fewer systems to secure and audit, your organization can allocate resources more efficiently, focusing on the most critical areas that handle sensitive payment information.

Enhanced security and risk management

Network segmentation acts as a barrier that prevents unauthorized access to sensitive data. If a breach occurs in one part of the network, segmentation ensures that attackers cannot easily move laterally to access the CDE. This containment strategy minimizes the risk of data breaches, protecting your organization from potential financial losses and reputational damage.

Cost savings

Network segmentation can lead to significant cost savings by narrowing the scope of PCI DSS compliance. With fewer systems requiring rigorous compliance measures, your organization can reduce the expenses associated with audits, security tools, and personnel. Moreover, the reduced risk of data breaches can save your company from costly legal fees, fines, and the loss of customer trust.

Improved network performance

Segmenting your network can also lead to improved performance. By separating the CDE from less critical systems, you can optimize traffic flow and reduce congestion in your network. This not only enhances the security of cardholder data but also ensures that your network operates efficiently, supporting business continuity and productivity.

Simplified incident response

Network segmentation makes it easier to identify, contain, and remediate a security incident. Since the CDE is isolated, your security team can focus their efforts on the most critical areas, minimizing the incident's impact on your organization. This streamlined approach to incident response can reduce downtime and help your business recover more quickly from potential threats.

How to implement network segmentation for PCI DSS?

When carrying out a PCI-DSS assessment, it’s essential to keep one thing in mind: segmentation is not a substitute for comprehensive cybersecurity controls and policies. Network segmentation is part of a wider toolkit, not a solution to your compliance worries.

PCI DSS network segmentation scheme

Having said that, PCI-DSS best practices advise that companies segment the cardholder data environment from other network systems. So how should you approach this task?

Network segmentation applies specific security controls to create sub-networks containing critical cardholder data. There are various ways of achieving this, including using:

  • Firewall barriers between the rest of the network and cardholder data. Firewalls regulate network traffic across the CDE perimeter, ensuring firewall PCI compliance and preventing unauthorized access requests.
  • Data loss prevention (DLP) solutions. DLP tracks the movement of critical data, and works in tandem with firewall protection. Users cannot move or copy protected data without authorization. Security controls automatically block any unauthorized transfers.
  • Physical access controls for in-scope devices. Some workplaces may impose physical identity checks between CDE-connected devices and other offices or workstations.
  • Air gaps. Physical air gaps can also divide cardholder data from other network assets. Companies may choose to use two separate systems for payment processing and general operations.
  • Identity and access management (IAM) systems and multi-factor authentication (MFA). Authentication systems require multiple credentials for any login. Secure network zones can require extra credentials before granting access.
  • Zero Trust controls on user privileges. Network managers should keep the number of users with administrative privileges as low as possible. Cardholder data environment access should only be available for users with appropriate permissions. All user access is seen as illegitimate until proven otherwise.
  • Continuous activity monitoring. Security teams can automate monitoring to track suspicious behavior. Tracking systems raise alerts when out-of-scope assets request access to a network segment within the CDE.

When you decide how to apply segmentation, the core challenge is determining which assets are in-scope and what lies out-of-scope.

Security teams must interview employees throughout the organization to understand how they use data. Employees can provide invaluable information about where cardholder data resides – knowledge that may not be immediately obvious.

The next step in PCI-DSS compliance is ensuring that network segmentation covers every part of the CDE. Elements to consider include:

  • Applications handling cardholder data. This could cover web apps and locally hosted databases.
  • Authentication servers and internal firewalls that connect with or defend the CDE. Protecting sensitive authentication data is a critical priority.
  • Security services that ensure data security and guard cardholder data. This includes intrusion detection systems, malware scanners, and anti-virus tools.
  • Log storage servers and backups. Any audit logs must be properly secured, including connections between active payment databases and historical logs.
  • Virtual machines, apps, hypervisors, or virtual routers that store or process cardholder data.
  • Network infrastructure such as routers, switches, hardware firewalls, and any other equipment that connects to the CDE.
  • Network servers handling cardholder data flows from sites of payment and within the corporate network. This may include web, mail, proxy, and DNS servers.
  • Third parties. Any third-party applications or users with access to payment or cardholder data storage systems lie within the CDE.

The critical task when applying PCI-DSS controls is mapping connections**. Any endpoint or application that can access cardholder data needs to be secured**.

It isn’t always easy to discover connections between system components. But a comprehensive planning process will generate enough information to keep your data breach risk low.

How can NordLayer solutions help?

Network segmentation is a critical part of PCI-DSS compliance. It allows organizations to separate the cardholder data environment from other system components. Attackers seeking access via remote devices or insecure endpoints will find it much harder to extract cardholder data.

NordLayer can help you build a security setup that meets PCI-DSS requirements. Our PCI-DSS compliance solutions make it easy to segment networks to protect cardholder environments. With Nordlayer, you can:

  • Create groups of network users and assign different network access privileges to each group.
  • Create Virtual Private Gateways for specific groups, resources, or websites.
  • Use IP allowlisting with Dedicated IP addresses to allow authorized users and block others.

In the near future, we will also offer Cloud firewall functionality. This will simplify segmenting cloud-based credit processing environments with granular and flexible access controls.

However, network segmentation is not a single solution. Companies must couple PCI-DSS network segmentation with other security tools to be compliant. Nordlayer can help here as well. In addition to segmentation, our tools can help you:

  • Install secure remote access solutions to transmit cardholder data safely.
  • Set user permissions to block unauthorized access to every network segment.
  • Employ quantum-safe cryptography in tunnel encryption to hide your traffic and online activity from users on the open internet.
  • Put in place multi-factor authentication for users accessing cardholder data. Ensure only trusted users can handle customer information and keep data breach risks low.

Make PCI-DSS compliance manageable by partnering with an experienced security provider. Get in touch with the NordLayer team to explore smart data security solutions that make damaging data breaches much less likely.


Senior Copywriter


Share this post

Related Articles

Outsourced vs in house Cybersecurity Pros and Cons

Stay in the know

Subscribe to our blog updates for in-depth perspectives on cybersecurity.