Guides: Network Segmentation PCI DSS

7 Steps to Implementing Network Segmentation for PCI DSS Compliance

What Is Network Segmentation?

Network segmentation divides a network into smaller, distinct subnetworks, or segments. This enhances performance and security. Each segment functions independently and has its own controls, reducing the risk of unauthorized access and containing potential breaches. Segmenting the network minimizes the attack surface, meaning that even if one segment is compromised, the threat doesn’t easily spread to others.

Network segmentation improves network performance by controlling traffic and managing bandwidth more efficiently. It allows organizations to apply specific security policies tailored to each segment’s requirements. By isolating sensitive data within certain segments, businesses can impose stricter access controls and monitoring, ensuring compliance with various regulations and standards, like PCI DSS.

Beyond traditional network boundaries, similar isolation principles apply to containerized workloads — see our guide to container security for related best practices.

What Is PCI DSS?

PCI DSS, or the Payment Card Industry Data Security Standard, is a set of security standards to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. Established by major credit card brands, PCI DSS aims to reduce credit card fraud and increase control over sensitive cardholder data. Compliance with these standards is mandatory for any business handling credit card transactions.

PCI DSS encompasses various requirements, including maintaining a secure network, protecting cardholder data, regularly monitoring, testing networks, and implementing strong access control measures. These requirements help businesses protect sensitive information and systems from breaches and data theft. Non-compliance can lead to financial penalties, loss of reputation, and a decrease in customer trust.

This is part of a series of articles about microsegmentation.

In this article:

While PCI DSS does not mandate network segmentation, network segmentation is a best practice that can reduce the scope of PCI compliance requirements. Proper segmentation helps isolate systems that handle cardholder data (cardholder data environment, or CDE) from those that do not, reducing risk and simplifying compliance efforts.

Key PCI DSS requirements related to network segmentation include:

  1. Restricting access to cardholder data (Requirement 7) – Organizations must limit access to the CDE only to authorized personnel. Network segmentation helps enforce this by separating sensitive systems from general IT infrastructure.
  2. Implementing network security controls (Requirement 1) – Businesses must install and maintain firewalls and router configurations to control traffic between segmented network zones. Properly configured firewalls ensure that only authorized communication is allowed between different segments.
  3. Regular testing of segmentation controls (Requirement 11.3/4) – If segmentation is used to reduce the scope of PCI DSS compliance, organizations must perform regular penetration testing to verify that the segmentation effectively isolates the CDE from other network areas.
  4. Monitoring and logging traffic (Requirement 10) – Network segmentation should be complemented with logging and monitoring solutions to track access and detect unauthorized attempts to reach the CDE. Organizations must collect and review logs to identify potential security incidents.

How to Implement Network Segmentation for PCI DSS

1. Identify Cardholder Data Flows

Identifying cardholder data flows is the foundation of effective network segmentation. Organizations need to map out how payment data moves within their infrastructure. This involves pinpointing every system that interacts with cardholder data, including servers, workstations, and network devices. Understanding data flows is crucial to ensure all entry and exit points are protected and that unauthorized data access or leakage points are minimized.

Once data flows are documented, organizations should assess how these flows align with business processes. This alignment helps determine the most efficient and secure ways to handle data. By identifying all potential paths that cardholder data can take, businesses can design network segmentation strategies that effectively isolate this data, thereby reducing the scope of PCI compliance efforts.

2. Define the Scope of the CDE

Defining the scope of the cardholder data environment (CDE) is essential for PCI DSS compliance and effective network segmentation. This involves clearly determining which parts of the network are considered part of the CDE, as these areas will be subject to rigorous PCI DSS controls. Identifying the scope is not a one-time task; it requires ongoing reassessment as network configurations and data flow patterns change over time.

An effectively scoped CDE ensures that security measures are focused on critical areas, reducing unnecessary coverage of non-sensitive zones. This reduces both complexity and resources required for compliance. By narrowing the CDE scope accurately, companies can apply appropriate security controls where needed.

3. Design the Segmentation Strategy

Designing a segmentation strategy involves categorically separating different network areas to optimize security and compliance efforts. The aim is to ensure that sensitive data systems, like CDEs, are isolated from less sensitive network components. This requires a detailed understanding of network architecture and business processes to determine the best ways to segment network traffic efficiently without disrupting operations.

When designing a segmentation strategy, organizations must consider not just the logical design but also physical separation where feasible. Effective segmentation strategies incorporate a layered approach, employing firewalls, VLANs, and other technologies to create barriers between segments. By doing so, businesses can enforce security policies specific to each segment’s risk level.

Tips from the Expert

In my experience, here are tips that can help you better implement network segmentation for PCI DSS compliance:

  1. Behavioral analytics for segmentation validation:

    Traditional firewall rules may not be enough. Implement AI-driven behavioral analytics to detect anomalous access attempts between segments, helping identify misconfigurations or potential breaches.

  2. Cloud-native network segmentation:

    If using cloud environments, leverage cloud provider-native security tools such as AWS Security Groups, Azure Private Link, or Google VPC Service Controls to implement segmentation without increasing operational complexity.

  3. Policy-as-Code for network segmentation enforcement:

    Use Infrastructure-as-Code (IaC) tools like Terraform or Kubernetes network policies to enforce segmentation policies programmatically, ensuring consistent implementation across environments.

  4. Microsegmentation with identity-based policies:

    Instead of relying only on IP-based segmentation, implement microsegmentation using identity-based policies. Use workload identity and behavioral analytics to enforce segmentation at the process level, preventing lateral movement between compromised systems.

  5. Zero Trust Network Access (ZTNA) integration:

    Align segmentation strategies with a Zero Trust approach, enforcing least-privilege access at every network boundary. Implement strong authentication and continuous monitoring to restrict access between network segments.

Profile Picture

Peter Kelly

VP of Engineering

Peter Kelly is Chief Technology Officer at Tigera and Site Leader for Tigera's EMEA office in Cork, Ireland. He is responsible for all of Tigera’s Engineering teams and operations. Peter has two decades of experience in software development, including recently building control plane technology for open-source proxies at NGINX and later F5 Networks, where he held engineering leadership positions. Peter has a degree in Computer Science and a Masters in Advanced Software Engineering.

4. Implement Access Controls

Implementing access controls is a critical step in network segmentation. These controls determine who can access specific segments of the network, ensuring only authorized personnel can reach sensitive CDEs. Effective access control mechanisms involve the use of authentication methods, such as passwords, biometrics, or two-factor authentication, to verify user identity before granting access to specific resources or segments.

Access controls are not limited to mere user verification but also encompass tiered permission levels based on user roles and responsibilities. This is paired with technologies like firewalls and intrusion detection systems that deny unauthorized data flow through established borders. By implementing access controls, organizations can maintain strong data protection standards and compliance with PCI DSS.

5. Configure and Deploy Security Controls

Configuring and deploying security controls is essential to ensuring network segments are secure. This involves setting up firewalls, intrusion detection systems (IDS), and other security measures to safeguard the perimeters between different network segments. Security controls must be tailored to the specific risks and requirements of each segment, focusing on blocking unauthorized access and monitoring for any suspicious activity.

When deploying these controls, organizations should ensure they are configured correctly, as misconfigurations can lead to vulnerabilities. Ongoing evaluation and updates to these security measures are crucial to adapting to new threats. Regularly updating firewalls and IDS signatures, coupled with proper logging and analysis of traffic patterns, ensures that segmentation facilitates strong security postures and maintains compliance with PCI DSS by protecting cardholder data.

6. Regular Testing and Validation

Regular testing and validation ensure the effectiveness of network segmentation and compliance with PCI DSS. Testing involves simulating attacks to assess the security and robustness of segmentation efforts. This includes penetration testing and vulnerability assessments, targeting the CDE and interconnected segments to identify potential weak points that could be exploited by attackers.

Beyond initial testing, continuous validation is needed to confirm ongoing compliance and effectiveness of implemented measures. This involves routine self-assessments and audits to review security controls and processes. Regular validation ensures that any changes in the network, technology, or business procedures do not compromise segmentation or security.

7. Continuous Monitoring and Maintenance

Continuous monitoring and maintenance are pivotal for sustaining effective network segmentation and ensuring ongoing PCI DSS compliance. Real-time monitoring tools are deployed to detect anomalies and unauthorized access attempts across the network, facilitating immediate responses to potential security incidents. Continuous monitoring helps in maintaining an up-to-date view of the network, enabling prompt modifications to security strategies as threats evolve.

Maintenance involves regular updates and patching of systems to protect against known vulnerabilities. Network configurations should be reviewed periodically to ensure they remain optimal as the business and threat landscapes change. By integrating continuous monitoring with systematic maintenance practices, organizations ensure their network remains secure and compliant, safeguarding cardholder data consistently across all segments.

Related content: Read our guide to network segmentation NIST

Microsegmentation with Calico

Calico Enterprise and Calico Cloud provide a unified, cloud-native segmentation model and single policy framework that works across all of your existing environments—including hosts, VMs, containers, Kubernetes components, and services—while automatically scaling with your microservices environment.

Calico enables full workload portability and the ability to define segmentation policies for multi-cloud and hybrid connections. It is built for cloud scale and provides you with the ability to roll out security policy changes in milliseconds, while legacy segmentation tools take hours.

Learn more in our detailed guide to microsegmentation tools.

Key features and capabilities include:

  • Unified policy framework – Calico provides a single framework to define policies across all of your application and workload environments, including hosts, VMs, containers, and Kubernetes. This simplifies the process of creating host-level policies by providing visibility into traffic between HostEndpoints and determining the appropriate rules to accept or deny a connection.
  • Dynamic segmentation – Calico segments workloads based on metadata and labels attached to those workloads. This enables you to securely deploy new or updated workloads without having to add or change your segmentation policies.
  • Performance at scale – Calico utilizes a cloud-native, distributed architecture that can accept and enforce changes across hybrid and multi-cloud environments in milliseconds. This enables rapid auto-scaling of your microservices environment, and the ability to rapidly thwart security incidents by rolling out segmentation policy changes in response to an attack.
  • High-performance, distributed architecture for microsegmentation – Calico’s distributed cloud-native architecture eliminates centralized congestion points associated with legacy approaches to microsegmentation that can impact performance.

Next steps:

X