PCI DSS network segmentation is one method an organization can use to limit the scope of its PCI compliance. To reduce the scope of its Payment Card Industry Data Security Standard (PCI DSS) obligations, an organization can segment its data network into separate sections that isolate credit card data from all other computing processes.
Network segmentation means dividing up one network into smaller sections to better control the flow of traffic across the network and to restrict confidential data to a specific network segment. It enables an organization to implement the necessary controls to secure separate systems with different purposes and different security needs.
Understanding PCI compliance and network segmentation is important because by segmenting their information systems, merchants and other service providers can minimize the effort that’s necessary to meet PCI DSS requirements to secure personally identifiable cardholder data (CHD), such as primary account numbers and cardholders’ names.
That’s because PCI DSS network segmentation reduces the scope and complexity of card-processing networks by ensuring that companies store sensitive cardholder data in specific locations and only allow access to individuals who absolutely need it.
“The scoping process includes identifying all system components that are located within or connected to the cardholder data environment [CDE],” according to the PCI Security Standards Council.
The CDE includes “the people, processes, and technologies” that store, process, and/or transmit CHD or other sensitive payment authentication data. System components include wired and wireless network devices, servers, computing devices, and applications.
Network segmentation improves data security and decreases the chances that an organization will be hit with a data breach, because it minimizes the compliance scope and reduces the number of systems an IT team has to handle. Network segmentation should also make it easier to spot anomalies within each distinct segment.
Effective network segmentation can also prevent out-of-scope systems from communicating with systems in the cardholder data environment and affecting the security of the CDE.
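The scoping rule quoted above (in scope = inside the CDE or connected to it) and the goal of keeping out-of-scope systems away from the CDE can both be checked mechanically. The following is an added example, not code from the article or the PCI Security Standards Council; the inventory, system names and flow records are constructed.

```python
"""Added example (not from the article): derive PCI DSS scope from an inventory
and check that out-of-scope systems never reach the CDE."""
from collections import deque

# Constructed inventory: name -> (handles CHD?, set of systems it can reach).
# All names and links are hypothetical.
INVENTORY = {
    "pos-terminal": (True,  {"payment-gw"}),
    "payment-gw":   (True,  {"card-db"}),
    "card-db":      (True,  set()),
    "jump-host":    (False, {"card-db"}),   # admin path into the CDE
    "hr-portal":    (False, {"file-server"}),
    "file-server":  (False, set()),
}

def classify_scope(inventory):
    """Return {system: 'cde' | 'connected' | 'out-of-scope'}.
    Systems that store, process or transmit CHD form the CDE; any system that
    can reach the CDE (directly or via other systems) is connected-to and in
    scope; everything else is out of scope."""
    cde = {n for n, (chd, _) in inventory.items() if chd}
    reachers = {n: set() for n in inventory}     # reverse edges
    for src, (_, dsts) in inventory.items():
        for dst in dsts:
            reachers[dst].add(src)
    connected, queue = set(), deque(cde)
    while queue:                                 # walk backwards from the CDE
        for src in reachers[queue.popleft()]:
            if src not in cde and src not in connected:
                connected.add(src)
                queue.append(src)
    return {n: "cde" if n in cde else "connected" if n in connected
            else "out-of-scope" for n in inventory}

def segmentation_violations(scope, flows):
    """Flag observed (src, dst) flows from an out-of-scope system to a CDE
    system: each one shows the segmentation boundary is not holding, and the
    source is actually in scope."""
    return [(s, d) for s, d in flows
            if scope.get(s) == "out-of-scope" and scope.get(d) == "cde"]

# Constructed flow records as a firewall log or NetFlow export might yield.
FLOWS = [("pos-terminal", "payment-gw"), ("hr-portal", "file-server"),
         ("hr-portal", "card-db"), ("jump-host", "card-db")]

if __name__ == "__main__":
    scope = classify_scope(INVENTORY)
    for name, status in sorted(scope.items()):
        print(f"{name:13} {status}")
    print("violations:", segmentation_violations(scope, FLOWS))
```

Feeding a real inventory and real flow records into the same two functions turns the scoping statement into a repeatable control check rather than a one-off assessment.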