
How to implement PCI network segmentation

When trying to comply with PCI DSS, network segmentation can be a tricky subject. In this expert response, Mike Chapple explains how to separate payment systems' credit card processing functionality from the rest of an enterprise network.

I'm writing a standard for my company that addresses network segmentation and qualifies as PCI DSS compliant. I need qualified resources that reference this topic; there are plenty of comments and talk on this subject but not much documented practice. Can you point me in the right direction for solid guidance on enterprise network segmentation?

PCI network segmentation is a common approach to reducing the scope (and therefore the complexity) of card-processing networks. It follows the commonly used strategy of minimization: Store as little sensitive data in as few locations as possible and allow access to those who absolutely need it.

When it comes to PCI DSS compliance, organizations commonly use network segmentation to wall off payment systems' credit card processing from the rest of their network, therefore placing the rest of that network outside the scope of the assessment. For example, consider a retail store that has a point-of-sale (PoS) network that handles credit card systems, as well as a back-office network consisting of 20 productivity workstations. The store can limit the scope of an assessment for PCI by using a firewall to place the card-processing systems on a network that is completely isolated from the productivity workstations.

In this case, where a firewall is separating two networks with different switch fabrics, you've clearly achieved isolation. Other situations are a little more gray. For example, some assessors may consider the use of VLAN separation adequate for PCI DSS segmentation, but many (myself included) do not consider this adequate due to the fact that a single switch port misconfiguration could defeat the segmentation.

As far as documentation, page 5 of the PCI DSS Requirements and Security Assessment Procedures is the authoritative reference on the topic. Like most standards, it provides a high-level goal while still offering flexibility in implementation. The relevant section reads: "At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented."
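The retail-store example above (a firewall between the card-processing segment and the back-office workstations) and the point that a single misconfiguration can defeat segmentation are easier to reason about with a concrete check. The following is an added example, not code from the original answer: it models a first-match firewall policy with Python's standard `ipaddress` module and enumerates every flow the policy would permit between the two segments. The subnets, ports, rule format and both sample policies are constructed assumptions for illustration; a real assessment would feed in the exported policy of the actual firewall.

```python
"""Segmentation check for a first-match firewall policy between a
cardholder data environment (CDE) and an out-of-scope segment.

Added example, not code from the original expert answer. The subnets,
the rule format and the sample policies below are constructed for
illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


def rule(action: str, src: str, dst: str, dport: Optional[int] = None) -> Rule:
    """Build a Rule from CIDR strings (constructed helper)."""
    return Rule(action, ip_network(src), ip_network(dst), dport)


def decide(rules: List[Rule], src: IPv4Address, dst: IPv4Address, dport: int) -> str:
    """First matching rule wins; an implicit deny closes the policy."""
    for r in rules:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"


def is_allowed(rules: List[Rule], src: str, dst: str, dport: int) -> bool:
    """Convenience wrapper taking plain address strings."""
    return decide(rules, ip_address(src), ip_address(dst), dport) == "allow"


def segmentation_violations(rules: List[Rule], cde: str, out_of_scope: str,
                            ports: List[int]) -> List[Tuple[str, str, int]]:
    """Return every (src, dst, port) flow the policy permits between the
    out-of-scope segment and the CDE, checked in both directions.
    An empty list means the two segments are isolated for those ports."""
    cde_net, oos_net = ip_network(cde), ip_network(out_of_scope)
    leaks: List[Tuple[str, str, int]] = []
    for a, b in ((oos_net, cde_net), (cde_net, oos_net)):
        for src, dst, port in product(a.hosts(), b.hosts(), ports):
            if decide(rules, src, dst, port) == "allow":
                leaks.append((str(src), str(dst), port))
    return leaks


# Constructed sample environment: a /28 for the point-of-sale systems and a
# /24 for the back-office productivity workstations.
CDE = "10.20.0.0/28"
BACK_OFFICE = "10.10.0.0/24"
PORTS = [22, 443, 445, 1433, 3389]

# Policy that isolates the CDE: explicit denies between the segments come
# first, so the later, broader internet allow cannot reach across the boundary.
ISOLATING_POLICY = [
    rule("deny", BACK_OFFICE, CDE),
    rule("deny", CDE, BACK_OFFICE),
    rule("allow", BACK_OFFICE, "0.0.0.0/0", 443),   # workstations to the web
]

# Same three rules in the wrong order: the broad allow now matches before the
# deny and opens TCP/443 from every workstation into the CDE.
MISORDERED_POLICY = [
    rule("allow", BACK_OFFICE, "0.0.0.0/0", 443),
    rule("deny", BACK_OFFICE, CDE),
    rule("deny", CDE, BACK_OFFICE),
]

if __name__ == "__main__":
    for name, policy in (("isolating", ISOLATING_POLICY), ("misordered", MISORDERED_POLICY)):
        leaks = segmentation_violations(policy, CDE, BACK_OFFICE, PORTS)
        print(f"{name}: {len(leaks)} permitted cross-segment flows")
```

The isolating policy reports zero cross-segment flows while the misordered one reports one permitted flow per workstation, CDE host and port, which is exactly the kind of evidence an assessor would want to see when judging whether the back-office network is genuinely out of scope.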

This was last published in May 2009
