NL +31 (0)20 4232420 / SP +34 937 379 542

The act of dividing a computer network into subnets is known as network segmentation. Network segmentation, when done correctly, improves network security and performance. Although network segmentation is not required by PCI DSS, it is strongly recommended.

Network segmentation does not prevent an attacker from breaching your network, but it does limit the attacker’s influence and access. Organizations that have credit card information, financial information, research and development information, and intellectual property in their network must segment this data to be on a network other than the main network.

So, if you are processing credit card data and you can segment the portion containing credit card data, only the network segment you specified is subject to PCI DSS. This means, you only need to apply the PCI DSS criteria to this network segment. With will save you time and effort.


Obligated For Merchants and Service Providers


Merchants and service providers must test the proper implementation and functionality of network segmentation as part of the PCI penetration test. Network segmentation is defined in requirement 11.3.4 of PCI DSS as follows:

“If segmentation is used to differentiate CDE from other networks, perform penetration tests at least annually and after any changes in segmentation methods and isolate all out-of-scope systems from CDE to verify that segmentation methods are functional and efficient.”

For service providers (PCI DSS requirement it is stated that segmentation tests should be performed at least every 6 months or after a significant change in segmentation.

The merchant or service provider must perform segmentation tests in the same way. The only difference between them is the frequency of the segmentation test.


PCI Network Segmentation


Network segmentation serves several purposes. It helps in the reduction of bottlenecks and obstacles in the overall network, and the separation of key segments from other segments. As a result, network management becomes more straightforward.

Each organization should stick to its segmentation process and procedures in compliance with company needs. A major organization, for example, whose operation covers all types of payments, may keep cardholder data (CHD) in one segment and other data in different segments.

A Cardholder Data Environment (CDE) is part of the network that stores, processes, and transmits cardholder information. Typically, a Cardholder Data Environment is within the PCI scope, and other non-scope segments are outside the scope of the PCI.

Cardholder data comprises the cardholder’s name, card number, expiration or service code, and CVV. Cardholder information should never be compromised or leaked.

According to PCI DSS standard 11.3.4, the cardholder data environment (CDE) must always be secure and have limited access to other segments. Furthermore, the CDE should only be available via an internal network and should not have any access to external resources.

In other words, no unauthorized links between in-scope PCI and out-of-scope PCI should be made, and restricted access to in-scope PCI should be granted in any situation.


3 main scope contents


In PCI DSS terminology, there are 3 main scope contents. Understanding the language defined by PCI DSS is critical for passing network segmentation tests.

  1. CDE Systems – systems that directly process, store, or transmit sensitive authentication data (SAD) or cardholder data (CHD), or that are directly connected to such systems. These systems or devices are also referred to as Category 1 or Level 1.
  2. Connected or Affecting Systems — Systems that provide CDE services or have connections to CDE systems that potentially impair system security within the CDE. These systems or devices can alternatively be referred to as Shared Services, Level 2, or Category 2.
  3. Out of Scope Systems (also known as Level 3 or Category 3 systems) — Systems that do not connect to the CDE.

PCI compliance applies to both CDE (Category 1) and Bound (Category 2) systems. Category 3 systems, on the other hand, are required for network segmentation testing because the segmentation test will reveal that Category 3 cannot reach Category 1 and vice versa.

When it is determined that Category 3 cannot reach Category 1 in network segmentation tests, the test is considered successful. A PCI segmentation test that only targets Category 3 and Category 1 will not qualify because the tests must also include Category 2.

Further, PCI segmentation checks on the CDE should be performed both outside and inside the corporate network, with a focus on segmentation checks from outside the CDE.

The purpose of performing segmentation tests inside and outside the CDE, as well as other areas of the network, such as the Internet, is to support the analysis and results of the QSA review of firewall rules specified in the PCI DSS 1.3 requirement.

Like to know more about how network segmentation can help your organization? Contact our QSA at
Read more about how network segmentation can help reduce the scope and costs of a PCI DSS audit: 4 Easy Tips to Help Reducing Costs of PCI DSS