First and foremost, what is network segmentation?
Network segmentation, or isolation of the cardholder data environment, is not a PCI DSS requirement. This is important to remember, because it means assessors cannot force an entity to segment its network in order to find it compliant. Even if segmentation would help an entity become compliant (for example, by isolating compliant systems from non-compliant systems), the assessor cannot tell the entity that it must segment to be PCI DSS compliant.
However, without adequate network segmentation, the entire network is in scope for PCI DSS. Segmentation is recommended as a method that may reduce not only the scope and cost of a PCI DSS assessment, but also the ongoing overhead of maintaining PCI DSS compliance. By consolidating cardholder data into fewer, more controlled locations, the risk of data breach is also reduced.
What are Acceptable Forms of Network Segmentation?
Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technology that restricts access to a particular segment of a network.
Adequate network segmentation is anything that isolates systems that store, process, or transmit cardholder data from those that do not. The assessor has to evaluate whether the segmentation is sufficient to isolate systems in the cardholder data environment from the rest of the network. No matter what types of devices, technologies or mechanisms are used, the assessor must verify that the segmentation is functioning properly and providing the isolation intended.
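The point above, that the assessor must verify the segmentation actually isolates the cardholder data environment rather than merely accept that a firewall or ACL exists, can be exercised with a simple rule-set walk. The following is an added example, not part of the original page and not a PCI SSC tool: it models a first-match access control list, probes representative hosts in each out-of-scope segment against each CDE segment on a few service ports, and reports every permitted flow that is not on an explicitly approved exception list. The segments, rules, ports and the "jump host" exception are all constructed sample data.

```python
"""Probe a first-match ACL for flows that cross from out-of-scope
segments into the cardholder data environment (CDE).

Everything below (segments, rules, approved exceptions) is constructed
sample data for this example, not a real environment."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: which segments hold cardholder data and which do not.
CDE_SEGMENTS = [ipaddress.ip_network("10.10.0.0/24")]           # card processing
OUT_OF_SCOPE_SEGMENTS = [ipaddress.ip_network("10.20.0.0/24"),  # corporate LAN
                         ipaddress.ip_network("10.30.0.0/24")]  # guest wifi

# Service ports worth probing; extend for the services actually present.
PROBE_PORTS = [22, 443, 1433, 3389]


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]               # None matches any port


def net(s):
    return ipaddress.ip_network(s)


# Constructed ACL: evaluated top-down, first match wins, implicit deny at the end.
# Rule 3 is deliberately too broad (any 10/8 host may reach the CDE on 443),
# which is the kind of defect a segmentation review is meant to surface.
ACL = [
    Rule("permit", net("10.20.0.5/32"), net("10.10.0.0/24"), 22),    # admin jump host
    Rule("deny",   net("10.20.0.0/24"), net("10.10.0.0/24"), None),  # rest of corporate LAN
    Rule("permit", net("10.0.0.0/8"),   net("10.10.0.0/24"), 443),   # too broad
    Rule("permit", net("10.10.0.0/24"), net("10.10.0.0/24"), None),  # intra-CDE
]

# Flows the entity has documented and justified; anything else that is
# permitted into the CDE is a finding.
APPROVED = {(ipaddress.ip_address("10.20.0.5"), 22)}


def decide(acl, src_ip, dst_ip, port):
    """Return the action of the first matching rule, or 'deny' if none match."""
    for r in acl:
        if src_ip in r.src and dst_ip in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


def is_permitted(src, dst, port, acl=ACL):
    """String-argument convenience wrapper around decide()."""
    return decide(acl, ipaddress.ip_address(src), ipaddress.ip_address(dst), port) == "permit"


def sample_hosts(segment, acl):
    """Representative hosts for a segment: first, middle and last usable
    address, plus any host (/32) that a rule names explicitly as a source,
    so host-specific exceptions are exercised rather than missed."""
    hosts = list(segment.hosts())
    picks = {hosts[0], hosts[len(hosts) // 2], hosts[-1]}
    for r in acl:
        if r.src.prefixlen == 32 and r.src.network_address in segment:
            picks.add(r.src.network_address)
    return sorted(picks)


def crossing_flows(acl, out_of_scope, cde, ports, approved):
    """Return (src, dst, port) triples permitted from out-of-scope hosts into
    the CDE that are not on the approved exception list."""
    findings = []
    for src_seg in out_of_scope:
        for src_ip in sample_hosts(src_seg, acl):
            for dst_seg in cde:
                for dst_ip in sample_hosts(dst_seg, acl):
                    for port in ports:
                        if decide(acl, src_ip, dst_ip, port) == "permit" \
                                and (src_ip, port) not in approved:
                            findings.append((str(src_ip), str(dst_ip), port))
    return findings


def audit():
    return crossing_flows(ACL, OUT_OF_SCOPE_SEGMENTS, CDE_SEGMENTS, PROBE_PORTS, APPROVED)


if __name__ == "__main__":
    for src, dst, port in audit():
        print(f"FINDING: {src} -> {dst}:{port} permitted into CDE without approval")
```

Run on the constructed data, the corporate LAN is cleanly isolated (the jump host's port 22 access is approved, everything else is denied by the explicit deny rule), but the guest wifi segment is reported on port 443 because the over-broad third rule sits after the corporate deny and matches anything else in 10.0.0.0/8. Probing representative hosts per segment rather than every address keeps the walk cheap on large rule sets; for an actual review, the same check should also be confirmed with live connectivity tests from each out-of-scope segment, since the ACL on paper is not evidence that the device enforces it.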