PCI DSS Implementation Guide
2.1.3 Network segmentation
Although it is not a mandatory requirement for PCI DSS compliance, it is often beneficial to segment the technical elements of the CDE away from the rest of the infrastructure. Network segmentation is the act of splitting the computer network into subnetworks, each of which becomes a segment. To control and protect these subnetworks, routers, switches (with appropriate Access Control List functionality) and/or firewalls are installed. From a technical perspective, the CDE is then contained within its own protected network segment. Without network segmentation that separates and protects the CDE from the rest of the infrastructure using firewalls or ACLs, the organization must accept that the whole infrastructure is part of the CDE and therefore must all be compliant with PCI DSS requirements.
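The scoping consequence described above can be checked mechanically against an ACL. The following is an added example, not part of this guide: it models a CDE segment, three other segments and a first-match ACL (all addresses and rules are constructed), and reports which segments can still reach the CDE, once for a flat "permit any" network and once for a segmented ACL with an explicit deny.

```python
import ipaddress
from collections import namedtuple

# Constructed example: one CDE segment and three non-CDE segments.
CDE = ipaddress.ip_network("10.10.0.0/24")
SEGMENTS = {
    "corporate": ipaddress.ip_network("10.20.0.0/24"),
    "guest-wifi": ipaddress.ip_network("10.30.0.0/24"),
    "admin-jump": ipaddress.ip_network("10.40.0.0/24"),
}

# One ACL entry: action is "permit" or "deny"; port None means any port.
Rule = namedtuple("Rule", "action src dst port")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Flat network: a single permit-any rule, i.e. no segmentation at all.
FLAT_ACL = [Rule("permit", ANY, ANY, None)]

# Segmented network: only named flows into the CDE, everything else denied.
SEGMENTED_ACL = [
    Rule("permit", SEGMENTS["admin-jump"], CDE, 22),
    Rule("permit", SEGMENTS["corporate"], CDE, 443),
    Rule("deny", ANY, CDE, None),
]


def first_match(acl, src, dst, port):
    """Evaluate an ACL the way a router or firewall does: the first matching
    rule wins, and a packet matching no rule is dropped (implicit deny)."""
    for rule in acl:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action
    return "deny"


def in_scope_segments(acl, segments, cde):
    """Names of the segments that can reach the CDE on at least one probed port.
    Simplification: one representative host per segment, and the probed ports
    are those named in the ACL plus one arbitrary 'other' port."""
    ports = {r.port for r in acl if r.port is not None} | {40000}
    cde_host = next(cde.hosts())
    reachable = []
    for name, net in segments.items():
        src_host = next(net.hosts())
        if any(first_match(acl, src_host, cde_host, p) == "permit" for p in ports):
            reachable.append(name)
    return sorted(reachable)


if __name__ == "__main__":
    print("flat network, in scope:", in_scope_segments(FLAT_ACL, SEGMENTS, CDE))
    print("segmented, in scope:", in_scope_segments(SEGMENTED_ACL, SEGMENTS, CDE))
```

With the flat ACL every segment is reported in scope; with the segmented ACL only the two segments given an explicit permit remain connected to the CDE, which is exactly the scope reduction the paragraph describes.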
2.2 The prioritized approach
The Payment Card Industry Security Standards Council (PCI SSC) offers a pragmatic approach to compliance by breaking the task down into six key milestones. These milestones allow the organization to address the highest risks and threats first while on its journey to PCI DSS compliance. The PCI DSS website has more information and clear guidance on this approach. It also offers a Prioritized Approach Tool, which allows the organization to perform a gap assessment, define its approach, and track and report on its progress on the road to PCI DSS compliance. We strongly recommend that you consider using this approach. The Prioritized Approach Tool can be found within the Document Library section here: pcisecuritystandards.org.
Page 8 of 21