Proper implementation of scope and segmentation controls is essential to protect payment card data and ensure that the systems handling this information are correctly isolated. Modern network architectures, by integrating advanced technologies such as managed proxies, API gateways, and service meshes, enable efficient segmentation and granular traffic control, ensuring compliance with PCI DSS requirements.
Below is a detailed summary of best practices and key considerations for applying scope and segmentation controls in the context of PCI DSS:
Maintenance of Network Diagrams and Data Flows (Requirements 1.2.3–1.2.4)
It is essential to maintain accurate diagrams of the network and data flows, covering all network segments such as VLANs, subnets, and critical infrastructure components (firewalls, WAFs, IDS/IPS, DNS servers, among others). Automated tools for continuous network discovery and monitoring facilitate regular updates to these diagrams, especially in virtualized and dynamic environments.
Security Controls in Trusted and Untrusted Networks (Requirement 1.4.1)
Organizations must implement robust security controls on connections between trusted and untrusted networks. This includes the use of demilitarized zones (DMZs) or equivalent cloud architectures, where WAFs and firewalls act as perimeter filters, protecting internal services and applications from unauthorized access. Proper segmentation helps isolate systems within the CDE (cardholder data environment) from external networks, reducing exposure to sensitive data.
Penetration Testing Methodology (Requirements 11.4.1 and 11.4.5)
Penetration tests must cover the application layer as well as the infrastructure, orchestration, and hypervisor layers. They must also include vulnerability assessments of the open-source tools and cloud services that could introduce supply-chain risk, so that known weaknesses in software dependencies are identified and remediated.
Maintenance of In-Scope Component Inventories (Requirement 12.5.1)
In dynamic cloud environments, it is necessary to manage an up-to-date inventory of components and services through automated tools such as configuration management databases (CMDBs). These tools help maintain visibility of assets involved in PCI DSS scope, even in rapidly changing environments.
Documentation and Confirmation of PCI DSS Scope (Requirements 12.5.2 and 12.5.2.1)
Defining and documenting PCI DSS scope boundaries is essential, especially in cloud environments where responsibilities may be shared between the cloud service provider (CSP) and the organization. Segmentation methodologies must be reviewed annually, and if significant architectural changes occur, a risk analysis must be performed to validate segmentation effectiveness.
Management of Third-Party Service Providers (Requirement 12.8)
It is crucial to maintain a detailed inventory of third‑party service providers, such as CSPs, that handle payment card data. These must be documented along with contracts, SLAs, and shared responsibilities for security and compliance, especially when using managed services or third‑party technologies.
Effective network segmentation is a fundamental pillar for reducing PCI DSS scope, simplifying compliance processes, and reducing operational costs. Below are key strategies that use advanced technologies to achieve effective and secure segmentation in modern networks:
Proxy Pattern
The Proxy Pattern segments networks by placing a proxy that controls and authorizes traffic between systems outside the CDE and systems handling payment card data. This approach acts as a central control point, ensuring that only authorized traffic reaches the CDE.
Implementation criteria
▪️ Perimeter Location: The proxy must be placed at the network edge, acting as the termination point for incoming connections.
▪️ De‑Scoping: Traffic passing through the proxy must not include sensitive data, verified through data classification.
▪️ Connection Termination: The proxy must terminate incoming connections to ensure data integrity when entering the CDE.
▪️ Vulnerability Management: If an IDS is used, the proxy may limit itself to traffic management without deep vulnerability inspection.
Managed Proxy
A Managed Proxy is a proxy server administered by a CSP, acting as a control point for traffic between out‑of‑scope systems and PCI DSS in‑scope systems.
Implementation criteria
▪️ Traffic from out‑of‑scope systems must pass through the proxy before reaching sensitive systems.
▪️ Direct communication between out‑of‑scope systems and the CDE must not be allowed.
▪️ The proxy must reside in a de‑scoping VPC outside the CDE.
▪️ Out‑of‑scope systems requiring data must route traffic through the proxy using a security group.
API Gateway
The API Gateway acts as a proxy that manages and terminates traffic in microservices architectures. By implementing TLS interception, the API Gateway terminates the original connection and establishes a new, separately secured one toward the backend service.
Implementation criteria
▪️ TLS interception must be enabled to ensure traffic is properly encrypted before reaching sensitive services.
▪️ Legacy systems that rely on an uninterrupted end-to-end TLS connection must be updated to tolerate termination at the gateway before this strategy can be applied.
Intermediate Managed Services
Intermediate Managed Services provided by CSPs create a break in connections to mitigate risks and enable additional segmentation. Services such as cloud storage and Pub/Sub queues can act as enhanced proxies.
Implementation criteria
▪️ Storage containers holding sensitive data must be considered in scope for PCI DSS.
▪️ Intermediate services must be evaluated and audited for PCI DSS compliance.
Native Service Mesh
A Service Mesh enables secure communication between microservices through advanced traffic policies. Implementing mTLS at the pod level ensures authenticated and encrypted communication, allowing only authorized services to interact.
Benefits:
▪️ Network-Level Isolation: The mesh segments communications, ensuring only authenticated and encrypted services interact.
▪️ Identity Verification: Using SPIFFE IDs validates each service’s identity, improving infrastructure security.
Ingress and Egress Gateways in Service Meshes
Ingress and egress gateways manage traffic entering and leaving the CDE, ensuring only authorized traffic communicates with internal or external systems.
Implementation criteria:
▪️ All incoming traffic must pass through an ingress gateway for protection and routing.
▪️ Outgoing traffic must pass through an egress gateway to ensure only authorized traffic leaves the CDE.
▪️ The service mesh must deny all connections by default, allowing only explicitly authorized ones.
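The three gateway criteria above, expressed as Istio resources for a CDE namespace. This is an added example and not part of the guidance document; the namespace `cde`, the workload label `app: payment-api`, the ingress gateway service account `istio-ingressgateway` in `istio-system`, and the acquirer hostname are all assumed values.

```yaml
# Added example (not from the PCI SSC guidance): Istio resources for a
# CDE namespace that denies everything by default, admits inbound traffic
# only from the mesh ingress gateway, and refuses outbound connections to
# any destination not explicitly registered. Names, labels and hostnames
# are assumed values.
---
# 1. Deny all requests to every workload in the CDE namespace.
#    An AuthorizationPolicy with an empty spec matches no request, so
#    nothing is allowed unless a separate ALLOW policy matches it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: cde
spec: {}
---
# 2. Allow the payment API to be reached only from the ingress gateway,
#    identified by the SPIFFE identity of its service account
#    (cluster.local/ns/<namespace>/sa/<serviceaccount>), which the
#    gateway proves with its mTLS certificate, not with a label or IP.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-from-ingress-gateway
  namespace: cde
spec:
  selector:
    matchLabels:
      app: payment-api          # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway
---
# 3. Outbound: with REGISTRY_ONLY, sidecars in the CDE drop connections
#    to any host that is not in the mesh registry. The egress host list
#    limits what this namespace can even see: its own services plus the
#    control plane and gateways in istio-system.
apiVersion: networking.istio.io/v1
kind: Sidecar
metadata:
  name: default
  namespace: cde
spec:
  egress:
  - hosts:
    - "./*"               # workloads and ServiceEntries in this namespace
    - "istio-system/*"    # istiod and the ingress/egress gateways
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
---
# 4. The single external destination the CDE is permitted to reach
#    (assumed hostname). Registering it here is what makes it routable
#    under REGISTRY_ONLY; anything not registered stays blocked.
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: acquirer-api
  namespace: cde
spec:
  hosts:
  - acquirer.example.com
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 443
    name: https
    protocol: TLS
```

The ServiceEntry only makes the acquirer endpoint resolvable; steering that traffic through a dedicated egress gateway additionally needs a Gateway and a VirtualService that route the host to the gateway, which are not shown here. Policy 2 deliberately matches on the gateway's mTLS principal rather than on a source IP range, since the sidecar verifies the principal from the peer certificate and it cannot be spoofed by a workload that merely shares the network.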
Authentication and Security Policies: Zero Trust
Implementing Zero Trust in microservices architectures involves using mTLS to ensure each service is authenticated before accessing others. Authentication policies in tools like Istio define how workloads communicate, specifying strict rules for authentication and traffic encryption.
Istio Authentication Modes:
▪️ PERMISSIVE: Allows both mTLS and unencrypted traffic; ideal for migrations.
▪️ STRICT: Only accepts mTLS traffic; recommended for high‑security environments.
▪️ DISABLE: Disables mTLS; not recommended due to lack of protection.
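The modes above as Istio PeerAuthentication resources: a mesh-wide STRICT default with a narrowly scoped PERMISSIVE exception for a workload still being migrated. This is an added example, not taken from the guidance or from Istio's documentation; the namespace `cde`, the label `app: batch-intake` and port 8443 are assumed values.

```yaml
# Added example (not from the PCI SSC guidance): PeerAuthentication
# resources applying the STRICT and PERMISSIVE modes. Namespace, label
# and port are assumed values.
---
# Mesh-wide default. A PeerAuthentication named "default" in the root
# namespace (istio-system) applies to every workload that has no more
# specific namespace- or workload-level policy. STRICT makes every
# sidecar reject inbound connections that are not mesh mTLS.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Migration exception, kept as narrow as possible: one workload, one port.
# The selector limits the policy to the batch-intake pods, and
# portLevelMtls limits it further to the single port that legacy clients
# without a sidecar still reach in plaintext. Because the workload-level
# "mtls" field is omitted, every other port on the same pods inherits
# STRICT from the mesh-wide default above.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: legacy-batch-intake
  namespace: cde                  # assumed namespace
spec:
  selector:
    matchLabels:
      app: batch-intake           # assumed workload label
  portLevelMtls:
    8443:
      mode: PERMISSIVE
```

Scoping the exception to one port rather than to the namespace is the difference between a controlled migration and an environment that silently accepts plaintext everywhere: a namespace-wide PERMISSIVE policy would override the mesh default for every workload in `cde`, whereas this one leaves the STRICT posture intact for everything except the one documented legacy path, and it can be deleted as a single object once that path is retired.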
Kubernetes Network Policies and Service Meshes
Kubernetes Network Policies provide basic segmentation between pods, while a service mesh like Istio offers more granular control of microservice communication. Using both mechanisms establishes defense‑in‑depth, ensuring segmentation at the network level and advanced traffic control.
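The defence-in-depth pairing described above, shown for one call path: a Kubernetes NetworkPolicy enforces the L3/L4 boundary at the CNI, and an Istio AuthorizationPolicy enforces identity and method at L7 in the sidecar. This is an added example and not from the guidance document; the namespaces `cde` and `checkout`, the labels, the service account `checkout-frontend`, port 8080 and the path `/v1/authorize` are assumed values.

```yaml
# Added example (not from the PCI SSC guidance): the same path protected
# twice. Layer 1 is a Kubernetes NetworkPolicy (packets, enforced by the
# CNI plugin); layer 2 is an Istio AuthorizationPolicy (requests, enforced
# by the sidecar). Namespaces, labels, service account, port and path are
# assumed values.
---
# Layer 1a: CNI-level default deny for inbound traffic in the CDE namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: cde
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Layer 1b: only checkout-frontend pods in the checkout namespace may
# open TCP connections to payment-api, and only on its application port.
# namespaceSelector and podSelector sit in ONE "from" entry, so both must
# match (AND); listing them as separate entries would OR them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-checkout-to-payment-api
  namespace: cde
spec:
  podSelector:
    matchLabels:
      app: payment-api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: checkout
      podSelector:
        matchLabels:
          app: checkout-frontend
    ports:
    - protocol: TCP
      port: 8080
---
# Layer 2: a pod that satisfies the labels above still has to present
# the checkout-frontend service account's mesh certificate, and may call
# only one method on one path. A label can be copied onto any pod; an
# identity issued by the mesh CA cannot.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: payment-api-allow-checkout
  namespace: cde
spec:
  selector:
    matchLabels:
      app: payment-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/checkout/sa/checkout-frontend
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/authorize"]
```

Two details matter when rolling this out. The NetworkPolicy is only enforced if the cluster's CNI plugin supports it, so the layer-1 rules should be verified with a connectivity test from a pod that does not match the selectors, not assumed from the object's existence. If a default-deny is later extended to `Egress`, each CDE pod also needs explicit egress rules for cluster DNS and for the sidecar's connection to istiod, or the mesh layer stops working along with everything else.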
Segmentation strategies such as the Proxy Pattern, Managed Proxy, API Gateway, Intermediate Managed Services, Native Service Mesh, and Ingress/Egress Gateways are essential for managing security in modern network architectures and ensuring PCI DSS compliance. These technologies not only reduce PCI DSS scope but also optimize infrastructure and enhance overall network security. Additionally, implementing Zero Trust policies through mTLS and integrating Kubernetes network policies strengthens security by ensuring that only secure and authorized connections are allowed.
References
📑 PCI DSS Standard v4.0.1
📑 Guidance for PCI DSS Scope and Segmentation for Modern Network Architectures