PCI DSS network segmentation is the practice of isolating systems that handle card data from the rest of the corporate infrastructure through physical or logical network controls. It is not technically mandatory under PCI DSS, but without it the entire corporate network falls within the perimeter of the CDE (cardholder data environment) - a condition that makes compliance practically unsustainable for any mid-sized organisation. Understanding how to implement it, how much it costs and when tokenization is a more efficient alternative is essential for a rational compliance strategy.
What network segmentation is and why PCI DSS requires it
Without segmentation, any system connected to the corporate network that has even indirect connectivity to payment systems falls within the CDE. This means administrative office workstations, videoconferencing systems, network printers and backup servers can all be subject to PCI DSS requirements if they share the same network as payment systems. The perimeter explodes, and compliance costs with it.
Network segmentation resolves this problem by creating a clear separation between the CDE and the rest of the network. Through firewalls, VLANs, network access controls and DMZ zones, payment systems are isolated in a dedicated segment with strictly controlled access. Only systems that have a documented technical need to communicate with the CDE can do so, and every access is logged and monitored.
Costs and complexity of correct segmentation
Implementing network segmentation correctly is not trivial. It requires dedicated firewalls between segments, granular filtering rules, complete network topology documentation, periodic tests of segmentation effectiveness (including penetration tests that verify there are no unauthorised paths between segments) and continuous maintenance whenever systems are added or flows are modified.
Costs of correct segmentation include: dedicated networking hardware (from €5,000 to €30,000 for on-premises infrastructure), consulting costs for design and implementation, continuous monitoring and maintenance costs, and testing costs to verify that segmentation remains effective over time. In cloud environments, segmentation is more flexible but still requires careful design of VPCs, security groups and routing rules.
Tokenization as an alternative to hardware segmentation
The logic of segmentation is: isolate the CDE from the rest of the network to limit the risk surface. Tokenization achieves the same objective more radically: instead of isolating the CDE, it almost completely eliminates it on the merchant's side. If your systems never handle PANs, you have no CDE to isolate. Segmentation becomes irrelevant because there is nothing to protect on your servers.
For organisations that have already invested in network segmentation, tokenization adds a second layer of protection: it further reduces the CDE and simplifies the topology. For those who have not yet implemented segmentation, adopting tokenization first can entirely avoid the investment in dedicated network infrastructure. The order of priorities depends on the existing architecture and the compliance timeline.
Frequently asked questions
Is VLAN segmentation sufficient for PCI DSS?
VLANs alone are not considered sufficient by PCI DSS unless accompanied by firewalls that filter traffic between segments. A VLAN without a firewall is a logical separation that can be bypassed with misconfiguration or VLAN hopping attacks. PCI DSS requires that segmentation be verifiable and tested in the annual penetration test.
Do I need to segment the test environment too?
Yes, if the test environment uses real card data. PCI DSS explicitly requires that test data not be real card data, and that development and test environments be separate from the production environment. If you follow this rule, the test environment does not enter the CDE and does not need specific segmentation.
How many firewalls are needed to isolate the CDE?
There is no fixed number: it depends on the network topology and the number of access points to the CDE. In a typical architecture, at least one perimeter firewall separating the CDE from the internet and one separating the CDE from the internal network are needed. In complex environments with multiple DMZ zones and multiple access flows, the number may be higher. The rule is that every access to the CDE must pass through a firewall with explicit rules.
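As an added example (not code from the original article or from any PCI DSS tool), the following Python script models a small network as zones, VLAN-only boundaries and firewalls with explicit allow-lists, then applies the rules stated above: a VLAN boundary without a firewall is not a segmentation control, zones connected to the CDE without a firewall pull themselves into scope, and every access into the CDE must match an explicit, documented firewall rule. All zone names, rules and the topology are constructed for illustration; the function and field names are hypothetical.

```python
"""Scope and segmentation checker for a modelled network (added example).

A zone is a network segment. Two adjacent zones are separated either by a
firewall holding an explicit allow-list (default deny) or only by a VLAN
boundary with no filtering. The checker computes which zones are in PCI
scope and reports findings of the kind a segmentation test looks for.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple

ANY_PORT = 0  # constructed placeholder meaning "any port" in a rule


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int            # ANY_PORT means all ports
    justification: str   # documented business need; "" means undocumented


@dataclass
class Firewall:
    name: str
    zones: FrozenSet[str]                          # the two zones it separates
    rules: List[Rule] = field(default_factory=list)  # anything not listed is denied


@dataclass
class Network:
    cde: Set[str]                      # zones that store, process or transmit PAN
    vlan_only: Set[FrozenSet[str]]     # adjacent zone pairs with no firewall between
    firewalls: List[Firewall] = field(default_factory=list)


def firewall_between(net: Network, a: str, b: str) -> Optional[Firewall]:
    for fw in net.firewalls:
        if fw.zones == frozenset({a, b}):
            return fw
    return None


def evaluate(net: Network, src: str, dst: str, port: int) -> Tuple[str, str]:
    """Decide how one src->dst:port access is handled.

    'allow'      an explicit rule on the firewall between the zones matches
    'deny'       a firewall sits between the zones but no rule matches, or no path
    'unfiltered' only a VLAN boundary separates the zones (no control at all)
    """
    if frozenset({src, dst}) in net.vlan_only:
        return "unfiltered", f"{src}->{dst} separated by VLAN only"
    fw = firewall_between(net, src, dst)
    if fw is None:
        return "deny", f"no path between {src} and {dst}"
    for r in fw.rules:
        if r.src == src and r.dst == dst and r.port in (ANY_PORT, port):
            return "allow", f"{fw.name}: {r.justification or 'UNDOCUMENTED'}"
    return "deny", f"{fw.name}: no explicit rule (default deny)"


def in_scope(net: Network) -> Set[str]:
    """CDE zones plus every zone reachable from them over VLAN-only links.

    A firewalled zone stays out of scope here; findings() checks whether the
    firewall rules that protect it are sound."""
    scope = set(net.cde)
    changed = True
    while changed:
        changed = False
        for link in net.vlan_only:
            if link & scope and not link <= scope:
                scope |= link
                changed = True
    return scope


def findings(net: Network) -> List[str]:
    """Segmentation weaknesses, sorted so the output is stable."""
    out: List[str] = []
    for link in net.vlan_only:
        if link & net.cde and not link <= net.cde:   # crosses the CDE boundary
            a, b = sorted(link)
            out.append(f"VLAN-only boundary {a}<->{b} touches the CDE: not a segmentation control")
    for fw in net.firewalls:
        for r in fw.rules:
            if r.dst in net.cde and r.port == ANY_PORT:
                out.append(f"{fw.name}: rule {r.src}->{r.dst} allows any port into the CDE")
            if r.dst in net.cde and not r.justification:
                out.append(f"{fw.name}: rule {r.src}->{r.dst}:{r.port} into the CDE has no documented justification")
    return sorted(out)


# Constructed sample topology: an internet-facing DMZ, a payment app and DB in
# the CDE, an office network behind an internal firewall, and a backup zone
# that was wired to the CDE database over a plain VLAN.
EXAMPLE = Network(
    cde={"cde-app", "cde-db"},
    vlan_only={
        frozenset({"cde-app", "cde-db"}),
        frozenset({"cde-db", "backup"}),
        frozenset({"office", "printers"}),
    },
    firewalls=[
        Firewall("fw-inet", frozenset({"internet", "dmz"}),
                 [Rule("internet", "dmz", 443, "customer checkout")]),
        Firewall("fw-dmz", frozenset({"dmz", "cde-app"}),
                 [Rule("dmz", "cde-app", 8443, "payment API")]),
        Firewall("fw-int", frozenset({"office", "cde-app"}),
                 [Rule("office", "cde-app", ANY_PORT, "")]),   # over-broad and undocumented
    ],
)

if __name__ == "__main__":
    print("in scope:", sorted(in_scope(EXAMPLE)))
    for src, dst, port in [("dmz", "cde-app", 8443), ("dmz", "cde-app", 22), ("backup", "cde-db", 22)]:
        print(f"{src}->{dst}:{port}", *evaluate(EXAMPLE, src, dst, port))
    for f in findings(EXAMPLE):
        print("finding:", f)
```

Running the script shows the backup zone dragged into scope by the VLAN-only link (the "perimeter explodes" effect), a permitted and a denied flow through the DMZ firewall, and three findings on the sample topology: the unfiltered backup link and the any-port, undocumented office rule into the CDE.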
Want to reduce PCI scope without investing in segmentation infrastructure? Discover PCI Proxy EU.