PCI DSS network segmentation is technically optional, but in practice it is the only realistic way to contain the cardholder data environment (CDE) without investing millions in compliance. Without segmentation the whole internal network is in scope: every system that can reach the CDE, whether or not it ever touches a card number, must meet every applicable control of the standard. The real problem is not deciding whether to segment, but understanding how much it costs, who manages it and when it makes sense to look for alternatives.
PCI DSS network segmentation: what the requirement specifies
PCI DSS does not impose a specific segmentation method, but it requires that out-of-scope systems be isolated so that they cannot affect the security of the CDE. Note the scoping rule this implies: a system that can connect to the CDE (directory services, log collectors, patch management, jump hosts) is a "connected-to" system and stays in scope even if it never handles a PAN; only systems with no connectivity to the CDE are out of scope. In practice segmentation means firewalls with documented, default-deny rules, dedicated VLANs, access control lists between segments and periodic verification that the isolation holds. Requirement 11.4.5 of PCI DSS v4.0 requires penetration tests of the segmentation controls at least once every 12 months and after any change to them, to validate that segmentation actually works and not just on paper; service providers must test every six months (Requirement 11.4.6).
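The validation step that Requirement 11.4.5 asks for, reduced to its core, as an added example that is not part of the original article: run from a host in a segment you claim is out of scope, try to complete a TCP handshake with every documented CDE endpoint, and treat every success as a finding. The CDE addresses and ports are constructed sample values, and `local_self_check` only exercises the probe on the loopback interface so the script can be tried offline. A real engagement also covers UDP and ICMP, probes the reverse direction, and is repeated from every out-of-scope segment.

```python
"""Segmentation validation probe.

Added example, not part of the original article.  From a host in an
out-of-scope segment, attempt TCP connections to every documented CDE
endpoint.  Any completed handshake is a segmentation failure.
The target inventory below is a constructed sample.
"""
import socket
from dataclasses import dataclass

# Constructed sample inventory: CDE addresses and the ports an attacker would
# try first.  In a real test this list comes from the documented CDE inventory.
SAMPLE_CDE_TARGETS = {
    "10.2.0.10": [22, 443, 8443],   # assumed authorisation service
    "10.2.0.20": [22, 1433, 5432],  # assumed cardholder database
}


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool   # True only for a completed TCP handshake
    detail: str


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """Full TCP connect.  A completed handshake means the boundary passed the
    flow.  A timeout usually means a drop rule; a refusal (RST) means either a
    closed port on a reachable host or a reject rule on the firewall, which the
    probe cannot distinguish, so the detail is recorded for follow-up."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(host, port, True, "connected")
    except socket.timeout:
        return ProbeResult(host, port, False, "timeout (filtered)")
    except ConnectionRefusedError:
        return ProbeResult(host, port, False, "refused (RST: closed port or reject rule)")
    except OSError as exc:
        return ProbeResult(host, port, False, f"error: {exc.strerror or exc}")


def run_segmentation_test(targets, timeout: float = 2.0):
    """Probe every host/port pair in the inventory and return all results."""
    return [tcp_probe(host, port, timeout)
            for host, ports in targets.items() for port in ports]


def reachable_endpoints(results):
    """The findings: every (host, port) the out-of-scope host could reach."""
    return sorted((r.host, r.port) for r in results if r.reachable)


def local_self_check():
    """Offline sanity check of the probe itself on the loopback interface:
    one listening port must be reported reachable, one closed port must not."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()                 # grab a free port, then close it
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return (tcp_probe("127.0.0.1", open_port, 1.0),
                tcp_probe("127.0.0.1", closed_port, 1.0))
    finally:
        listener.close()


if __name__ == "__main__":
    results = run_segmentation_test(SAMPLE_CDE_TARGETS)
    for r in results:
        status = "REACHABLE" if r.reachable else "blocked"
        print(f"{r.host}:{r.port:<5} {status:<9} {r.detail}")
    # Non-zero exit when any CDE endpoint answered: the segmentation test failed.
    raise SystemExit(1 if reachable_endpoints(results) else 0)
```

A refused connection is not a pass: it proves packets reached something that answered, and the tester has to establish from the firewall logs whether that was the boundary device rejecting or the CDE host itself.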
A typical architecture has at least three zones: the public network, the DMZ hosting the systems that accept card data, and the internal segment where the authorisation systems and databases reside. Each zone requires explicit ingress and egress rules, centralised logging and change management procedures, and the firewall between zones should permit only the documented flows and drop everything else. In cloud environments, segmentation translates to dedicated VPCs, granular security groups and east-west traffic control with tools like AWS Network Firewall or Azure Firewall.
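One way to keep the documented rules and the enforced rules identical, as an added example that is not the article's own material: a zone and flow allow-list in Python that both answers "is this flow permitted?" and renders the nftables forward chain for the inter-zone firewall. The zone names, address ranges and flows are constructed sample values; the `mgmt` zone is there to show a connected-to segment (log collector, jump host) that stays in scope because it exchanges traffic with the CDE.

```python
"""Three-zone segmentation policy as a single source of truth.

Added example, not from the original article.  Zones, address ranges and
flows are constructed samples.  The allow-list is the documented rule set the
auditor reads; the same data evaluates individual flows and renders the
nftables forward ruleset, so documentation and enforcement cannot drift.
"""
from ipaddress import ip_address, ip_network

# Constructed sample zones.  "public" is the catch-all for anything not in a
# named internal zone.  "mgmt" exchanges traffic with the CDE, so it is a
# connected-to zone and in scope.  "corporate" has no flow to or from the CDE.
ZONES = {
    "public":    [ip_network("0.0.0.0/0")],
    "dmz":       [ip_network("10.1.0.0/24")],   # payment front ends
    "cde":       [ip_network("10.2.0.0/24")],   # authorisation systems + databases
    "mgmt":      [ip_network("10.3.0.0/24")],   # log collector, jump host
    "corporate": [ip_network("10.50.0.0/16")],  # out of scope
}

# Documented allow-list: (source zone, destination zone, protocol, dest port).
# Anything not listed is dropped; note that "corporate" appears nowhere.
ALLOWED_FLOWS = [
    ("public", "dmz",  "tcp", 443),    # customers reach the payment page
    ("dmz",    "cde",  "tcp", 8443),   # front end calls the authorisation API
    ("cde",    "mgmt", "tcp", 6514),   # syslog over TLS to the central collector
    ("mgmt",   "cde",  "tcp", 22),     # administration from the jump host only
]


def zone_of(ip: str) -> str:
    """Longest-prefix zone lookup, so the 0.0.0.0/0 public zone only catches
    addresses that belong to no named internal zone."""
    addr = ip_address(ip)
    best_name, best_len = "unknown", -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Default deny: a new connection is permitted only if its zone pair,
    protocol and destination port appear in the documented allow-list."""
    return (zone_of(src_ip), zone_of(dst_ip), proto, dport) in ALLOWED_FLOWS


def _addr_match(keyword: str, nets) -> str:
    """nftables address match for a zone.  The catch-all public zone is written
    as 'not any named internal range' so it cannot silently include them."""
    if any(n.prefixlen == 0 for n in nets):
        internal = sorted(str(n) for zn in ZONES.values() for n in zn if n.prefixlen)
        return f"ip {keyword} != {{ {', '.join(internal)} }}"
    return f"ip {keyword} {{ {', '.join(str(n) for n in nets)} }}"


def render_nftables() -> str:
    """Render the allow-list as an nftables forward chain with policy drop.
    Dropped packets are logged so the boundary feeds centralised logging."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst, proto, dport in ALLOWED_FLOWS:
        lines.append(f"    {_addr_match('saddr', ZONES[src])} "
                     f"{_addr_match('daddr', ZONES[dst])} "
                     f"{proto} dport {dport} ct state new accept")
    lines += ['    log prefix "seg-drop: " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
```

Because the allow-list is the only input, a change request is a diff to `ALLOWED_FLOWS`, the rendered ruleset is what gets loaded with `nft -f`, and the evaluator can be run against the flows the QSA asks about without touching the firewall.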
The real costs of correct segmentation
The most common mistake is underestimating operational costs relative to setup costs. Enterprise-level firewall and IDS hardware or cloud licensing ranges from €15,000 to €60,000 for a medium-sized architecture. Added to this are the hours of a network engineer for design, rule documentation and change management: an average of 20-40 hours/year just for routine maintenance. The annual penetration test on segmentation has an average cost of €3,000 to €8,000.
For companies operating on Kubernetes or container environments, costs increase further. Out of the box a cluster is flat: a pod selected by no NetworkPolicy accepts traffic from every other pod, so east-west micro-segmentation requires a CNI that enforces policy, such as Calico or Cilium, or a dedicated service mesh, plus a default-deny baseline in every namespace that holds cardholder data. Operational complexity grows quickly with the number of microservices handling sensitive data, because every permitted flow between them must be declared explicitly and kept current as services change. A team without specialisation in secure networking risks creating configurations that appear compliant but are not, with serious consequences in the event of an audit or breach.
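An added example, not from the article and not Calico or Cilium code, of how a NetworkPolicy can look right and still fail an audit. It is a small evaluator of the policy ingress semantics (matchLabels selectors and TCP ports only) that checks who can reach a constructed `card-vault` pod in three situations: no policy at all, a default-deny plus a correctly written allow rule, and the same selectors split into two list items, which Kubernetes reads as OR rather than AND. All namespaces, pods and policy names are constructed samples.

```python
"""Evaluator for Kubernetes NetworkPolicy ingress semantics (matchLabels and
TCP ports only).  Added example: not from the original article, not Calico or
Cilium code.  Cluster, pods and policies are constructed samples."""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


NAMESPACE_LABELS = {"payments": {"pci": "cde"}, "monitoring": {"team": "sre"}}


def _matches(selector: dict, labels: dict) -> bool:
    """matchLabels: every selector key/value must be present; {} matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer: dict, src: Pod, policy_ns: str) -> bool:
    """One item of an ingress rule's 'from' list."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_labels = NAMESPACE_LABELS.get(src.namespace, {})
    if ns_sel is not None and pod_sel is not None:      # both in one item: AND
        return _matches(ns_sel, ns_labels) and _matches(pod_sel, src.labels)
    if ns_sel is not None:                              # namespace only: any pod in it
        return _matches(ns_sel, ns_labels)
    if pod_sel is not None:                             # pod only: policy's own namespace
        return src.namespace == policy_ns and _matches(pod_sel, src.labels)
    return False                                        # ipBlock peers not modelled


def _rule_matches(rule: dict, src: Pod, port: int, policy_ns: str) -> bool:
    """Missing/empty 'from' matches every source, missing/empty 'ports' every
    port; a bare {} rule therefore allows all ingress."""
    peers, ports = rule.get("from"), rule.get("ports")
    peer_ok = not peers or any(_peer_matches(p, src, policy_ns) for p in peers)
    port_ok = not ports or any(
        p.get("port") == port and p.get("protocol", "TCP") == "TCP" for p in ports)
    return peer_ok and port_ok


def ingress_allowed(policies, src: Pod, dst: Pod, port: int) -> bool:
    """A pod selected by no Ingress policy is non-isolated and accepts
    everything (the Kubernetes default); otherwise some selecting policy
    must contain a rule that matches the source and port."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.namespace
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and _matches(p["spec"]["podSelector"], dst.labels)]
    if not selecting:
        return True
    return any(_rule_matches(rule, src, port, p["metadata"]["namespace"])
               for p in selecting for rule in p["spec"].get("ingress", []))


# Baseline for every CDE namespace: select all pods, allow no ingress at all.
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "payments"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
PEER_NS = {"matchLabels": {"pci": "cde"}}
PEER_POD = {"matchLabels": {"app": "payment-api"}}


def _vault_policy(peers: list) -> dict:
    """Allow TCP/8443 to card-vault pods from the given peer list."""
    return {"metadata": {"name": "allow-vault", "namespace": "payments"},
            "spec": {"podSelector": {"matchLabels": {"app": "card-vault"}},
                     "policyTypes": ["Ingress"],
                     "ingress": [{"from": peers,
                                  "ports": [{"protocol": "TCP", "port": 8443}]}]}}


# Intended: only payment-api pods in a pci=cde namespace (one item: AND).
ALLOW_VAULT_CORRECT = _vault_policy([{"namespaceSelector": PEER_NS, "podSelector": PEER_POD}])
# Same selectors as two items: any pod in a pci=cde namespace OR payment-api
# in payments.  Reads the same in review, admits the whole CDE namespace.
ALLOW_VAULT_BROKEN = _vault_policy([{"namespaceSelector": PEER_NS}, {"podSelector": PEER_POD}])

API = Pod("payment-api-1", "payments", {"app": "payment-api"})
VAULT = Pod("card-vault-0", "payments", {"app": "card-vault"})
BATCH = Pod("report-batch", "payments", {"app": "report-batch"})   # same namespace, not the API
PROM = Pod("prometheus-0", "monitoring", {"app": "prometheus"})


def vault_access_matrix(policies) -> dict:
    """Which sample pods can open card-vault:8443 under a policy set."""
    return {src.name: ingress_allowed(policies, src, VAULT, 8443) for src in (API, BATCH, PROM)}


if __name__ == "__main__":
    for label, pols in [("no policy", []),
                        ("default-deny + correct", [DEFAULT_DENY, ALLOW_VAULT_CORRECT]),
                        ("default-deny + broken", [DEFAULT_DENY, ALLOW_VAULT_BROKEN])]:
        print(f"{label:24} {vault_access_matrix(pols)}")
```

Both manifests are valid YAML and the API server accepts both without a warning; only exercising the policy, on the cluster or in an evaluator like this one, shows that under the broken variant any compromised pod in the `payments` namespace can open the vault port.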
Tokenization vs segmentation: when each makes sense
Segmentation protects the perimeter around sensitive data. Tokenization removes sensitive data from the perimeter. They are complementary approaches, but the starting point radically changes the magnitude of the required investment. If the PAN never enters your infrastructure, the CDE shrinks dramatically and with it the segmentation requirements. Systems that previously required dedicated VLANs and firewalls exit scope entirely, provided they have no remaining connectivity to the CDE and cannot turn tokens back into PANs.
The most efficient PCI DSS scope reduction strategy combines the two approaches: tokenization to eliminate data at the source, residual segmentation to protect the components managing API calls to the vault. This way the surface to be protected with firewalls and ACLs reduces to a few well-defined endpoints instead of an entire corporate network. The result is a minimal CDE, faster audits and structurally lower maintenance costs.
Frequently asked questions
Is cloud segmentation different from on-premise for PCI?
Conceptually no, but the tools change. In the cloud, VPCs, private subnets, security groups and network ACLs take the place of physical VLANs and hardware firewalls. PCI DSS accepts both approaches provided the isolation is documented and tested. Shared responsibility with the cloud provider never covers your segmentation: the provider's own PCI DSS attestation covers the underlying infrastructure, while the VPC design, security groups and firewall rules are the merchant's controls, which the merchant must document, test and defend to the QSA.
Can I use segmentation as a compensating control?
Segmentation is a scoping tool and a security control in its own right, not a compensating control in the strict sense. PCI DSS compensating controls apply when a specific requirement cannot be met due to documented technical or business constraints. Robust segmentation can however reduce residual risk where other controls are weak and positively influence the QSA's assessment, because it removes systems from scope rather than substituting for a required control.
How long does implementing network segmentation take?
For a medium-sized on-premise architecture, the typical project lasts 3 to 6 months, including design, implementation, testing and documentation. In the cloud the timelines are shorter, but the work requires specific skills. The critical factor is not the initial configuration but ongoing governance: change management, periodic reviews and the annual validation tests.
Want to reduce the PCI perimeter before even designing segmentation? Discover PCI Proxy EU.