New Information Supplement: PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures

The PCI Security Standards Council (PCI SSC) has published a new Information Supplement: PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures. This document was produced by the 2023 Special Interest Group (SIG), the members of which provided their extensive payment security expertise and technical knowledge around best practices, guidance, and real-world scenarios for applying PCI DSS scoping and segmentation techniques in a variety of modern network architectures.   

The adoption of modern network architectures, including those developed to support cloud services and zero trust networks, has become more prevalent in the payment ecosystem. It is now common to see hybrid cardholder data environment (CDE) setups that include multi-cloud environments alongside traditional network architecture. Organizations are trying to understand and address the impact this new technology is having on traditional PCI DSS scoping and segmentation practices. This document provides guidance on best practices to consider in these scenarios, and includes:   

• Determining the impact of zero trust architecture on PCI DSS scope and network segmentation. 
• Defining PCI DSS scope boundaries in micro-segmentation and multi-cloud implementations.  
• How to develop and maintain a PCI DSS asset inventory given the ephemeral nature of cloud-hosted microservices and systems. 
• Identifying risks associated with the implementation of modern network architectures given the complexity of modern system configurations. 
• Guidance on specific PCI DSS requirements for verifying scope and segmentation controls.  

*Note: The guidance document is intended for use by merchants, service providers, and assessors to provide entities with background knowledge, actionable guidance, and practical examples to assist in defining PCI DSS scope and applying segmentation practices in modern network architectures. The guidance provided in this document is supplemental and does not supersede or replace any PCI standard.  

Read the informational supplement here. 

This information supplement resulted from a PCI SSC SIG. This topic was proposed and selected by PCI SSC Participating Organizations as part of the Council’s SIG election process. SIGs are community-driven initiatives that focus on payment security challenges related to PCI Security Standards. SIGs promote collaboration between industry representatives, subject matter experts, the Council, and the Participating Payment Brands to allow the development of practical payment security resources.  

Also on the blog: PCI SSC Announces 2023 Special Interest Group Election Results