What is Network Segmentation?

Network segmentation is not explicitly required by PCI DSS but is strongly recommended because without it, the entire network is considered in scope for PCI DSS compliance. Effective segmentation uses firewalls, routers with access control lists, or network-based access control to create boundaries between the CDE and other network segments. The segmentation must be verified through penetration testing that specifically attempts to cross segment boundaries. PCI DSS v4.0 requires that segmentation controls be tested at least every six months for service providers and annually for merchants. Modern implementations often use micro-segmentation in cloud environments, software-defined networking, and zero-trust network access to achieve fine-grained isolation. Common mistakes include allowing overly broad firewall rules that effectively negate segmentation, failing to segment management interfaces, and not testing segmentation controls regularly. Organizations that implement robust network segmentation can reduce their CDE scope by 80% or more, dramatically lowering compliance costs and audit complexity.