What is Network Segmentation?

Network segmentation is the practice of dividing a computer network into separate zones to isolate systems that handle cardholder data from those that do not, reducing PCI DSS scope.

What Is Network Segmentation?

Network segmentation is the practice of dividing a computer network into smaller, isolated sections so that sensitive data and systems are separated from the rest of the environment. In the context of payment security, it means creating clear boundaries between the systems that handle card data and everything else on your network.

Imagine a hospital where the operating theatres, pharmacy, and general wards are all separated by secure doors with controlled access. Even if someone gained unauthorised access to the general ward, they could not simply walk into the operating theatre. Network segmentation works on the same principle -- it limits the blast radius of any security breach and keeps sensitive areas protected.

How Network Segmentation Works

At a technical level, segmentation is typically achieved through a combination of firewalls, virtual LANs (VLANs), access control lists, and routing rules. These controls create barriers between different parts of the network so that traffic can only flow between segments in ways that have been explicitly permitted; anything not permitted is dropped by default. Note that a VLAN on its own only separates broadcast domains: unless a firewall or ACL actually filters the traffic crossing the VLAN boundary, the two sides are not isolated from each other and will not count as segmented for PCI DSS purposes.

For a business handling card payments, the most important segmentation boundary is around the Cardholder Data Environment (CDE) -- the collection of systems, networks, and processes that store, process, or transmit card data. By isolating the CDE from the broader corporate network, organisations can dramatically reduce the scope of PCI DSS compliance. Systems outside the CDE that connect to it or can affect its security -- the boundary firewall itself, an administrative jump host, a log collector that receives CDE logs -- remain in scope even after segmentation, so the boundary should admit as few of these as possible.

Without segmentation, every device and system on your network is in scope for PCI DSS. That means every laptop, printer, and server would need to meet the standard's applicable requirements -- a hugely expensive and impractical undertaking for most businesses.
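As an added illustration (example code written for this page, not Paytia's own or any firewall vendor's), the following Python models the two properties a boundary control must have: traffic is evaluated against an ordered rule set, and anything not explicitly permitted is denied. The addresses, zone names and rules are constructed assumptions: 10.10.0.0/16 stands in for the corporate network, 10.20.0.0/24 for the CDE and 203.0.113.0/24 (a documentation range) for the payment processor. The `audit_cde_ingress` function is the kind of periodic rule review discussed under Practical Considerations below: it lists every allow rule into the CDE whose source is not on the approved list, independent of rule order, so it also catches a bad rule that a later deny happens to shadow today.

```python
"""Zone-based segmentation policy: ordered rules, first match wins, default deny.

Added example for this page. All addresses, hosts and rules are constructed
for illustration and are not Paytia's or any real environment's.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None means any port
    action: str          # "allow" or "deny"
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


# Constructed addressing (assumptions for the example).
CORP = "10.10.0.0/16"         # general corporate network, out of scope
CDE = "10.20.0.0/24"          # cardholder data environment
PROCESSOR = "203.0.113.0/24"  # payment processor (documentation range)
JUMP_HOST = "10.10.5.10/32"   # hardened admin jump host (connected-to, in scope)
SYSLOG = "10.10.50.20/32"     # central log collector (connected-to, in scope)

# The documented boundary: three narrow allows, then an explicit corp->CDE deny.
RULES: List[Rule] = [
    Rule(JUMP_HOST, CDE, "tcp", 22, "allow", "admin access only via the jump host"),
    Rule(CDE, PROCESSOR, "tcp", 443, "allow", "outbound to the payment processor"),
    Rule(CDE, SYSLOG, "tcp", 6514, "allow", "TLS syslog to the log collector"),
    Rule(CORP, CDE, "any", None, "deny", "corporate network never reaches the CDE"),
]

# A "minor" change someone inserted at the top of the list to get a report
# exported: it silently opens SMB from the whole corporate network into the CDE.
DRIFTED_RULES: List[Rule] = [
    Rule(CORP, CDE, "tcp", 445, "allow", "temporary: file share for reports"),
] + RULES


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action
    return "deny"


def audit_cde_ingress(rules: List[Rule], cde: str = CDE,
                      approved_sources: Tuple[str, ...] = (JUMP_HOST,)) -> List[Rule]:
    """List allow rules whose destination touches the CDE but whose source is
    not wholly inside an approved source. A periodic review expects an empty
    list; anything returned is a boundary that has drifted from the design.
    Every rule is checked regardless of its position in the list."""
    cde_net = ip_network(cde)
    findings = []
    for rule in rules:
        if rule.action != "allow" or not ip_network(rule.dst).overlaps(cde_net):
            continue
        src = ip_network(rule.src)
        if not any(src.subnet_of(ip_network(a)) for a in approved_sources):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    print(evaluate(RULES, "10.10.7.33", "10.20.0.15", "tcp", 445))          # deny
    print(evaluate(DRIFTED_RULES, "10.10.7.33", "10.20.0.15", "tcp", 445))  # allow
    for finding in audit_cde_ingress(DRIFTED_RULES):
        print("segmentation drift:", finding)
```

The same pattern applies to a real rule base: export the rules, normalise them into source, destination, protocol, port and action, and run the ingress audit against the documented list of approved sources on every change and at every periodic review.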

Key Segmentation Approaches

  • Physical segmentation uses entirely separate hardware -- different switches, routers, and cabling -- for the CDE. This is the most secure approach but also the most expensive
  • Logical segmentation uses VLANs, firewall rules, and software-defined networking to create virtual boundaries on shared hardware. This is more cost-effective and is the approach most organisations take
  • Micro-segmentation takes this further by applying granular controls at the individual workload or application level, often using software-defined networking tools

Why Segmentation Matters for PCI DSS

PCI DSS does not strictly require network segmentation, but it strongly recommends it -- and for good reason. Without segmentation, the entire network is in scope, which means every system must meet every applicable PCI DSS requirement. The cost, complexity, and ongoing effort of maintaining compliance across an entire unsegmented network is prohibitive for most organisations.

Effective segmentation reduces scope by confining card data to a small, well-defined area. This means fewer systems to secure, fewer systems to monitor, fewer systems to include in vulnerability scans, and a simpler, cheaper audit process. For many businesses, proper segmentation is the single most impactful step they can take to reduce their PCI compliance burden.

Segmentation in Telephone Payment Environments

Contact centres and businesses that take payments over the phone face particular challenges with network segmentation. The systems involved in a phone payment -- agent workstations, telephony platforms, call recording servers, CRM applications, and payment terminals -- are often deeply interconnected.

If card data passes through the voice channel (for example, if an agent hears the customer read out their card number), then the telephony infrastructure, the agent's workstation, and any recording systems all become part of the CDE. Segmenting these systems from the rest of the network is possible but adds significant complexity.

A more effective approach for many organisations is to prevent card data from entering the telephony environment in the first place. By using DTMF suppression technology, the card digits are captured directly from the caller's keypad and routed to the payment processor without ever passing through the agent's environment. This effectively removes the telephony systems from the CDE, making segmentation simpler and reducing compliance scope dramatically.

Practical Considerations

Segmentation is not something you set up once and forget. PCI DSS requires that segmentation controls are tested at least every six months for service providers and at least annually for merchants, and in both cases after any change to the segmentation controls or methods, to confirm they are still effective. Network changes, new applications, and infrastructure updates can all inadvertently break segmentation boundaries.

  • Document your network architecture clearly, showing all segmentation boundaries
  • Test segmentation controls regularly using penetration testing techniques, from every out-of-scope segment, to confirm that the CDE cannot be reached except through the documented paths
  • Review firewall rules and access control lists periodically to ensure they still reflect the intended boundaries
  • Be cautious with any network changes -- what seems like a minor update can create an unintended path into the CDE
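The test the list calls for, as an added example written for this page rather than Paytia's tooling or a PCI SSC script: run from a host in an out-of-scope segment (a corporate workstation, guest Wi-Fi, the admin jump host), it attempts a TCP connection to each CDE host on each port in the sweep and reports any host and port that answers and is not on the allowlist for that vantage point. The `probe` argument exists so the same logic can be exercised offline with a stub; the hosts, ports and allowlist below are constructed assumptions.

```python
"""Active segmentation check from an out-of-scope vantage point.

Added example for this page; hosts, ports and the allowlist are constructed
assumptions, not a real environment.
"""
import socket
import sys
from typing import Callable, Iterable, Set, Tuple

Endpoint = Tuple[str, int]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes. A refused connection (closed port)
    and a timeout (filtered, i.e. dropped by the boundary control) both count
    as unreachable; only a completed handshake is evidence of a path."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def segmentation_test(cde_hosts: Iterable[str], ports: Iterable[int],
                      allowlist: Set[Endpoint],
                      probe: Callable[[str, int], bool] = tcp_probe
                      ) -> Tuple[Set[Endpoint], Set[Endpoint]]:
    """Return (reachable, violations).

    reachable  - every (host, port) that accepted a connection from here
    violations - reachable endpoints not on the allowlist for this vantage
                 point; each one is an undocumented path into the CDE
    """
    reachable = {(h, p) for h in cde_hosts for p in ports if probe(h, p)}
    return reachable, reachable - allowlist


def report(violations: Set[Endpoint]) -> str:
    """Human-readable verdict; one line per undocumented path."""
    if not violations:
        return "PASS: no undocumented path into the CDE from this segment"
    lines = ["FAIL: %d undocumented path(s) into the CDE:" % len(violations)]
    lines += ["  %s:%d reachable" % ep for ep in sorted(violations)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed CDE inventory and port sweep. For a real test, sweep every
    # CDE address on all TCP ports (and UDP), for example with nmap -Pn -p-
    # from the same vantage point, and feed the open ports into this check.
    CDE_HOSTS = ["10.20.0.15", "10.20.0.20"]
    SWEEP_PORTS = [22, 80, 443, 445, 1433, 3389]
    # From a plain corporate workstation nothing in the CDE should answer.
    ALLOWED_FROM_HERE: Set[Endpoint] = set()
    _, violations = segmentation_test(CDE_HOSTS, SWEEP_PORTS, ALLOWED_FROM_HERE)
    print(report(violations))
    sys.exit(1 if violations else 0)
```

The allowlist is per vantage point: from a corporate workstation it should be empty, while from the admin jump host it would contain the management port on each CDE host and nothing else. Run the check from each segment that borders the CDE, keep the output with the change record, and treat it as a pre-check rather than a replacement for the independent penetration test PCI DSS expects.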

The Future of Segmentation

As businesses move to cloud-based and hybrid infrastructure, traditional network segmentation is evolving. Software-defined networking and zero trust architectures are changing how segmentation is implemented, moving away from perimeter-based boundaries towards identity-based access controls that verify every connection regardless of where it originates.

For contact centres, cloud migration is simplifying segmentation in many ways. Cloud-based telephony and payment platforms naturally separate different functions into distinct services, each with its own security boundary. When the payment service runs in its own isolated cloud environment with its own PCI DSS validation, much of the segmentation is built into the architecture rather than something the merchant needs to configure and maintain themselves. The merchant remains responsible for its own side of the boundary, however: PCI DSS requires it to keep track of which requirements each service provider covers and which remain its own, and any merchant system that still stores, processes, or transmits card data stays in scope.

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates network segmentation as part of its thorough security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What is network segmentation?

Network segmentation is the practice of dividing a computer network into separate zones to isolate systems that handle cardholder data from those that do not, reducing PCI DSS scope.

Why is network segmentation important for PCI DSS?

PCI DSS does not mandate network segmentation, but it strongly recommends it. Without segmentation the whole network is in scope, so every system must meet every applicable requirement; with it, the scope shrinks to the CDE and the systems connected to it, which makes compliance far cheaper and easier to maintain.

How does Paytia handle network segmentation?

Paytia implements network segmentation as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.

See how Paytia handles network segmentation

Book a personalised demo and we'll show you how our platform works with your setup.
