PCI-DSS Requirement 1 mandates the installation and maintenance of network security controls (previously referred to as "firewalls and routers") to protect the cardholder data environment. Proper network segmentation is the most effective way to reduce PCI-DSS scope and limit the impact of a potential breach.

CDE Boundaries

The CDE boundary defines the perimeter within which all systems that store, process, or transmit cardholder data reside. Everything inside this boundary is subject to the full set of PCI-DSS requirements. The Network Security module in Venvera helps you document and manage these boundaries.

Network Segmentation

Segmentation isolates the CDE from other networks, reducing the number of systems subject to PCI-DSS requirements. Venvera supports documenting the following segment types:

  • CDE: The cardholder data environment itself — systems that directly handle CHD/SAD
  • Connected-to-CDE: Systems with network connectivity to the CDE but that do not directly handle CHD
  • DMZ: Demilitarised zone — the buffer network between the public internet and internal networks, hosting public-facing services
  • Out of Scope: Networks fully isolated from the CDE through validated segmentation controls
  • Wireless: Wireless networks, which require special attention if they connect to or are adjacent to the CDE

Adding Network Segments

To document a network segment:

  1. Navigate to PCI-DSS → Network Security
  2. Click Add Segment
  3. Enter the segment name and description
  4. Select the segment type (CDE, Connected-to-CDE, DMZ, Out of Scope, Wireless)
  5. Record the IP range and VLAN ID
  6. Document the firewall rules governing traffic in and out of the segment
  7. Describe data flows in and out of the segment
  8. Select the isolation method (firewall, VLAN, physical, cloud VPC, micro-segmentation)
  9. Set the last validation date and responsible person
  10. Save the entry

Segmentation Validation

PCI-DSS Requirement 11.4.5 requires that segmentation controls be validated through penetration testing at least every six months for service providers and annually for merchants. Segmentation validation must confirm that:

  • Out-of-scope networks cannot reach the CDE
  • CDE-to-CDE traffic is restricted to only what is necessary
  • Connected-to-CDE systems have appropriate access restrictions
  • Wireless networks are properly segmented from the CDE

Firewall Rules & Data Flow Mapping

For each network segment, document:

  • Inbound rules — What traffic is permitted into the segment, from which sources, on which ports
  • Outbound rules — What traffic is permitted out of the segment, to which destinations
  • Default deny — All traffic not explicitly permitted must be denied (Requirement 1.2.1)
  • Business justification — Every permitted rule must have a documented business justification
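As an added example (not part of Venvera or of this page), the segmentation-validation checks listed earlier and the rule-documentation points in this section can be turned into a static check over a documented rule set: allowed traffic from Out of Scope or Wireless segments into the CDE, allow rules without a business justification, overlapping segment address ranges, and a missing final default-deny rule are all reported. The segment names, addresses and rules below are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Segment:
    name: str
    seg_type: str  # CDE, Connected-to-CDE, DMZ, Out of Scope, Wireless
    cidr: str
@dataclass
class Rule:
    src: str  # segment name, or "*" for the catch-all deny rule
    dst: str  # segment name, or "*"
    port: int  # 0 means any port
    action: str  # "allow" or "deny"
    justification: str = ""
def check_policy(segments, rules):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, seg = [], {s.name: s for s in segments}
    # Overlapping address ranges make an "out of scope" claim unverifiable.
    nets = [(s.name, ipaddress.ip_network(s.cidr)) for s in segments]
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"segments {a} and {b} have overlapping ranges")
    for r in rules:
        if r.action != "allow":
            continue
        if not r.justification.strip():
            findings.append(f"allow {r.src}->{r.dst}:{r.port} lacks a business justification")
        if r.dst in seg and seg[r.dst].seg_type == "CDE":
            src_type = seg[r.src].seg_type if r.src in seg else "ANY"
            if src_type in ("Out of Scope", "Wireless", "ANY"):
                findings.append(f"{src_type} source {r.src} is allowed into CDE segment {r.dst}")
    # Default deny (Requirement 1.2.1): the set must end with an explicit catch-all deny.
    if not rules or (rules[-1].src, rules[-1].dst, rules[-1].action) != ("*", "*", "deny"):
        findings.append("rule set does not end with an explicit default-deny rule")
    return findings

# Constructed sample inventory with placeholder addresses, seeded with four defects.
SEGMENTS = [
    Segment("cde-core", "CDE", "10.10.0.0/24"),
    Segment("app-tier", "Connected-to-CDE", "10.20.0.0/24"),
    Segment("guest-wifi", "Wireless", "192.168.50.0/24"),
    Segment("corp-lan", "Out of Scope", "10.10.0.0/16"),  # overlaps the CDE range
]
RULES = [
    Rule("app-tier", "cde-core", 5432, "allow", "Payment app writes to the token vault"),
    Rule("guest-wifi", "cde-core", 443, "allow", "Convenience"),  # Wireless into CDE
    Rule("cde-core", "app-tier", 8443, "allow"),  # no justification, and no final deny
]
```

Calling check_policy(SEGMENTS, RULES) on the sample returns one finding per seeded defect; a rule set that ends with Rule("*", "*", 0, "deny") and carries a justification on every allow rule returns an empty list.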

DMZ Architecture

PCI-DSS requires a DMZ to be implemented to limit inbound traffic to only system components that provide authorised publicly accessible services (Requirement 1.4). Key DMZ principles:

  • Only necessary services are exposed to the public internet
  • Inbound internet traffic is restricted to IP addresses within the DMZ
  • Internal addresses cannot pass from the internet into the CDE
  • Anti-spoofing measures are implemented
  • Outbound traffic from the CDE to the internet is explicitly authorised

Wireless Security

If wireless networks are used within or adjacent to the CDE:

  • Change wireless vendor defaults (keys, passwords, SNMP community strings)
  • Use industry-standard encryption for wireless authentication and transmission (WPA3 or WPA2 Enterprise)
  • Implement rogue wireless access point detection (Requirement 11.2.1)
  • Document the wireless environment and its segmentation from the CDE
  • Run quarterly wireless analyser scans to detect unauthorised wireless access points