As CTO of an international fintech and an advisory board member to the Payment Card Industry Security Standards Council, I often spend my free time reading all things payments and security related – don’t judge me 😀.  

Recently, I re-read the
PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures information supplement – a big part of the updated guidance for achieving PCI compliance in PCI
DSS v4.  It is a lengthy but important read. And IMHO, it should be required reading for all CTOs, CIOs and CSOs whose business handles payments.  So, to help get you started, I put together a quick summary.

 The landscape of modern payment networks

Traditional network security models relied heavily on perimeter-based controls. However, with the rise of cloud computing, microservices, and zero-trust architectures, payment networks are now very dynamic and borderless. The network perimeter is less clear
than it was when everything was hosted on-premise. These advancements bring flexibility and scalability, but also introduce complexities in determining the scope of PCI DSS compliance and the ability to maintain effective network segmentation.

At its core, PCI DSS compliance ensures the protection of cardholder data by isolating the Cardholder Data Environment (CDE) from out-of-scope systems. The new guidance from the PCI SSC acknowledges the challenges posed by modern architectures and provides
strategies to address them:

Modern network challenges demand robust segmentation, device-level and transaction-based security.

• Multi-cloud environments: Many organizations run multiple cloud service providers. Integrating them requires robust segmentation strategies to manage the diverse configurations, while maintaining visibility across the platforms.
• Hybrid environments: Some organizations combine on-premise and cloud systems. Organizations that run this model must be focused on consistent security controls across both domains. 
• Zero-trust architectures: These models enforce least-privilege access and granular authentication. Your focus must shift from network perimeters to device-level and transaction-based security.

Segmentation best practices remain the same. 

• Nothing here has changed; effective segmentation reduced the scope of PCI DSS assessments. Make sure you focus your controls on the critical systems and segment your CDE.
• Tools like Software-Defined Networking (SDN) and service meshes offer advanced segmentation capabilities, such as micro-segmentation and real-time policy enforcement.

Verification through penetrating testing remains critical.

• Regular segmentation penetration tests are vital. These tests ensure that boundaries between in-scope and out-of-scope systems remain intact and highlight vulnerabilities that could compromise cardholder data.
• In zero-trust environments, tests must validate continuous authentication processes and the effectiveness of micro-segmentation controls.

Some practical recommendations

Modern networks are getting more and more distributed and complex and thus increasing the complexity of PCI DSS and potential for a data breach. In complex situations, first
principles thinking always works best for me. If asked, here is some practical guidance I would give that I use at Flywire.

1. Understand your data flow: Start with a comprehensive mapping of where cardholder data is stored, processed, and transmitted. Documenting and analyzing these flows helps establish the boundaries of your CDE.
2. Embrace automation and monitoring: Use tools, such as AI, for automated discovery, configuration management, and monitoring to maintain accurate scope definitions in dynamic environments. Regular updates to your inventor and diagrams are
   critical for compliance.
3. Adopt advanced segmentation tools: SDN enables dynamic policy and application and centralizes network control. Service meshes ensure service-to-service communication with features like mutual Transport Layer Security (TLS) and traffic monitoring.
4. Zero-trust is the future: Transition to zero-trust models where every user, device, and system must prove its legitimacy at every access point. PCI DSS is all about granular controls, and this is a great example of one.
5. Strengthen penetration testing: Penetration tests should go beyond basic port scans. Have a red team that incorporates real-world attack scenarios in order to evaluate the efficacy of your network segmentation.

In summary, the PCI DSS guidance is a great blueprint for tackling the complexities of modern payment networks. By aligning segmentation practices with evolving technologies like zero-trust and cloud-native architectures, we can ensure robust security while
optimizing compliance efforts.

All payments organizations should embrace these practices to establish a resilient foundation for the future of innovation in the payments ecosystem.