Segmentation Defined
PCI DSS v4.0 specifies that effective segmentation separates the CDE from out-of-scope environments, minimizing the risk of unauthorized access to cardholder data.
Key Requirements for Segmentation
Network traffic between the CDE and out-of-scope networks must be completely prevented. This ensures that out-of-scope systems cannot introduce risks to the CDE.
Methods like firewalls, ACLs (Access Control Lists), and other technologies may be used to enforce segmentation.
Incorrect Options
Monitoring or logging traffic (Options A and B) without preventing access does not achieve segmentation.
Virtual LANs (Option C) alone are insufficient unless properly configured to enforce traffic isolation.
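As an added illustration (not part of the original explanation or of PCI DSS itself), the check below models the three cases above: log-only rules, VLANs with inter-VLAN routing and no ACL, and an explicit deny. The address ranges and the simple first-match rule model are constructed assumptions; real firewall policies also carry permitted in-scope flows, which this check does not need to inspect.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample address plan (placeholders, not from any real environment).
CDE = [ipaddress.ip_network("10.10.0.0/24")]
OUT_OF_SCOPE = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("192.168.1.0/24")]

@dataclass(frozen=True)
class Rule:
    """One first-match rule. action is 'permit', 'deny' or 'log'; 'log' records the
    flow without stopping it, i.e. the monitoring-only case that fails segmentation."""
    src: str
    dst: str
    action: str

def first_match(rules, src, dst) -> Optional[Rule]:
    """Return the first rule whose src/dst networks contain the given flow, or None."""
    for r in rules:
        if ipaddress.ip_network(r.src).supernet_of(src) and ipaddress.ip_network(r.dst).supernet_of(dst):
            return r
    return None

def segmentation_gaps(rules, default_action="permit"):
    """List every (src, dst, effective action) between out-of-scope and CDE networks
    that is not denied. default_action is what happens when nothing matches: 'permit'
    for plain inter-VLAN routing, 'deny' for a firewall with an implicit deny."""
    gaps = []
    for oos in OUT_OF_SCOPE:
        for cde in CDE:
            for src, dst in ((oos, cde), (cde, oos)):  # both directions must be prevented
                r = first_match(rules, src, dst)
                action = r.action if r else default_action
                if action != "deny":
                    gaps.append((str(src), str(dst), action))
    return gaps

def is_segmented(rules, default_action="permit") -> bool:
    return not segmentation_gaps(rules, default_action)

# Options A/B: the traffic is monitored or logged but never blocked.
LOG_ONLY = [Rule("0.0.0.0/0", "10.10.0.0/24", "log"), Rule("10.10.0.0/24", "0.0.0.0/0", "log")]
# Option C: separate VLANs, inter-VLAN routing, no ACL: nothing matches, so traffic flows.
VLAN_ONLY = []
# Correct answer: traffic between the CDE and out-of-scope networks is denied both ways.
ENFORCED = [Rule("0.0.0.0/0", "10.10.0.0/24", "deny"), Rule("10.10.0.0/24", "0.0.0.0/0", "deny")]

if __name__ == "__main__":
    for name, rules in (("log only", LOG_ONLY), ("VLAN only", VLAN_ONLY), ("enforced", ENFORCED)):
        print(name, "segmented" if is_segmented(rules) else f"gaps: {segmentation_gaps(rules)}")
```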