Segmentation Defined
PCI DSS v4.0 specifies that effective segmentation separates the CDE from out-of-scope
environments, minimizing the risk of unauthorized access to cardholder data.
Key Requirements for Segmentation
Network traffic between the CDE and out-of-scope networks must be completely prevented. This
ensures that out-of-scope systems cannot introduce risks to the CDE.
Methods like firewalls, ACLs (Access Control Lists), and other technologies may be used to enforce
segmentation.
Incorrect Options
Monitoring or logging traffic (Options A and B) without preventing access does not achieve
segmentation.
Virtual LANs (Option C) alone are insufficient unless properly configured to enforce traffic isolation.