Segmenting Cardholder Data to Assist in PCI Compliance

Posted on 2011-10-25
Last Modified: 2013-12-06

Looking for experts on the PCI DSS today.  I ran a question by our ASV Scanner folks and got some interesting information not too long ago, but I'm not entirely sure he/she understood the question and now I want to verify what I've learned.

Let's say I have an internal corporate network that contains, amongst other things, a SQL server.  Let's also say that this SQL Server contains cardholder data.  According to the PCI DSS, I now have to implement the wide array of requirements listed in the DSS on all of the systems in the internal network.

Now let's say I create a second SQL server, and set it on its own, separate network.  I move the DB that contains the cardholder data onto that SQL server, and place a firewall between my new network and my old internal network (thereby creating two networks: the internal network and the network with cardholder data present).  I open a few ports between the networks, such as 25 for SMTP and any others that are needed.

After all of this, do I still need to apply all of the PCI DSS standards to the original, internal network?  Or do I have to apply the standards to just the new, cardholder data network?

For instance, DSS requirement 8.3 states: "Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties."  Does this requirement apply to my old, internal network if no cardholder data is stored there, with the proviso that there is a firewall between the internal network and the network that stores cardholder data?

I've attached an image to illustrate my Q.  Thanks in advance for your help!

Matt

[Attached image: Split Network]

Question by: mhentrich
    LVL 18

    Accepted Solution

    The PCI standards would only be needed for the portion of the network where the data resides, and obviously you would want to restrict traffic into and out of that part of the network to only what is necessary.  I'm working with a customer right now on putting their network data centers and card-processing operations behind firewalls so the entire network isn't subject to PCI requirements, only those specific areas.  

    You will probably want to think about other measures such as a web-application firewall to inspect inbound traffic for possible web server hijacking attempts.


    Author Comment


    Excellent, thanks!  That's what I was told, and I'm very glad to hear it.  We do have a Barracuda web-app firewall in our DMZ already, so we've got a head start there.  Most of our credit card orders come in over the phone and are run through a payment processing application, so that is where most of my headache will be.

    Let me ask you this: the DSS isn't very specific regarding which ports I can open before I'm creating a security gap.  My thoughts are that I would open SMTP ports, DNS ports, SMB ports, and SQL ports.  Is that too much, or can I still consider the cardholder environment separate and secure with those ports open?

    LVL 18

    Expert Comment

    The short answer is you open what you need but nothing else.  Anything you have open should be monitored, and if there's a risk, you need to mitigate the risk as much as possible, whether that's the web-app firewall, IDS, etc.
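The segmentation the thread describes, as an added example that is not part of the original thread: a Python model of the allow list between the internal LAN and the cardholder-data network, using constructed address ranges and hypothetical host names (payment app, mail relay, internal DNS, SQL Server), that evaluates candidate flows against a default-deny policy and renders the same policy as iptables rules.

```python
import ipaddress
from collections import namedtuple

# Constructed address ranges for the two networks in the question.
INTERNAL = ipaddress.ip_network("10.1.0.0/24")      # original corporate LAN
CDE = ipaddress.ip_network("10.2.0.0/24")           # new cardholder-data network
APP_SERVER = ipaddress.ip_address("10.1.0.10")      # hypothetical payment app host
MAIL_RELAY = ipaddress.ip_address("10.1.0.25")      # hypothetical SMTP relay
DNS_SERVER = ipaddress.ip_address("10.1.0.53")      # hypothetical internal DNS
SQL_SERVER = ipaddress.ip_address("10.2.0.5")       # SQL Server holding card data

Rule = namedtuple("Rule", "src dst proto dport note")

# Explicit allow list across the firewall; everything else is denied and logged.
# Each rule names a single host where possible so a whole subnet never gains
# access to the SQL Server. SMB is deliberately absent: add a rule only when a
# documented business need exists, as the expert's answer advises.
ALLOW = [
    Rule(APP_SERVER, SQL_SERVER, "tcp", 1433, "payment app -> SQL Server"),
    Rule(CDE, MAIL_RELAY, "tcp", 25, "CDE hosts -> mail relay (SMTP)"),
    Rule(CDE, DNS_SERVER, "udp", 53, "CDE hosts -> internal DNS"),
]

def _match(addr, scope):
    """True if addr equals a host scope or lies inside a network scope."""
    if isinstance(scope, ipaddress.IPv4Network):
        return addr in scope
    return addr == scope

def evaluate(src, dst, proto, dport):
    """Return ('ALLOW'|'DENY'|'SKIP', note) for one candidate flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    crosses = (src in INTERNAL and dst in CDE) or (src in CDE and dst in INTERNAL)
    if not crosses:
        return ("SKIP", "flow does not cross the segmentation boundary")
    for r in ALLOW:
        if _match(src, r.src) and _match(dst, r.dst) and (proto, dport) == (r.proto, r.dport):
            return ("ALLOW", r.note)
    return ("DENY", "not on allow list; log and investigate")

def to_iptables():
    """Render the allow list as a default-deny FORWARD chain with logging."""
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in ALLOW:
        lines.append(f"iptables -A FORWARD -s {r.src} -d {r.dst} -p {r.proto} "
                     f"--dport {r.dport} -m conntrack --ctstate NEW -j ACCEPT  # {r.note}")
    lines.append('iptables -A FORWARD -j LOG --log-prefix "CDE-DENY: "')
    return lines
```

Running evaluate over a proposed rule set before deploying it makes the "open what you need but nothing else" principle testable: any flow that returns DENY but is actually required shows up as a missing rule, and any unexpected ALLOW shows scope creep.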

    Author Closing Comment

    Perfect, thanks so much!!
