The conference room went silent when I asked the question: "Can you show me your network diagram?"
The CTO of a mid-sized e-commerce company looked uncomfortable. "We have one... somewhere," he said. His network engineer shifted in his seat. After twenty minutes of searching, they produced a Visio diagram that was three years old and, as we'd soon discover, bore little resemblance to their actual network.
This was day one of their PCI DSS compliance project. They were processing over $50 million in credit card transactions annually, and they had absolutely no idea where their cardholder data actually lived.
Six months later, after implementing proper network segmentation, their annual assessment scope decreased by 87%, their security improved dramatically, and their compliance costs dropped by $340,000 per year.
This is the power of network segmentation done right.
Why Network Segmentation Is Your Best Friend in PCI Compliance
After helping over 60 organizations achieve PCI DSS compliance, I can tell you this with absolute certainty: network segmentation is the single most impactful decision you'll make in your PCI compliance journey.
Here's why: PCI DSS applies to your entire Cardholder Data Environment (CDE)—every system that stores, processes, or transmits cardholder data, plus every system connected to it. Without segmentation, that can mean your entire network.
I once worked with a retail company that had 847 servers. Without segmentation, all 847 fell into PCI scope. After proper segmentation, only 23 servers remained in scope. They went from needing quarterly vulnerability scans on 847 systems to just 23. Their compliance program went from unmanageable to actually sustainable.
"Network segmentation isn't just about compliance—it's about making compliance possible in the first place."
Understanding the Cardholder Data Environment (CDE)
Before we dive into segmentation strategies, let's get crystal clear on what we're actually trying to isolate.
The Three Zones of PCI Scope
In my years doing PCI assessments, I've found it helpful to think about scope in three distinct zones:
Zone | Description | PCI Requirements | Example Systems |
|---|---|---|---|
Zone 1: CDE Core | Systems that directly store, process, or transmit cardholder data | Full PCI DSS requirements (all 12 requirements) | Payment gateway servers, payment applications, databases with card data, POS terminals |
Zone 2: Connected Systems | Systems that connect to the CDE but don't handle card data | Most PCI DSS requirements | Jump servers, management systems, authentication servers, backup systems |
Zone 3: Out of Scope | Systems completely isolated from the CDE | No PCI DSS requirements | Corporate network, development systems, marketing databases, HR systems |
The goal of segmentation is to minimize Zone 1 and Zone 2 while maximizing Zone 3.
What Actually Counts as Cardholder Data?
This might seem basic, but I've seen countless organizations get this wrong. Let me be crystal clear about what data triggers PCI scope:
Cardholder Data (always in scope):
Primary Account Number (PAN) - the 16-digit card number
Cardholder Name (when stored with PAN)
Service Code
Expiration Date
Sensitive Authentication Data (NEVER store these after authorization):
Full magnetic stripe data
CAV2/CVC2/CVV2/CID codes
PIN/PIN blocks
Here's a story that illustrates why this matters: I was called in to help a hotel chain after a breach. During the investigation, we discovered they were storing full magnetic stripe data in their property management system—data they had no business need for and were explicitly prohibited from storing.
When I asked why, the answer was "we've always done it that way." That decision cost them $4.2 million in fines and remediation costs.
The Business Case for Network Segmentation
Let me get practical about why segmentation matters beyond just checking compliance boxes.
Cost Reduction: The Numbers Don't Lie
I recently worked with an online retailer processing payments. Here's their before and after:
Cost Factor | Before Segmentation | After Segmentation | Annual Savings |
|---|---|---|---|
Quarterly vulnerability scans | 450 systems @ $45/system | 18 systems @ $45/system | $77,760 |
Annual penetration testing | Full network scope | CDE only | $125,000 |
Log management/SIEM | 450 systems | 18 systems | $180,000 |
Patch management overhead | 450 systems | 18 systems | $95,000 |
Assessment/audit costs | Level 1 scope | Reduced Level 1 scope | $85,000 |
TOTAL ANNUAL SAVINGS | $562,760 |
Their segmentation project cost $380,000. They achieved ROI in 8 months and continue to save over half a million dollars every year.
Security Benefits Beyond Compliance
But here's what really keeps me passionate about network segmentation—it's genuinely good security, not just compliance theater.
In 2021, I worked with a payment processor that experienced a sophisticated attack. The attackers compromised a marketing web server (which shouldn't have been anywhere near the CDE, but was on the same flat network).
Without segmentation, they would have had free reign to move laterally through the network to payment systems. But because this company had implemented proper segmentation with strict firewall rules, the attackers hit a wall. They couldn't pivot to payment systems. The breach was contained to non-sensitive marketing data.
The CISO told me later: "Segmentation saved our business. If they'd reached our payment systems, we'd have lost our ability to process cards. We'd have been done."
"Network segmentation turns your network from a single point of failure into a series of defensive barriers. Attackers might breach one zone, but they can't easily breach them all."
PCI DSS Requirements for Network Segmentation
Let's get into the technical requirements. PCI DSS Requirement 1 addresses network security controls, and proper segmentation is fundamental to meeting these requirements.
PCI DSS 4.0 Key Requirements for Segmentation
Requirement | What It Means | Why It Matters |
|---|---|---|
1.2.1 | Install and maintain network security controls to restrict connections between untrusted networks and the CDE | Creates the fundamental security boundary |
1.2.2 | Restrict inbound traffic to the CDE to only what's necessary | Minimizes attack surface |
1.2.3 | Restrict outbound traffic from the CDE to only what's necessary | Prevents data exfiltration |
1.3.1 | Network security controls are installed between all CDE segments | Creates defense in depth |
1.4.2 | Security controls prevent unauthorized outbound traffic from the CDE to the Internet | Stops malware command and control |
11.4.6 | Network segmentation is tested at least every six months | Ensures segmentation remains effective |
The Segmentation Testing Requirement (This Trips Up Everyone)
Here's something that catches organizations off guard: PCI DSS requires you to test your segmentation at least twice a year.
I've seen companies spend hundreds of thousands of dollars on beautiful network segmentation architecture, only to fail their assessment because they couldn't prove segmentation was working.
The requirement is clear: you must verify that segmentation controls are operational and preventing unauthorized access between network segments.
I worked with a financial services company that was absolutely certain their segmentation was solid. During testing, we discovered that a "temporary" firewall rule added six months earlier had created a path from the corporate network directly into the CDE. Nobody had noticed because they weren't testing regularly.
That "temporary" rule could have been a highway for attackers.
Network Segmentation Strategies: What Actually Works
Let me share the strategies I've seen succeed (and fail) in the real world.
Strategy 1: Physical Segmentation (The Gold Standard)
What it is: Completely separate physical networks with no connections between them.
Pros:
Easiest to understand and validate
Most secure option
Simplest to audit
Nearly impossible to accidentally bridge
Cons:
Most expensive
Least flexible
Requires duplicate infrastructure
Can hinder business operations
I worked with a payment processor that implemented physical segmentation. They had completely separate networks: one for payment processing, one for corporate functions. Different cables, different switches, different routers. A cable couldn't accidentally be plugged into the wrong network.
For their business—processing payments for thousands of merchants—the added security and simplified compliance was worth the infrastructure cost.
When to use it:
High-volume payment processors
Organizations with strict security requirements
Environments where cost isn't the primary concern
Situations where absolute certainty of isolation is needed
Strategy 2: Logical Segmentation with VLANs and Firewalls (The Practical Choice)
What it is: Using VLANs, firewalls, and access control lists to create isolated network segments on shared physical infrastructure.
Pros:
Cost-effective
Flexible and scalable
Easier to manage
Good balance of security and practicality
Cons:
More complex to implement correctly
Requires ongoing monitoring and testing
Misconfiguration can compromise segmentation
Requires skilled network engineers
This is what I recommend for 80% of organizations. It provides strong security when implemented correctly, at a fraction of the cost of physical segmentation.
Here's a real example from a mid-sized retailer I worked with:
Internet
↓
Border Firewall
↓
DMZ (Web Servers)
↓
Internal Firewall
├─→ CDE Network (VLAN 10)
│ ├─ Payment Gateway
│ ├─ Payment Database
│ └─ POS Systems
├─→ Corporate Network (VLAN 20)
│ ├─ Workstations
│ ├─ File Servers
│ └─ Email
└─→ Guest Network (VLAN 30)
└─ Isolated with Internet-only access
The key is that traffic between VLANs must pass through a firewall with strict rules. No VLAN routing between CDE and other networks.
Strategy 3: Microsegmentation with Software-Defined Networking
What it is: Using software-defined networking (SDN) and host-based firewalls to create granular security zones.
Pros:
Extremely granular control
Adapts dynamically to changes
Can segment within the CDE itself
Modern approach for cloud and hybrid environments
Cons:
Complex to implement
Requires specialized skills
Can be expensive
May be overkill for smaller environments
I helped a cloud-native payment platform implement microsegmentation. Every container, every service, every API endpoint had its own security policy. It was complex, but it meant that a compromise of one component couldn't spread.
During a red team exercise, the attackers managed to exploit a vulnerability in a payment reporting service. But microsegmentation prevented them from moving laterally to payment processing systems. The attack was contained to a single, non-critical service.
My Proven Network Segmentation Implementation Framework
After implementing segmentation for dozens of organizations, I've developed a framework that consistently delivers results. Here's exactly how I approach it:
Phase 1: Discovery and Documentation (Weeks 1-4)
Week 1-2: Data Flow Mapping
The first question I always ask: "Where does cardholder data actually flow?"
I use a systematic approach:
Discovery Activity | Method | Deliverable |
|---|---|---|
Network topology mapping | Automated scanning tools + manual verification | Complete network diagram |
Data flow analysis | Packet capture, application tracing, interviews | Data flow diagrams |
System inventory | Asset discovery tools + configuration review | Complete system inventory |
Connection mapping | Firewall logs, NetFlow data, application configs | Connection matrix |
Here's a critical lesson I learned the hard way: trust nothing, verify everything.
I once worked with a company that insisted cardholder data only existed in their payment database. During discovery, we found it in:
Application logs (developers were logging full PANs for debugging)
Backup systems (never secured properly)
Email servers (customer service was emailing receipts with full card numbers)
Reporting databases (someone had set up a data sync without thinking about security)
We found cardholder data in 34 different locations when they thought it was in 1.
Week 3-4: Current State Analysis
Document your current PCI scope:
Current Scope Assessment:
├─ Systems in Zone 1 (CDE Core): X systems
├─ Systems in Zone 2 (Connected): Y systems
├─ Systems in Zone 3 (Out of Scope): Z systems
└─ Systems with uncertain status: W systems (INVESTIGATE!)
Phase 2: Segmentation Design (Weeks 5-8)
This is where the magic happens. I work with teams to design a segmented architecture that balances security, compliance, and business needs.
Key Design Principles I Always Follow:
Minimize the CDE: The smaller the CDE, the easier compliance becomes
Explicit allow-lists: Only permit necessary traffic; deny everything else
Defense in depth: Multiple layers of segmentation
Fail secure: When in doubt, block traffic
Business continuity: Segmentation shouldn't break critical operations
Here's a segmentation design template I use:
Network Zone | Purpose | Allowed Inbound | Allowed Outbound | Security Controls |
|---|---|---|---|---|
DMZ | Public-facing web servers | Internet: 443/tcp | CDE: 8443/tcp; Internet: 443/tcp (patches) | IPS, WAF, DDoS protection |
CDE - Payment Gateway | Process card transactions | DMZ: 8443/tcp; Management: 22/tcp | Payment Processor: 443/tcp; Database: 3306/tcp | Firewall, IDS, host firewall |
CDE - Database | Store encrypted card data | Payment Gateway: 3306/tcp; Backup: 3306/tcp | Deny all | Firewall, encryption, host firewall |
Management Network | System administration | Corporate: 443/tcp | CDE: 22/tcp, 443/tcp | MFA, jump server, session recording |
Corporate Network | Business operations | Internet: 443/tcp | Internet: various; Management: 443/tcp | Standard enterprise security |
Phase 3: Implementation (Weeks 9-16)
Implementation must be phased to avoid business disruption. Here's my standard approach:
Week 9-10: Prepare Infrastructure
Deploy new firewalls/network equipment
Create VLANs and routing infrastructure
Set up monitoring and logging
Configure backup and recovery
Week 11-12: Implement Core Segmentation
Apply initial firewall rules (permissive at first)
Migrate systems to new network segments
Monitor traffic patterns
Identify required connections
Week 13-14: Tighten Security Controls
Convert from permissive to restrictive rules
Implement explicit deny-all default policies
Add intrusion detection/prevention
Enable detailed logging
Week 15-16: Validation and Refinement
Test all business functions
Perform segmentation validation testing
Document final configuration
Train operations team
Phase 4: Testing and Validation (Weeks 17-20)
This is non-negotiable. PCI DSS requires proof that segmentation works.
My Comprehensive Segmentation Testing Methodology:
Test Type | Purpose | Frequency | Pass Criteria |
|---|---|---|---|
Firewall Rule Review | Verify rules match design | Before each assessment | No unauthorized rules, no overly permissive rules |
Network Scan | Identify unauthorized paths | Bi-annually | No unexpected network paths between zones |
Penetration Testing | Attempt to bypass segmentation | Annually | Cannot pivot from out-of-scope to CDE |
Traffic Analysis | Monitor actual network flows | Monthly | All traffic matches expected patterns |
Configuration Audit | Verify consistent configuration | Quarterly | All systems match baseline configuration |
Phase 5: Ongoing Maintenance (Continuous)
Here's where most organizations fail: they think segmentation is a one-time project. It's not. It's an ongoing operational discipline.
I set up a maintenance framework for every client:
Monthly:
Review firewall change requests
Analyze traffic logs for anomalies
Verify no new paths to CDE
Update network documentation
Quarterly:
Configuration compliance checks
Rule optimization review
Sunset unused rules
Update data flow diagrams
Bi-Annually:
Full segmentation validation testing
Penetration testing focused on segmentation
Review and update segmentation strategy
Train new staff on segmentation controls
Common Segmentation Mistakes (And How to Avoid Them)
After seeing dozens of implementations, I've witnessed the same mistakes repeatedly. Let me save you from making them.
Mistake #1: "Set It and Forget It" Mentality
The Problem: I audited a company that implemented excellent segmentation two years prior. But nobody had reviewed it since. Over time, 47 firewall rules had been added—many with "temporary" in the description. Several created paths directly into the CDE from the corporate network.
The Solution: Treat segmentation like you treat your financial books—regular review and reconciliation are non-negotiable. Set up a formal change control process:
Firewall Change Request Process:
1. Business justification required
2. Security review and approval
3. Temporary rules expire automatically after 30 days
4. All rules reviewed quarterly
5. Annual cleanup of unused rules
Mistake #2: Over-Complicated Segmentation
The Problem: I've seen organizations create Byzantine network architectures with dozens of VLANs, complex routing, and hundreds of firewall rules. It becomes impossible to manage, understand, or audit.
One client had 127 different network segments when they really needed about 15. Their firewall had over 3,000 rules. When I asked the network engineer to explain the segmentation strategy, he couldn't—because it had grown organically with no overall design.
The Solution: Simplicity is security. Start with these basic zones:
Internet-facing DMZ
CDE (further subdivided if needed)
Management network
Corporate network
Guest network
Only add complexity when there's a clear security or business benefit.
"The best network segmentation design is the simplest one that meets your security requirements. Complexity is the enemy of both security and compliance."
Mistake #3: Ignoring Encrypted Tunnels and VPNs
The Problem: Firewalls can't inspect what they can't see. Encrypted tunnels can bypass your carefully designed segmentation.
I discovered this at a healthcare provider. They had solid segmentation, but developers had set up an encrypted SSH tunnel from their workstations (on the corporate network) directly to production database servers (in the CDE) to make debugging easier.
From a compliance perspective, that encrypted tunnel meant the entire corporate network was now connected to the CDE—destroying their segmentation.
The Solution:
Explicitly block or tightly control VPN and tunnel protocols
Use application-layer gateways that can inspect encrypted traffic
Implement host-based controls that prevent unauthorized tunnels
Monitor for tunnel establishment attempts
Mistake #4: Weak Management Network Security
The Problem: Management networks need access to the CDE for administration. But if the management network isn't secured, it becomes a backdoor.
I've seen this pattern too many times:
IT workstations on corporate network
Those workstations can access management network
Management network can access CDE
Result: Corporate network is effectively connected to CDE
The Solution: Implement a jump server architecture:
Security Layer Architecture:
Corporate Network
↓ (MFA Required)
Jump Server (hardened, monitored, session recorded)
↓ (MFA + IP restriction)
Management Network
↓ (Strict ACLs)
CDE
Mistake #5: Inadequate Monitoring and Alerting
The Problem: Segmentation without monitoring is security theater. You need to know if someone is trying to bypass your controls.
The Solution: Implement comprehensive monitoring:
What to Monitor | Why It Matters | Alert Threshold |
|---|---|---|
Denied connections | Unauthorized access attempts | Any denied connection to CDE |
New firewall rules | Potential segmentation bypass | Any rule change |
Unusual traffic patterns | Potential compromise | Traffic from unexpected sources |
Configuration changes | Drift from baseline | Any configuration modification |
VPN/tunnel establishment | Potential segmentation bypass | Any tunnel to/from CDE |
Real-World Segmentation Architectures
Let me show you three actual architectures I've implemented, adapted for different scenarios.
Architecture 1: Small E-Commerce Business
Scenario: $5M annual card transactions, hosted payment page, 15 employees
├─ Internet-Facing (DMZ)
│ └─ Web Server (no card data - uses hosted payment page)
│ ↓ (sends customer to payment page)
│
├─ Payment Processor (Third-Party SaaS)
│ └─ Handles all card data
│ ↓ (sends token back)
│
└─ Internal Network (OUT OF SCOPE!)
├─ Order management (stores tokens only)
├─ Employee workstations
└─ Business systemsThis business eliminated their CDE entirely by using a hosted payment page. Their PCI compliance became a SAQ A questionnaire instead of a full Report on Compliance. Annual savings: $180,000+.
Architecture 2: Mid-Sized Retailer with Stores
Scenario: 50 retail locations, central payment processing, $45M annual transactions
Internet
↓
Border Firewall
├─→ DMZ (Web Servers - token-based checkout)
│
├─→ CDE Network (VLAN 100)
│ ├─ Payment Gateway
│ ├─ Token Vault
│ ├─ Encrypted Database
│ └─ Store POS Systems (via secure VPN)
│
├─→ Management Network (VLAN 200)
│ ├─ Jump Servers (MFA required)
│ └─ Monitoring Systems
│
└─→ Corporate Network (VLAN 300)
├─ Employee Workstations
├─ Email/Office
└─ Business Applications (using tokens)
This architecture kept the CDE small while supporting 50 retail locations. Key features:
Site-to-site VPNs from stores terminate in CDE
Corporate users cannot access CDE directly
Management requires MFA and uses jump servers
Tokens used everywhere outside CDE
Architecture 3: Payment Service Provider (Complex Environment)
Scenario: Processing for 500+ merchants, complex integrations, $500M annual transactions
Internet
↓
Multi-Layer Firewall + IPS + DDoS Protection
↓
├─ External DMZ (VLAN 10)
│ ├─ Load Balancers
│ └─ API Gateways (TLS termination)
│ ↓
├─ Application DMZ (VLAN 20)
│ ├─ Web Application Servers
│ └─ API Processing Servers
│ ↓
├─ CDE - Processing (VLAN 100)
│ ├─ Payment Processing Engine
│ ├─ Tokenization Service
│ └─ Fraud Detection Systems
│ ↓
├─ CDE - Data (VLAN 110)
│ ├─ Primary Database (encrypted)
│ ├─ Replica Databases
│ └─ Backup Systems
│ ↓
├─ Management (VLAN 200)
│ ├─ Jump Servers (MFA + IP restriction)
│ ├─ SIEM/Log Aggregation
│ └─ Security Monitoring
│ ↓
├─ Development (VLAN 300 - OUT OF SCOPE)
│ ├─ Dev/Test Environments
│ └─ No production data allowed
│ ↓
└─ Corporate (VLAN 400 - OUT OF SCOPE)
├─ Office Systems
└─ No connection to CDE
This environment has microsegmentation within the CDE itself:
Processing layer separated from data layer
Each service has its own security policy
Development completely isolated
Multiple layers of security between Internet and cardholder data
Tools and Technologies That Make Segmentation Easier
After years of implementation experience, here are my go-to tools:
Network Security Tools
Tool Category | Recommended Solutions | Why I Use Them |
|---|---|---|
Next-Gen Firewalls | Palo Alto, Fortinet, Cisco ASA | Deep packet inspection, application awareness, excellent logging |
Network Monitoring | SolarWinds, Nagios, Zabbix | Traffic analysis, performance monitoring, anomaly detection |
SIEM | Splunk, LogRhythm, IBM QRadar | Centralized logging, compliance reporting, threat detection |
Vulnerability Scanning | Nessus, Qualys, Rapid7 | PCI ASV compliance, continuous monitoring, asset discovery |
Network Access Control | Cisco ISE, Aruba ClearPass | Device authentication, posture assessment, dynamic segmentation |
Cost-Benefit Analysis: Is Segmentation Worth It?
Let me answer this question with real numbers from a composite of several clients.
Investment Required
Initial Implementation (One-Time Costs):
Item | Cost Range | Notes |
|---|---|---|
Network equipment (firewalls, switches) | $50,000 - $200,000 | Depends on environment size |
Professional services (design + implementation) | $75,000 - $250,000 | 3-6 month project |
Internal labor (IT team time) | $40,000 - $100,000 | Significant staff time required |
Testing and validation | $15,000 - $40,000 | Initial segmentation testing |
Documentation and training | $10,000 - $25,000 | Procedures, training materials |
TOTAL INITIAL INVESTMENT | $190,000 - $615,000 | Wide range based on complexity |
Ongoing Costs (Annual):
Item | Annual Cost | Notes |
|---|---|---|
Semi-annual segmentation testing | $20,000 - $40,000 | PCI requirement |
Monitoring and maintenance | $30,000 - $60,000 | Staff time |
Equipment maintenance/licenses | $15,000 - $40,000 | Support contracts |
TOTAL ANNUAL COSTS | $65,000 - $140,000 | Ongoing operational expenses |
Return on Investment
Annual Savings from Reduced Scope:
Benefit | Annual Savings | Explanation |
|---|---|---|
Reduced ASV scanning costs | $40,000 - $80,000 | Fewer systems to scan quarterly |
Lower penetration testing costs | $60,000 - $120,000 | Smaller test scope |
Reduced log management/SIEM | $50,000 - $150,000 | Fewer systems generating logs |
Lower patch management overhead | $30,000 - $70,000 | Fewer systems requiring PCI patching |
Simplified audit process | $40,000 - $100,000 | Less complex assessments |
Reduced compliance staff time | $50,000 - $100,000 | Less time managing compliance |
TOTAL ANNUAL SAVINGS | $270,000 - $620,000 | Substantial ongoing savings |
Break-Even Analysis:
For a typical mid-sized organization:
Initial investment: ~$350,000
Annual savings: ~$400,000
Break-even: 10-11 months
After year one, you're saving money every year while maintaining better security.
My Final Advice After 15+ Years
Network segmentation transformed my approach to security. Early in my career, I thought it was just a compliance checkbox. Now I understand it's fundamental security architecture.
Here are my core principles, learned through success and failure:
1. Start with the data: Map where cardholder data actually flows before designing anything.
2. Simplicity wins: The most elegant solution is usually the simplest one that meets requirements.
3. Defense in depth: Multiple layers of segmentation provide better protection than a single boundary.
4. Trust but verify: Test your segmentation regularly. Assumptions kill compliance programs.
5. Document obsessively: If it's not documented, it doesn't exist for PCI purposes.
6. Automation is your friend: Manual processes don't scale; automate monitoring and testing.
7. Culture matters: Segmentation fails when the organization doesn't understand its importance.
"Perfect segmentation doesn't exist. But good segmentation, consistently maintained, will protect your business when everything else fails."
Your Segmentation Roadmap
If you're starting your segmentation journey, here's my recommended path:
Months 1-2: Foundation
Complete data discovery
Map current network topology
Identify all systems in CDE
Document current state
Build business case
Months 3-4: Design
Develop segmentation architecture
Design firewall rule sets
Plan implementation phases
Get stakeholder buy-in
Procure equipment/services
Months 5-7: Implementation
Deploy infrastructure
Migrate systems to new segments
Implement firewall rules
Configure monitoring
Train operations team
Months 8-9: Validation
Conduct segmentation testing
Perform penetration testing
Fix identified issues
Document final architecture
Prepare for assessment
Month 10+: Maintenance
Implement change control
Regular monitoring and testing
Continuous improvement
Stay ahead of threats
The Bottom Line
Network segmentation is hard. It requires investment, expertise, and ongoing commitment. But after helping dozens of organizations through this journey, I can tell you with certainty:
It's worth every penny and every hour you invest.
The organizations that get segmentation right don't just achieve compliance—they build resilient, secure, and manageable payment environments. They sleep better at night knowing that even if an attacker breaches their perimeter, they can't easily reach the crown jewels.
And when (not if) an incident occurs, proper segmentation is often the difference between a minor security event and a catastrophic breach that destroys the business.
Choose segmentation. Choose security. Choose long-term success.