PCI-DSS 4.0 Req 1.2 requires that network security controls are defined, implemented, and maintained; Req 1.3 prohibits direct connections between the internet and any component in the CDE. A flat network where your payment webhook receiver, application database, and CDE share a single VPC and security group means any web-layer compromise — SSRF, RCE in a dependency — provides direct lateral movement to cardholder data with no network barrier. CWE-668 (Exposure of Resource to Wrong Sphere) and NIST SC-7 (Boundary Protection) both require explicit network segmentation between trust zones. OWASP A05 (Security Misconfiguration) flags flat networks as a routine finding.
Severity is high because a non-segmented network allows lateral movement from an internet-facing component directly into the CDE, with no firewall or zone boundary that an attacker would have to breach first; one exploited webhook receiver is full CDE access.
Separate CDE resources into their own VPC or subnet with explicit security group rules that restrict cross-zone traffic. Internet traffic must transit a DMZ layer (ALB, WAF, or API Gateway) before reaching the application tier, and the application tier must use a separate security group from the CDE. Add an ASCII architecture diagram to docs/cde-architecture.md so the boundary is auditable.
# Dedicated CDE VPC
resource "aws_vpc" "cde" {
  cidr_block = "10.1.0.0/16"
  tags       = { Name = "cde-vpc" }
}

# CDE security group — only accepts traffic from app tier
# (aws_security_group.app is defined elsewhere; a rule that references a
# security group in another VPC requires the two VPCs to be peered)
resource "aws_security_group" "cde" {
  vpc_id = aws_vpc.cde.id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}
ID: ecommerce-pci.network-security.network-segmentation
Severity: high
What to look for: Count all VPCs, subnets, security groups, and network policies defined in infrastructure code (Terraform, CloudFormation, docker-compose, Kubernetes manifests). For each network zone, classify it as CDE, DMZ, or application tier. Count the number of security group ingress rules that restrict traffic between zones (not allow-all). Check for at least 2 distinct network zones with restricted cross-zone traffic.
Pass criteria: At least 2 distinct network zones exist (e.g., CDE VPC and application VPC, or CDE subnet and application subnet). Security groups or network policies restrict traffic between zones with at least 1 explicit ingress rule per zone boundary. Documentation or comments show the network architecture with CDE boundary. Report: "X network zones found, Y security groups, Z restricted ingress rules."
Fail criteria: Only 1 network zone (all services in a single VPC/security group), or no network segmentation in infrastructure code, or CDE and application traffic share the same security group.
Skip (N/A) when: All payment processing delegated to third-party (no CDE in your infrastructure — no payment webhook handling, no card data storage, no payment API routes).
Detail on fail: Describe the missing segmentation. Example: "All services in 1 security group (app-sg) with allow-all ingress on ports 0-65535. No CDE isolation. 0 distinct network zones found." or "No Terraform/CloudFormation/Kubernetes network configs found. Cannot determine CDE boundary."
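As an added example of how the counting and pass/fail rules above can be applied mechanically (it is not part of the check specification), the following Python evaluates the `planned_values` section of a `terraform show -json` document, classifying VPCs, subnets and security groups into CDE, DMZ and app zones by name. The name patterns, the `sg` helper, the "one restricted rule per zone boundary" reading of the pass criteria and both sample plans are constructed assumptions; the documentation criterion is not checked.

```python
import re

# Zone classification by name or Name tag; the patterns are an assumption of this example.
ZONE_PATTERNS = (("cde", re.compile(r"cde|cardholder", re.I)), ("dmz", re.compile(r"dmz|webhook|edge", re.I)))
PUBLIC = {"0.0.0.0/0", "::/0"}
ZONED_TYPES = ("aws_vpc", "aws_subnet", "aws_security_group")

def classify(name):
    return next((zone for zone, pat in ZONE_PATTERNS if pat.search(name or "")), "app")

def is_restricted(rule):
    """True when an ingress rule is scoped to a source zone rather than allow-all."""
    if rule.get("security_groups"):          # source is another security group
        return True
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs or cidrs & PUBLIC:          # no source, or open to the internet
        return False
    all_ports = rule.get("protocol") == "-1" or (rule.get("from_port") == 0 and rule.get("to_port") in (0, 65535))
    return not all_ports

def evaluate(plan):
    """Apply the pass/fail criteria to a `terraform show -json` document (as a dict)."""
    zones, sgs, restricted = set(), 0, 0
    for r in plan["planned_values"]["root_module"]["resources"]:
        vals = r.get("values") or {}
        if r["type"] in ZONED_TYPES:
            zones.add(classify(vals.get("name") or (vals.get("tags") or {}).get("Name") or r["name"]))
        if r["type"] == "aws_security_group":
            sgs += 1
            restricted += sum(is_restricted(rule) for rule in vals.get("ingress") or [])
    boundaries = max(len(zones) - 1, 0)      # one explicit rule per zone boundary
    status = "pass" if len(zones) >= 2 and restricted >= boundaries else "fail"
    report = f"{len(zones)} network zones found, {sgs} security groups, {restricted} restricted ingress rules"
    return {"status": status, "zones": sorted(zones), "report": report}

def sg(name, ingress):   # constructed aws_security_group entry in planned_values shape
    return {"type": "aws_security_group", "name": name, "values": {"name": name, "ingress": ingress}}

# Constructed sample plans, not real infrastructure.
SEGMENTED = {"planned_values": {"root_module": {"resources": [
    {"type": "aws_vpc", "name": "cde", "values": {"tags": {"Name": "cde-vpc"}}},
    {"type": "aws_vpc", "name": "main", "values": {"tags": {"Name": "main-vpc"}}},
    sg("dmz-sg", [{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]),
    sg("app-sg", [{"from_port": 443, "to_port": 443, "protocol": "tcp", "security_groups": ["sg-dmz"]}]),
    sg("cde-sg", [{"from_port": 5432, "to_port": 5432, "protocol": "tcp", "security_groups": ["sg-app"]}]),
]}}}
FLAT = {"planned_values": {"root_module": {"resources": [
    {"type": "aws_vpc", "name": "main", "values": {"tags": {"Name": "main-vpc"}}},
    sg("app-sg", [{"from_port": 0, "to_port": 65535, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]),
]}}}
```

Calling `evaluate(SEGMENTED)` reports three zones with two restricted rules and passes, while `evaluate(FLAT)` reports a single zone with no restricted rules and fails, matching the examples given under "Detail on fail".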
Remediation: Implement network segmentation. For AWS with Terraform:
# Create separate VPC for CDE
resource "aws_vpc" "cde" {
  cidr_block = "10.1.0.0/16"
  tags       = { Name = "cde-vpc" }
}

# Create security group for CDE
resource "aws_security_group" "cde" {
  vpc_id = aws_vpc.cde.id
  name   = "cde-sg"

  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.1.0.0/16"] # only from within the CDE VPC CIDR
  }

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    # only from app servers; referencing a security group in another VPC
    # requires the two VPCs to be peered
    security_groups = [aws_security_group.app.id]
  }

  # Outbound is left fully open here as a starting point. PCI-DSS Req 1.3
  # also restricts outbound traffic from the CDE, so narrow this to the
  # destinations the CDE actually needs (e.g. the app tier and the
  # payment processor) before relying on it for the boundary.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Create DMZ for payment webhook processing
# (aws_vpc.main is the existing application VPC, defined elsewhere)
resource "aws_security_group" "dmz" {
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # internet
  }
}
Document with ASCII diagram:
Internet
↓ HTTPS (443)
DMZ (Webhook Receiver)
↓ Internal (10.x.x.x)
App VPC (Microservices)
↓ (10.1.x.x)
CDE VPC (Database, Card Processing)