Network segmentation isolates CDE from non-cardholder systems
Why it matters
PCI-DSS 4.0 Req 1.2 requires that network security controls are defined, implemented, and maintained; Req 1.3 prohibits direct connections between the internet and any component in the CDE. A flat network where your payment webhook receiver, application database, and CDE share a single VPC and security group means any web-layer compromise — SSRF, RCE in a dependency — provides direct lateral movement to cardholder data with no network barrier. CWE-668 (Exposure of Resource to Wrong Sphere) and NIST SC-7 (Boundary Protection) both require explicit network segmentation between trust zones. OWASP A05 (Security Misconfiguration) flags flat networks as a routine finding.
Severity rationale
High because a non-segmented network allows lateral movement from an internet-facing component directly into the CDE with no firewall or zone boundary requiring breach — one exploited webhook is full CDE access.
Remediation
Separate CDE resources into their own VPC or subnet with explicit security group rules that restrict cross-zone traffic. Internet traffic must transit a DMZ layer (ALB, WAF, or API Gateway) before reaching the application tier, and the application tier must use a separate security group from the CDE. Add an ASCII architecture diagram to docs/cde-architecture.md so the boundary is auditable.
# Dedicated CDE VPC
resource "aws_vpc" "cde" {
  cidr_block = "10.1.0.0/16"
  tags       = { Name = "cde-vpc" }
}

# CDE security group — only accepts traffic from the app tier.
# aws_security_group.app is defined elsewhere (not shown); since it lives in a
# different VPC, referencing it here requires a VPC peering connection between
# the two VPCs, otherwise the rule cannot be applied.
resource "aws_security_group" "cde" {
  vpc_id = aws_vpc.cde.id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}
Detection
- ID: network-segmentation
- Severity: high
- What to look for: Count all VPCs, subnets, security groups, and network policies defined in infrastructure code (Terraform, CloudFormation, docker-compose, Kubernetes manifests). For each network zone, classify it as CDE, DMZ, or application tier. Count the number of security group ingress rules that restrict traffic between zones (not allow-all). Check for at least 2 distinct network zones with restricted cross-zone traffic.
- Pass criteria: At least 2 distinct network zones exist (e.g., CDE VPC and application VPC, or CDE subnet and application subnet). Security groups or network policies restrict traffic between zones with at least 1 explicit ingress rule per zone boundary. Documentation or comments show the network architecture with the CDE boundary. Report: "X network zones found, Y security groups, Z restricted ingress rules."
- Fail criteria: Only 1 network zone (all services in a single VPC/security group), or no network segmentation in infrastructure code, or CDE and application traffic share the same security group.
- Skip (N/A) when: All payment processing is delegated to a third party (no CDE in your infrastructure: no payment webhook handling, no card data storage, no payment API routes).
- Detail on fail: Describe the missing segmentation. Example:
  "All services in 1 security group (app-sg) with allow-all ingress on ports 0-65535. No CDE isolation. 0 distinct network zones found." or "No Terraform/CloudFormation/Kubernetes network configs found. Cannot determine CDE boundary."
- Remediation: Implement network segmentation. For AWS with Terraform:

  # Create separate VPC for CDE
  resource "aws_vpc" "cde" {
    cidr_block = "10.1.0.0/16"
    tags       = { Name = "cde-vpc" }
  }

  # Create security group for CDE
  # (aws_security_group.app and aws_vpc.main are defined elsewhere, not shown)
  resource "aws_security_group" "cde" {
    vpc_id = aws_vpc.cde.id
    name   = "cde-sg"

    ingress {
      from_port   = 5432
      to_port     = 5432
      protocol    = "tcp"
      cidr_blocks = ["10.1.0.0/16"] # only from CDE subnet
    }

    ingress {
      from_port       = 443
      to_port         = 443
      protocol        = "tcp"
      security_groups = [aws_security_group.app.id] # only from app servers
    }

    # Allow-all egress. Req 1.3 also covers outbound traffic from the CDE to the
    # internet, so narrow this to the destinations the CDE actually needs.
    egress {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  # Create DMZ for payment webhook processing
  resource "aws_security_group" "dmz" {
    vpc_id = aws_vpc.main.id

    ingress {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"] # internet
    }
  }

  Document with ASCII diagram:

  Internet
    ↓ HTTPS (443)
  DMZ (Webhook Receiver)
    ↓ Internal (10.x.x.x)
  App VPC (Microservices)
    ↓ (10.1.x.x)
  CDE VPC (Database, Card Processing)
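A checker that applies the "What to look for" and pass/fail criteria above to Terraform JSON-syntax (.tf.json) input, added here as an example; it is not part of the original check or of the ecommerce-pci import, and both sample configs (a segmented layout modelled on the remediation, and a flat one) are constructed.

```python
import json

WORLD = ("0.0.0.0/0", "::/0")  # "anywhere" CIDRs for IPv4 and IPv6

def ingress_rules(sg):
    """Return a group's ingress blocks as a list (.tf.json allows one object or a list)."""
    ing = sg.get("ingress", [])
    return [ing] if isinstance(ing, dict) else list(ing)

def is_allow_all(rule):
    """True for a rule open to the whole internet on every port (the flat-network case)."""
    cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
    every_port = rule.get("protocol") == "-1" or (rule.get("from_port") == 0 and rule.get("to_port") == 65535)
    return every_port and any(c in WORLD for c in cidrs)

def is_boundary_rule(rule):
    """A rule admitting only another security group or a non-public CIDR is an explicit zone-boundary rule."""
    if rule.get("security_groups"):
        return True
    cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
    return bool(cidrs) and not any(c in WORLD for c in cidrs)

def check_segmentation(cfg):
    """Apply this check's pass/fail criteria to one parsed Terraform JSON-syntax document."""
    res = cfg.get("resource", {})
    zones = len(res.get("aws_vpc", {})) + len(res.get("aws_subnet", {}))  # each VPC/subnet is a zone
    sgs = res.get("aws_security_group", {})
    rules = [r for sg in sgs.values() for r in ingress_rules(sg)]
    allow_all = sum(1 for r in rules if is_allow_all(r))
    boundary = sum(1 for r in rules if is_boundary_rule(r))
    # Fail on a single zone, on no explicit cross-zone rule, or on any allow-all ingress.
    status = "pass" if zones >= 2 and boundary >= 1 and allow_all == 0 else "fail"
    restricted = len(rules) - allow_all
    return {"status": status, "zones": zones, "security_groups": len(sgs), "restricted_ingress": restricted,
            "report": f"{zones} network zones found, {len(sgs)} security groups, {restricted} restricted ingress rules."}

# Constructed sample in Terraform JSON syntax modelled on the remediation above (not the page's own code).
SEGMENTED = json.loads("""{"resource": {
  "aws_vpc": {"main": {"cidr_block": "10.0.0.0/16"}, "cde": {"cidr_block": "10.1.0.0/16"}},
  "aws_security_group": {
    "dmz": {"vpc_id": "${aws_vpc.main.id}", "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
    "app": {"vpc_id": "${aws_vpc.main.id}", "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp", "security_groups": ["${aws_security_group.dmz.id}"]}]},
    "cde": {"vpc_id": "${aws_vpc.cde.id}", "ingress": [{"from_port": 5432, "to_port": 5432, "protocol": "tcp", "security_groups": ["${aws_security_group.app.id}"]}]}}}}""")

# Constructed flat network: one VPC and one allow-all group (the fail case described in the text).
FLAT = {"resource": {"aws_vpc": {"main": {"cidr_block": "10.0.0.0/16"}},
        "aws_security_group": {"app": {"vpc_id": "${aws_vpc.main.id}", "ingress": {
            "from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}}}}}
```

Run `check_segmentation(json.load(open("main.tf.json")))` against a real `.tf.json` file; HCL-syntax `.tf` files need a separate HCL parser first.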
External references
- pci-dss:4.0 · Req 1.2 — Network security controls are configured and maintained
- pci-dss:4.0 · Req 1.3 — Network access to and from the cardholder data environment is restricted
- cwe · CWE-668 — Exposure of Resource to Wrong Sphere
- nist:rev5 · SC-7 — Boundary Protection
- owasp:2021 · A05 — Security Misconfiguration
Taxons
History
- 2026-04-18·v1.0.0·Initial import from ecommerce-pci·automated