By NHI Mgmt Group Editorial TeamPublished 2026-06-14Domain: Cyber SecuritySource: Elisity

TL;DR: PCI DSS 4.0 does not require network segmentation, but it makes segmentation the practical mechanism for shrinking cardholder data environment scope, with documented, justified, and penetration-tested boundaries under Requirements 1.2.6 and 11.4.1, per the PCI Security Standards Council. Scope reduction is an architecture decision that directly changes cost, testing burden, and residual risk.


At a glance

What this is: PCI DSS 4.0 treats segmentation as the main way to reduce cardholder data environment scope, while requiring the boundary to be documented, justified, and tested.

Why it matters: For IAM and security teams, the lesson is that access boundaries only reduce risk when they are provable, because any path into the CDE preserves scope and assessment burden.

By the numbers:

  • PCI DSS 3.2.1 was retired on March 31, 2024, leaving 4.0 as the only active version.
  • The future-dated requirements introduced in PCI DSS 4.0 became mandatory on March 31, 2025.

👉 Read Elisity's guide to PCI DSS 4.0 segmentation and CDE scope reduction


Context

PCI DSS 4.0 segmentation is a scoping control before it is a network design choice. The standard does not force segmentation, but it makes the Cardholder Data Environment smaller only when access paths are demonstrably cut, which is why the primary question for practitioners is not whether to segment, but whether the boundary can be proven.

That distinction matters to IAM and security teams because the same governance logic appears across privileged access, workload access, and non-human identity control. If a system can still reach the CDE, it remains in scope, so segmentation, identity, and privilege controls have to be assessed together rather than treated as separate compliance tasks.


Key questions

Q: How should security teams implement PCI DSS 4.0 segmentation without creating hidden scope creep?

A: Start by mapping every system that can store, process, transmit, or influence card data, then prove which systems truly cannot reach the CDE. Document each allowed path, assign ownership, and retest after significant change. The goal is not a neat diagram. It is a boundary that remains defensible under assessment and penetration testing.

Q: Why do segmentation failures often turn into IAM and PAM problems as well?

A: Because network isolation can be undermined by privileged identities that cross the boundary through jump hosts, management tools, or service accounts. If those credentials are overbroad, the CDE remains reachable even when the network looks segmented. PCI scoping has to include identity and privilege paths, not just firewall rules.

Q: What signals show that PCI segmentation is still working as intended?

A: Look for a small and stable set of approved paths into the CDE, regular validation results from segmentation testing, and a low volume of temporary exceptions. If new systems can reach card data without a documented justification, or if test results depend on tribal knowledge, the boundary is degrading.

Q: Which frameworks help teams align segmentation with compliance and control testing?

A: PCI DSS v4.0 is the primary standard for payment environments, but NIST SP 800-53 and NIST SP 800-207 help teams connect segmentation to access control, auditability, and zero trust design. Use them together to translate boundary design into measurable control objectives.


Technical breakdown

How PCI DSS scoping turns segmentation into a control boundary

The Cardholder Data Environment includes systems that store, process, or transmit card data, plus connected or security-impacting systems that can affect it. PCI DSS then treats segmentation as the mechanism that removes systems from scope by proving they cannot reach or influence the CDE. In practice, that means the boundary is not a diagram. It is an enforced set of allowed paths, service rules, and administrative access constraints. If the assessor cannot trust the isolation, the systems remain in scope. This is why scoping, segmentation, and least privilege are inseparable in PCI programs.

Practical implication: Practitioners should document every path into the CDE and treat any unproven path as in scope until testing confirms isolation.

Why Requirement 11.4.1 makes segmentation an evidence problem

PCI DSS 4.0 expects segmentation to be validated through penetration testing, not just configuration review. Requirement 11.4.1 requires the methodology to include testing that demonstrates out-of-scope networks cannot reach the CDE. That makes segmentation an evidence problem: the boundary must survive active bypass attempts, change control, and periodic retesting. The practical consequence is that segmentation only reduces audit scope when the organization can show the test result, the testing method, and the change history that keeps the boundary trustworthy over time.

Practical implication: Build segmentation testing into change management so scope reduction is never based on stale assumptions.

How identity-based microsegmentation changes the PCI scope model

Traditional network segmentation works at the zone level, but identity-based microsegmentation narrows policy to a specific device or workload. That matters in PCI environments because many connected systems are operational devices that cannot run agents cleanly, and static IP-based rules tend to drift as addresses change. Identity-based enforcement keeps the policy attached to the asset itself, which makes the boundary more precise and easier to reason about. It does not remove PCI obligations, but it can reduce the number of systems that need to be treated as inside the CDE when the policy is enforced consistently.

Practical implication: Use identity-aware policy where possible, then verify that the CDE boundary still passes the required segmentation test.


NHI Mgmt Group analysis

Segmentation is a governance decision, not a network preference. PCI DSS 4.0 shows that the real control question is who and what can still affect the CDE after the boundary is drawn. If the answer is too broad, scope expands with it, and the assessment burden follows. Practitioners should treat segmentation as a formal governance boundary with evidence, ownership, and review cadence, not an engineering convenience.

Identity and privilege determine whether segmentation is real. A segmented network can still be functionally flat if management planes, directory services, administrative jump hosts, or privileged service accounts can traverse it unchecked. That is where IAM and PAM intersect directly with PCI scoping. If identity-based access can cross the boundary without tight constraint, segmentation becomes a diagram rather than a control. Practitioners should align network policy with privilege policy so administrative access does not quietly reintroduce scope.

Microsegmentation is best understood as scope compression. The value is not merely fewer packets crossing a firewall. The value is fewer assets that must be treated as part of the CDE, fewer paths to test, and fewer exceptions to defend under audit. That makes the concept of scope compression useful for PCI programmes because it describes the practical effect of narrowing reachability without overselling the technology. Practitioners should measure how much of the environment still has a path to card data, not just whether segmentation exists.

PCI 4.0 raises the bar on proof, which will expose weak change control. Segmentation that once looked adequate in design review can fail under test if firewall rules, remote access, or support workflows drift over time. The standard’s emphasis on validation means programs that lack disciplined change control will struggle first. Practitioners should assume the weakest point is not the rule set itself but the exception process around it.

This topic also matters to non-human identity governance because service accounts often become the hidden bridge into the CDE. Administrative APIs, monitoring tools, and automation accounts can preserve reachability even when user access is tightly segmented. That is why PCI scoping should be read through an identity lens as well as a network lens. Practitioners should map every non-human path that can reach payment systems and remove standing access wherever it is not essential.

What this signals

Scope compression will become a more useful operating metric than segmentation coverage alone, because PCI programmes increasingly need to show how much of the environment can still reach sensitive systems. Teams that cannot quantify reachable paths will struggle to demonstrate durable scope reduction.

The identity layer will matter more over time because non-human identities, administrative services, and privileged workflows can undo a clean network design. When IAM and PAM are not aligned with segmentation policy, the CDE stays reachable even if the perimeter looks disciplined.

Practitioners should expect auditors to ask harder questions about evidence, change control, and exception handling. That means the most defensible programs will pair segmentation testing with identity review, privileged access analysis, and periodic revalidation under NIST SP 800-207 Zero Trust Architecture.


For practitioners

  • Map every CDE-adjacent access path Inventory management planes, jump hosts, directory services, monitoring tools, and non-human accounts that can reach payment systems. Treat any unverified path as in scope until segmentation testing proves otherwise.
  • Tie segmentation rules to business justification Document each allowed service, protocol, and port across the boundary with a clear owner and purpose so the allow list can survive audit review under Requirement 1.2.6.
  • Test the boundary like an attacker would Run penetration tests against the segmentation boundary after meaningful changes and on the required cadence, with explicit attempts to pivot from out-of-scope networks into the CDE.
  • Review privileged access that bypasses the network model Check whether admin credentials, remote support tooling, or service accounts can still traverse the boundary even when network policy looks tight.
  • Track scope compression as a programme metric Measure how many systems remain reachable from the CDE, how many exceptions are in place, and how often segmentation assumptions are revalidated.

Key takeaways

  • PCI DSS 4.0 does not require segmentation, but it does make segmentation the main mechanism for reducing CDE scope.
  • The control only works when the boundary is documented, justified, and proven through testing, not when it exists only in architecture diagrams.
  • Identity paths, especially privileged and non-human access, can silently re-expand scope if they are not governed alongside network policy.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the technical controls, while PCI DSS v4.0 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
PCI DSS v4.0Req. 1.2.6The article centers on allowed paths across the CDE boundary and their justification.
NIST CSF 2.0PR.AC-4Scope reduction depends on least-privilege access paths into sensitive systems.
NIST SP 800-53 Rev 5AC-4Information flow enforcement maps directly to segmentation boundary control.
NIST Zero Trust (SP 800-207)Zero trust reinforces continuous verification of boundary access.
CIS Controls v8CIS-12 , Network Infrastructure ManagementNetwork boundary management and rule review are central to the article.

Review segmentation rules and network paths as part of routine infrastructure management.


Key terms

  • Cardholder Data Environment: The Cardholder Data Environment is the set of systems, people, and processes that store, process, or transmit card data, plus anything that can affect their security. In PCI scoping, reachability and administrative influence matter as much as direct data handling.
  • Network Segmentation: Network segmentation is the practice of separating systems so traffic can only move along approved paths. In PCI environments, it is valuable because it can remove systems from scope only when the isolation is documented, justified, and validated.
  • Microsegmentation: Microsegmentation applies granular access policy to individual workloads or devices rather than broad network zones. It reduces lateral movement and can compress PCI scope when the policy is enforced consistently and still passes testing against the CDE boundary.
  • Scope Reduction: Scope reduction is the process of shrinking the number of systems that must be assessed against a control framework. In PCI DSS, it only holds when segmentation or another isolation method can be proven to prevent connectivity to the Cardholder Data Environment.

What's in the full article

Elisity's full article covers the operational detail this post intentionally leaves for the source:

  • The exact PCI DSS 4.0 requirement references that govern boundary rules, validation, and retesting.
  • The step-by-step scoping logic for deciding which connected systems remain in the Cardholder Data Environment.
  • The testing cadence and evidence expectations assessors look for when segmentation is used to reduce scope.
  • The comparison between traditional network segmentation and identity-based microsegmentation in payment environments.

👉 The full Elisity article covers segmentation requirements, testing cadence, and microsegmentation options in detail

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management in practical programme terms. It helps security practitioners connect identity controls to wider access and risk decisions.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org