PCI DSS Scope Determination Case Study
Reasoning for this case study: defending risk claims under audit scrutiny.
Overview
This project treats network segmentation as a risk claim that must be defended.
The Scenario
Company: EZ Retail Solutions
Industry: E-commerce platform provider
Annual Credit Card Transactions: 2.4 million
Current State: Pursuing PCI DSS v4.0 compliance
The company processes credit card payments through its web application and has implemented network segmentation. My role is to assess whether this segmentation genuinely reduces PCI scope or creates a false sense of security.
The company's current documentation states:
· "The CDE is fully segmented from the corporate network"
· "Only authorized systems can communicate with the CDE"
· "Administrative access requires going through the jump host"
· "All CDE traffic is logged and monitored"
Current Network Architecture
Internet
  ↓
Perimeter Firewall
  ↓
DMZ Zone (10.1.0.0/24)
  - Web Servers (3): 10.1.0.10-12
  - Load Balancers: 10.1.0.5

Corporate Zone (10.2.0.0/16)
  - AD Domain Controllers: 10.2.1.10-11
  - Jump Host: 10.2.1.50

Corporate Zone 2 (10.2.0.0/16)
  - File Servers: 10.2.20-22
  - Workstations: 10.2.2.0/24

----- (Claimed Segmentation Boundary) -----

Cardholder Data Environment (CDE) (10.3.0.0/24)
  - Payment App Server: 10.3.0.10
  - Card Database Server: 10.3.0.20
  - HSM Appliance: 10.3.0.30
  - Tokenization Service: 10.3.0.40
  - Log Collector (Splunk Forwarder): 10.3.0.50

Management Zone (10.4.0.0/24)
  - SIEM (Splunk): 10.4.0.10
  - Backup Server: 10.4.0.20
  - Patch Management (WSUS): 10.4.0.30
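The four documented claims only hold up if they can be checked against real traffic. The script below is an added example, not part of the case study or the company's documentation: it models the zones from the architecture above, assumes an allow-list of hosts authorized to reach the CDE (the page states the claim but not the list), and applies the claims to constructed sample flows, classifying every host seen as CDE, connected-to, or out-of-scope and flagging flows that contradict the claims.

```python
from ipaddress import ip_address, ip_network

# Zones as drawn in the case study architecture.
ZONES = {
    "DMZ": ip_network("10.1.0.0/24"),
    "Corporate": ip_network("10.2.0.0/16"),
    "CDE": ip_network("10.3.0.0/24"),
    "Management": ip_network("10.4.0.0/24"),
}
JUMP_HOST = "10.2.1.50"
# Assumption: the hosts the company considers authorized to talk to the CDE
# (the documentation asserts the claim but does not enumerate the systems).
AUTHORIZED_TO_CDE = {JUMP_HOST, "10.1.0.5", "10.4.0.10", "10.4.0.20", "10.4.0.30"}
ADMIN_PORTS = {22, 3389}  # SSH / RDP: "administrative access"

def zone_of(ip):
    """Map an address to the zone it sits in, or 'Unknown'."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "Unknown")

def assess(flows):
    """flows: iterable of (src, dst, dport), e.g. from a firewall or NetFlow export.
    Returns (scope, findings): scope maps each host seen to 'CDE', 'connected-to'
    or 'out-of-scope'; findings lists flows that contradict the documented claims."""
    scope, findings = {}, []
    for src, dst, port in flows:
        for h in (src, dst):
            scope.setdefault(h, "CDE" if zone_of(h) == "CDE" else "out-of-scope")
        if "CDE" not in (zone_of(src), zone_of(dst)):
            continue
        # Any non-CDE host exchanging traffic with the CDE is connected-to, hence in scope.
        for h in (src, dst):
            if scope[h] != "CDE":
                scope[h] = "connected-to"
        if zone_of(dst) == "CDE" and src not in AUTHORIZED_TO_CDE:
            findings.append((src, dst, port, "unauthorized source reaches CDE"))
        if zone_of(dst) == "CDE" and port in ADMIN_PORTS and src != JUMP_HOST:
            findings.append((src, dst, port, "admin access bypasses jump host"))
    return scope, findings

# Constructed sample flows (not from the case study): (src, dst, dst port).
SAMPLE_FLOWS = [
    ("10.1.0.5", "10.3.0.10", 443),    # load balancer -> payment app
    ("10.2.1.50", "10.3.0.20", 22),    # jump host -> card database
    ("10.3.0.50", "10.4.0.10", 9997),  # log forwarder -> SIEM
    ("10.2.2.15", "10.3.0.10", 3389),  # workstation -> payment app (RDP)
    ("10.2.2.15", "10.2.1.10", 389),   # workstation -> AD (never touches CDE)
]
```

Run `assess(SAMPLE_FLOWS)`: the SIEM becomes connected-to (so it is in scope despite sitting outside the CDE), and the workstation RDP flow produces two findings, one per violated claim.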
© 2025. All rights reserved.