
How to Simplify PCI DSS Compliance with Microsegmentation and Identity-Based Controls

Published April 15, 2025 by Crystal Chadwick

The average cost of a data breach for financial services organizations reached $5.97M in 2024 – more than $1M above the cross-industry average – due in part to overlapping fines from regulations like the New York Department of Financial Services (NYDFS) and the Payment Card Industry Data Security Standard (PCI DSS).   

The percentage of organizations maintaining full PCI DSS compliance has steadily declined since 2020, bottoming out at just 14.3% in the run-up to the PCI DSS 4.0 deadline. This drop-off is likely due to the additional time and effort required to meet the new requirements, but it leaves businesses vulnerable to hefty fines and reputational damage.  

In other words, PCI DSS sets an important standard for protecting sensitive data and minimizing risk – but achieving compliance is typically complex and labor-intensive. Financial services organizations can accelerate and streamline compliance through capabilities like:  

  • Microsegmentation to isolate cardholder data environments (CDEs) 
  • Identity-based access controls to enforce least privilege 
  • Multi-factor authentication (MFA) for just-in-time access  
  • Secure remote access requiring enhanced authorization 
  • Real-time visibility for monitoring and audit support 

We’ll outline how a unified solution for network segmentation and identity-based access controls supports PCI DSS compliance while minimizing resource demands and operational complexity.  

PCI DSS Requirements Overview  

PCI DSS controls span 12 requirements across six categories tied to key objectives:  

  • Build and maintain secure networks and systems: Configure the proper network defenses to protect CDEs and restrict unauthorized traffic 
  • Protect account data: Safeguard cardholder data and authentication material with secure protocols to limit exposure risks 
  • Maintain a vulnerability management program: Stay ahead of evolving threats by addressing known vulnerabilities 
  • Implement strong access control measures: Limit access to cardholder data based on roles and responsibilities  
  • Regularly monitor and test networks: Continuously test security controls and monitor network activity to detect anomalies and maintain an audit trail 
  • Maintain an information security policy: Define and enforce clear security policies that support PCI DSS controls 

To better understand how identity-enabled microsegmentation boosts PCI DSS compliance initiatives, learn how a modern solution like Zero Networks applies to specific regulatory requirements.  

Requirement 1: Install and maintain a firewall configuration to protect cardholder data 

Flat networks or partially segmented environments make it easier for attackers to move laterally once inside; firewalls (or equivalent controls) are required to protect CDEs by restricting unauthorized traffic and regularly reviewing and updating rules.  

Microsegmentation can serve as a distributed firewall through logical segmentation, dynamically isolating CDEs into secure network segments and controlling inbound and outbound traffic with granular access controls based on identity, device, and role. By replacing traditional firewalls with adaptive, set-and-forget segmentation, organizations can enforce least privilege at the network layer and reduce the risk of unauthorized access while minimizing the need for ongoing maintenance and avoiding added complexity.   

Requirement 3: Protect stored cardholder data 

Stored cardholder data must be secured using strong encryption or equivalent techniques and protected against unauthorized access. 

By microsegmenting their networks, financial services organizations can isolate systems storing cardholder data and enforce granular access policies. Identity segmentation solutions with just-in-time multi-factor authentication capabilities add an additional layer of security, barring unauthorized users from accessing sensitive repositories, while detailed logs prove that data is only accessed by approved users and systems to satisfy audit controls.  

Requirement 4: Encrypt transmission of cardholder data across open, public networks 

Transmission of cardholder data across open networks must be protected by robust security protocols.  

Solutions with secure remote access capabilities apply strong encryption standards across public networks, ensuring remote connections are subject to secure protocols and protecting cardholder data from interception during transmission. 

Requirement 7: Restrict access to cardholder data based on a “business need-to-know” principle 

Access to sensitive system components and cardholder data must be limited to those whose job requires it through role-based access controls that are regularly reviewed, updated, and documented. 

Identity-based segmentation lets organizations limit each user's access to what their role requires and, likewise, restrict which assets can reach system components and cardholder data, by applying fine-grained controls across all system components. With just-in-time MFA, business users gain temporary access rights for frictionless access while maintaining compliance. 

Requirement 8: Identify and authenticate access to system components 

PCI DSS requires that every user accessing systems with cardholder data is uniquely identified and authenticated. This ensures accountability and prevents shared credentials – a common vulnerability in internal environments and a frequent compliance issue. Compliance with this control also requires multi-factor authentication for remote access.  

Robust network and identity segmentation solutions support unique user identification and secure authentication mechanisms across systems. These tools enforce the same standards for communication across users, processes, apps, and assets, ensuring MFA occurs before access is granted – and that every user session is logged, auditable, and traceable. They also enforce the requirements for failed access attempts, lockout duration, and session timeout, while securing remote connections to eliminate risks from third-party access.  

Requirement 8.4: Multi-factor authentication (MFA) for non-console access 

As of PCI DSS 4.0, MFA is no longer just a recommendation – it’s mandatory for all access to the CDE, including access by internal personnel, systems, service accounts, and remote connections.  

Segmentation solutions equipped with network-layer MFA enable enforcement across all CDE access paths, regardless of how users or systems connect. Identity segmentation and secure remote access solutions leverage strong authentication methods, such as app-based tokens or biometrics, to meet PCI DSS standards while minimizing friction for financial customers. Unlike most MFA solutions, which are applied at layer 7, layer-3 MFA enables financial services organizations to precisely control access to network ports based on verified credentials.  
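The mechanics behind Requirements 1, 7 and 8.4 above (default-deny segmentation keyed on identity, role and device, with a short-lived MFA grant gating the sensitive ports) can be shown in a small policy evaluator. The following is an added example written for this article; it is not Zero Networks code or policy syntax, and every role name, segment label, port and identity in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example: a toy identity-aware microsegmentation evaluator.
# Roles, segments, ports and identities are constructed, not a real policy.


@dataclass(frozen=True)
class Flow:
    """One attempted connection, as seen by a host-level enforcement point."""
    identity: str       # authenticated user principal
    role: str           # role asserted by the identity provider
    device: str         # device posture label: "managed" or "unmanaged"
    dst_segment: str    # logical segment of the destination, e.g. "CDE"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """An allow rule keyed on identity attributes rather than IP addresses."""
    roles: frozenset
    devices: frozenset
    dst_segment: str
    ports: frozenset
    require_mfa: bool = False


class PolicyEngine:
    """Default-deny evaluator with time-bounded, just-in-time MFA grants."""

    def __init__(self, rules, mfa_window=timedelta(hours=1)):
        self.rules = list(rules)
        self.mfa_window = mfa_window
        self._mfa_grants = {}   # identity -> expiry time of the JIT grant

    def record_mfa(self, identity, now):
        """Called after a successful MFA challenge; opens a short-lived grant."""
        self._mfa_grants[identity] = now + self.mfa_window

    def _mfa_valid(self, identity, now):
        expiry = self._mfa_grants.get(identity)
        return expiry is not None and now < expiry

    def evaluate(self, flow, now):
        """Return (decision, reason). Anything not explicitly allowed is denied."""
        for rule in self.rules:
            matches = (
                flow.role in rule.roles
                and flow.device in rule.devices
                and flow.dst_segment == rule.dst_segment
                and flow.dst_port in rule.ports
            )
            if not matches:
                continue
            if rule.require_mfa and not self._mfa_valid(flow.identity, now):
                return "mfa_required", f"rule matched but no valid MFA grant for {flow.identity}"
            return "allow", f"matched rule for roles {sorted(rule.roles)} on port {flow.dst_port}"
        return "deny", "no matching rule (default deny)"


# Constructed CDE rules: only named roles, only from managed devices,
# only the ports their job needs, and always behind MFA.
CDE_RULES = [
    Rule(roles=frozenset({"payments-dba"}), devices=frozenset({"managed"}),
         dst_segment="CDE", ports=frozenset({5432}), require_mfa=True),
    Rule(roles=frozenset({"soc-analyst"}), devices=frozenset({"managed"}),
         dst_segment="CDE", ports=frozenset({22}), require_mfa=True),
]


def run_scenarios():
    """Walk a DBA through the JIT flow and show what the policy blocks."""
    engine = PolicyEngine(CDE_RULES)
    t0 = datetime(2025, 4, 15, 9, 0, tzinfo=timezone.utc)
    dba = Flow("alice", "payments-dba", "managed", "CDE", 5432)
    results = {}
    # 1. first attempt: role and device match, but no MFA yet
    results["before_mfa"] = engine.evaluate(dba, t0)[0]
    # 2. MFA completed; the grant is time-bounded
    engine.record_mfa("alice", t0)
    results["after_mfa"] = engine.evaluate(dba, t0 + timedelta(minutes=5))[0]
    # 3. the grant expires on its own, so standing access never accumulates
    results["after_expiry"] = engine.evaluate(dba, t0 + timedelta(hours=2))[0]
    # 4. same role, but from an unmanaged device: no rule matches
    results["unmanaged_device"] = engine.evaluate(
        Flow("alice", "payments-dba", "unmanaged", "CDE", 5432), t0)[0]
    # 5. a valid MFA grant does not widen the allowed ports (RDP was never granted)
    engine.record_mfa("alice", t0)
    results["wrong_port"] = engine.evaluate(
        Flow("alice", "payments-dba", "managed", "CDE", 3389), t0)[0]
    # 6. a role with no CDE rule at all
    results["no_role_rule"] = engine.evaluate(
        Flow("bob", "marketing", "managed", "CDE", 5432), t0)[0]
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18s} -> {decision}")
```

The point of the scenarios is the shape of the decisions: a matching rule without a fresh MFA grant yields `mfa_required` rather than `allow`, the grant lapses without anyone revoking it, and an out-of-scope port or device falls through to the default deny even for an identity that has just authenticated.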

Requirement 10: Track and monitor all access to network resources and cardholder data 

Access to cardholder systems must be logged and reviewed daily to track user activities; audit trail history must be retained for at least one year. 

Advanced network segmentation solutions provide unified, detailed visibility into all access attempts to the CDE and enable real-time monitoring of segmentation effectiveness. Up-to-date logs of access attempts, policy enforcement, and authentication events can be integrated into SIEM tools to support daily reviews and forensic investigations. 
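To make the daily-review and retention obligations of Requirement 10 concrete, here is an added example (not Zero Networks code) that reads enforcement-point events as JSON lines, builds the summary a reviewer would look at each day, renders events in CEF for SIEM ingestion, and identifies which events have aged past the one-year retention window. The event schema, the vendor and product strings in the CEF line, and all sample events are constructed for this example.

```python
import json
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample events (JSON lines) as an enforcement point might emit
# them; the schema and every value are invented for this added example.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:00Z", "identity": "alice", "dst_segment": "CDE", "dst_port": 5432, "decision": "allow", "mfa": true}
{"ts": "2025-04-14T23:58:00Z", "identity": "bob", "dst_segment": "CDE", "dst_port": 5432, "decision": "deny", "mfa": false}
{"ts": "2025-04-15T08:58:12Z", "identity": "alice", "dst_segment": "CDE", "dst_port": 5432, "decision": "mfa_required", "mfa": false}
{"ts": "2025-04-15T08:59:40Z", "identity": "alice", "dst_segment": "CDE", "dst_port": 5432, "decision": "allow", "mfa": true}
{"ts": "2025-04-15T09:10:02Z", "identity": "bob", "dst_segment": "CDE", "dst_port": 5432, "decision": "deny", "mfa": false}
{"ts": "2025-04-15T09:10:03Z", "identity": "bob", "dst_segment": "CDE", "dst_port": 22, "decision": "deny", "mfa": false}
{"ts": "2025-04-15T09:10:04Z", "identity": "bob", "dst_segment": "CDE", "dst_port": 3389, "decision": "deny", "mfa": false}
{"ts": "2025-04-15T09:10:05Z", "identity": "bob", "dst_segment": "CDE", "dst_port": 445, "decision": "deny", "mfa": false}
{"ts": "2025-04-15T11:30:00Z", "identity": "svc-batch", "dst_segment": "CDE", "dst_port": 5432, "decision": "allow", "mfa": false}
{"ts": "2025-04-15T12:00:00Z", "identity": "carol", "dst_segment": "CORP", "dst_port": 443, "decision": "allow", "mfa": false}
"""

RETENTION = timedelta(days=365)      # audit trail must be kept at least one year
DENIAL_THRESHOLD = 3                 # repeated denials worth a reviewer's attention
REVIEW_DAY = date(2025, 4, 15)       # the day under review in this example
NOW = datetime(2025, 4, 15, 12, 0, tzinfo=timezone.utc)


def parse_ts(text):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def daily_review(events, day):
    """Summarise one day's CDE access for the daily review."""
    todays = [e for e in events if e["ts"].date() == day and e["dst_segment"] == "CDE"]
    denied = Counter(e["identity"] for e in todays if e["decision"] == "deny")
    return {
        "cde_allowed": sum(1 for e in todays if e["decision"] == "allow"),
        "denied_by_identity": dict(denied),
        # identities probing several CDE ports in a row
        "repeated_denials": sorted(i for i, n in denied.items() if n >= DENIAL_THRESHOLD),
        # CDE access granted without MFA: a policy gap to explain to the auditor
        "allowed_without_mfa": sorted({e["identity"] for e in todays
                                       if e["decision"] == "allow" and not e["mfa"]}),
    }


def to_cef(event):
    """Render one event as a CEF line for SIEM ingestion (vendor fields constructed)."""
    severity = {"deny": 5, "mfa_required": 3, "allow": 1}[event["decision"]]
    return (
        "CEF:0|ExampleVendor|SegmentationPoint|1.0|{d}|CDE access {d}|{sev}|"
        "rt={ts} suser={user} dpt={port} cs1Label=segment cs1={seg}"
    ).format(d=event["decision"], sev=severity, ts=event["ts"].isoformat(),
             user=event["identity"], port=event["dst_port"], seg=event["dst_segment"])


def purgeable(events, now):
    """Events older than the retention period; everything newer must be kept."""
    return [e for e in events if now - e["ts"] > RETENTION]


def review_sample():
    """Run the review over the constructed sample and return the findings."""
    events = load_events(SAMPLE_LOG)
    return {
        "review": daily_review(events, REVIEW_DAY),
        "purgeable": len(purgeable(events, NOW)),
        "retained": len(events) - len(purgeable(events, NOW)),
        "first_cef": to_cef(events[2]),
    }


if __name__ == "__main__":
    findings = review_sample()
    print(json.dumps(findings["review"], indent=2))
    print(f"events past retention: {findings['purgeable']}, must keep: {findings['retained']}")
    print(findings["first_cef"])
```

Two details are deliberate: the review filters on the destination segment so that non-CDE traffic does not dilute the numbers, and the retention check is expressed as "what may be purged" rather than "what to keep", so that anything newer than a year is retained by default even if the purge logic is never run.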

Requirement 11: Regularly test security systems and processes 

This requirement mandates vulnerability scans and penetration tests to validate the effectiveness of access controls and security measures. 

Microsegmentation and identity segmentation support regular testing and enable simulated attack scenarios to verify an organization’s ability to detect and prevent unauthorized access. With a unified view of network and identity activity, these solutions deliver end-to-end communications visibility, providing the validation and proof organizations need to demonstrate compliance with this requirement.  

Requirement 12: Maintain a policy that addresses information security for all personnel 

A documented, enforceable security policy must address all aspects of PCI DSS and demonstrate how the organization supports compliance across people, processes, and technology. 

Automation-enabled solutions simplify the implementation of security policies related to network segmentation and access control, enabling organizations to provide proof of the required policies and processes to auditors – without draining resources. 

Streamline PCI DSS Compliance with Zero Networks 

PCI DSS 4.0 introduces stricter requirements and broader scope, but modern solutions like Zero Networks deliver the advanced microsegmentation, identity segmentation, and secure remote access capabilities organizations need to achieve and maintain compliance – without introducing bandwidth constraints or operational headaches.  

By isolating sensitive environments, providing detailed audit trails, and enforcing least privilege across users, systems, and assets, Zero Networks helps organizations meet regulatory requirements faster and more effectively. To learn how you can simplify compliance in your organization, try Zero.