Network segmentation

The PCI DSS requires that firewall services be used with Network Address Translation (NAT) or Port Address Translation (PAT) to separate network segments into logical security domains based on the environmental requirements for Internet access.

Traditionally, this corresponds to the creation of at least a DMZ and a trusted network segment where only authorized, business-justified traffic from the DMZ is allowed to connect to the trusted segment. No direct incoming Internet traffic to the trusted application environment can be allowed. Additionally, outbound Internet access from the trusted segment must be limited to required and justified ports and services.

Refer to the Order Capture Data Flow diagram in the topic "Data flow diagram depicting the order capture data flow" for an understanding of the flow of encrypted data associated with the Sterling™ Sensitive Data Capture Server.

In the illustration in the topic "Typical network implementation", PAN information flows from the Internet user over SSL/TLS to the SSDCS in the cardholder data network, and then to the customer's credit card vault for tokenization. PAN information from internal users flows to an internal SSDCS, which is in an internal cardholder data network, for tokenization.

Tokens are used only in the IBM® applications in the noncardholder data network.
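As an added example that is not part of the IBM documentation, the following nftables ruleset sketches the segmentation described above on a single firewall host: an Internet-facing interface, a DMZ holding the SSDCS, and a trusted segment holding the credit card vault. The interface names, addresses, the vault port (8443) and the placement of the vault in the trusted segment are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Assumed interface names and addresses (not from the documentation).
define WAN     = "eth0"        # Internet
define DMZ     = "eth1"        # cardholder data network (SSDCS)
define TRUSTED = "eth2"        # trusted segment (credit card vault)
define SSDCS   = 10.10.1.10
define VAULT   = 10.20.1.20

table inet segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only TLS to the SSDCS (the DNAT below delivers it there).
        iifname $WAN oifname $DMZ ip daddr $SSDCS tcp dport 443 accept

        # DMZ -> trusted: only the SSDCS reaching the vault on the tokenization port.
        # No other DMZ host and no other port is business-justified.
        iifname $DMZ oifname $TRUSTED ip saddr $SSDCS ip daddr $VAULT tcp dport 8443 accept

        # Trusted -> Internet: limited to justified outbound services.
        iifname $TRUSTED oifname $WAN tcp dport 443 accept
        iifname $TRUSTED oifname $WAN udp dport 53 accept

        # Internet -> trusted has no accept rule, so the drop policy applies.
        # Log what falls through so blocked flows are visible to monitoring.
        log prefix "seg-drop: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Publish the SSDCS via the firewall's public address (NAT).
        iifname $WAN tcp dport 443 dnat to $SSDCS
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound traffic from the internal segments shares the public address (PAT).
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and confirm the intended flows with `nft list ruleset`; a rule that opens a second DMZ-to-trusted port would need its own business justification under the requirement above.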