I am tasked with ensuring PCI compliance on computers that process credit card data. I know I can use VLANs for segmenting them from the main network, but should I allow all other VLANs to access the new subnet? If I don't, then file servers or other resources that exist on the main network will be unavailable? What is the best practice?
For PCI compliance, you really need guidelines from your security department, as any organization that deals with credit card information is subject to audit once or multiple times a year (depending on the number of transactions). As for best practice, you can use router ACLs to allow or disallow communication, but the ACLs need to be logged and sent to a syslog server. In addition, you also have to log all flows and be able to keep the data for a certain amount of time in case you get audited. Overall, firewalls do a better job when it comes to controlling traffic between hosts/segments as well as logging flows based on ports and protocols.
See page 12 in this doc:
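As an added illustration of the router-ACL approach described in the answer above (this is example configuration written for this page, not something posted in the thread): a Cisco IOS-style segmentation pattern in which the cardholder VLAN may reach only named services on the main network, nothing on the main network may initiate into the cardholder VLAN, every denied packet is logged to syslog, and flows are exported to a collector. The VLAN numbers, subnets and server addresses (VLAN 50 as the cardholder data environment, VLAN 10 as the corporate LAN, a file server, a DNS/NTP host and a syslog/NetFlow collector) are all constructed assumptions; substitute your own.

```cisco
! Added example (not from the original thread): router-ACL segmentation of a
! cardholder-data VLAN. All addresses, VLAN numbers and server roles are
! constructed assumptions.
!
! Assumed layout:
!   VLAN 50 = cardholder data environment (CDE), 10.50.0.0/24
!   VLAN 10 = corporate LAN, 10.10.0.0/24
!   10.10.0.20 = file server, 10.10.0.53 = DNS/NTP, 10.10.0.50 = syslog + NetFlow collector

! --- Traffic leaving the CDE: allow only the named services, log the rest ---
ip access-list extended CDE-OUT
 remark SMB to the file server only
 permit tcp 10.50.0.0 0.0.0.255 host 10.10.0.20 eq 445
 remark DNS and NTP to the internal resolver / time source
 permit udp 10.50.0.0 0.0.0.255 host 10.10.0.53 eq 53
 permit udp 10.50.0.0 0.0.0.255 host 10.10.0.53 eq 123
 remark everything else is dropped and logged for the audit trail
 deny   ip any any log

! --- Traffic entering the CDE from the rest of the network ---
ip access-list extended CDE-IN
 remark ACLs are stateless: explicitly let the file server's replies back in
 permit tcp host 10.10.0.20 eq 445 10.50.0.0 0.0.0.255 established
 permit udp host 10.10.0.53 eq 53 10.50.0.0 0.0.0.255
 permit udp host 10.10.0.53 eq 123 10.50.0.0 0.0.0.255
 remark no other VLAN may initiate connections into the CDE
 deny   ip any 10.50.0.0 0.0.0.255 log

! Apply on the CDE SVI: "in" = packets arriving from CDE hosts,
! "out" = packets being forwarded into the CDE.
interface Vlan50
 ip address 10.50.0.1 255.255.255.0
 ip access-group CDE-OUT in
 ip access-group CDE-IN out
 ip flow ingress
 ip flow egress

! --- Logging: ACL hits to syslog, flows to a NetFlow collector ---
service timestamps log datetime msec localtime show-timezone
logging source-interface Vlan10
logging host 10.10.0.50
logging trap informational
ip access-list log-update threshold 1
ntp server 10.10.0.53
ip flow-export version 9
ip flow-export destination 10.10.0.50 2055
```

Two points worth noting when reading this. First, the `established` keyword only inspects TCP flags; it is not connection tracking, which is exactly why the answer recommends a firewall for traffic between segments. Second, the `log` keyword on the deny entries produces rate-limited syslog messages, so the NetFlow export, not the ACL log, is what gives you the complete flow record an auditor will ask for.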