I’m sitting here in the back of the session where the 1.2 version of the standard is reviewed, and it looks like Network Segmentation is the sticking point. After hearing many people state their case on segmentation, I really have to stand behind the Technical Working Group here. I’m not sure how much clearer it could be made. The standard states that:

Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network.
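
That definition is already concrete enough to test against a device config, which is the check a QSA (or the network team before the QSA shows up) actually wants. The script below is an added example, not part of the original post and not from the PCI DSS text quoted above: it evaluates a constructed, router-style first-match ACL (implicit deny at the end) against named segments and reports which segments can still reach the cardholder data environment. The rule syntax, segment names and addresses are all assumptions made up for illustration; the only real semantics it borrows are first-match evaluation and implicit deny.

```python
"""Does this ACL actually segment the cardholder data environment (CDE)?

Added example; not from the original post or the PCI DSS text it quotes.
Rule syntax, segment names and addresses are constructed for illustration.
Rules are evaluated first-match, top to bottom, with an implicit deny at
the end, the usual router ACL semantics.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None means any TCP port


def parse_rule(line: str) -> Rule:
    """Parse one constructed-syntax rule, e.g. 'permit 10.2.0.0/24 -> 10.9.0.0/24 tcp/443'."""
    action, src, arrow, dst, svc = line.split()
    if action not in ("permit", "deny") or arrow != "->":
        raise ValueError(f"bad rule: {line!r}")
    port = None if svc == "any" else int(svc.split("/", 1)[1])
    return Rule(action, ip_network(src), ip_network(dst), port)


def segment_can_reach(rules: List[Rule], src: IPv4Network, dst: IPv4Network, port: int) -> bool:
    """Conservative first-match evaluation over whole segments.

    True if ANY host in src might reach ANY host in dst on port: a permit
    that merely overlaps the pair counts, a deny only ends the search when
    it covers the whole pair, and a partial deny falls through to later
    rules (some hosts in the segment are still undecided)."""
    for r in rules:
        if not (r.src.overlaps(src) and r.dst.overlaps(dst)):
            continue
        if r.port is not None and r.port != port:
            continue
        if r.action == "permit":
            return True
        if src.subnet_of(r.src) and dst.subnet_of(r.dst):
            return False
    return False  # implicit deny


def probe_ports(rules: List[Rule]) -> List[int]:
    """Ports worth testing: every port a rule names, plus one port no rule
    names, which stands in for all other ports (rules only test equality)."""
    named = sorted({r.port for r in rules if r.port is not None})
    other = next(p for p in range(1, 65536) if p not in named)
    return named + [other]


def scope_report(rules: List[Rule], segments: Dict[str, IPv4Network], cde: str) -> Dict[str, List[str]]:
    """For each non-CDE segment, list the ports on which some host in it can
    reach the CDE. An empty list means the segment is segmented off; any
    non-empty list means it is in scope of the assessment."""
    ports = probe_ports(rules)
    named, other = ports[:-1], ports[-1]
    cde_net = segments[cde]
    report: Dict[str, List[str]] = {}
    for name, net in segments.items():
        if name == cde:
            continue
        reach = [f"tcp/{p}" for p in named if segment_can_reach(rules, net, cde_net, p)]
        if segment_can_reach(rules, net, cde_net, other):
            reach.append("other ports")
        report[name] = reach
    return report


def is_flat(report: Dict[str, List[str]]) -> bool:
    """A 'flat network' in the standard's sense: every segment reaches the CDE."""
    return all(report.values())


# Constructed sample network and ACLs (not real addresses or rules).
SEGMENTS = {
    "cde":   ip_network("10.9.0.0/24"),
    "pos":   ip_network("10.2.0.0/24"),
    "corp":  ip_network("10.1.0.0/16"),
    "guest": ip_network("192.168.100.0/24"),
}

FLAT_ACL = ["permit 0.0.0.0/0 -> 0.0.0.0/0 any"]  # everything talks to everything

SEGMENTED_ACL = [
    "permit 10.2.0.0/24 -> 10.9.0.0/24 tcp/443",  # POS terminals to the payment service only
    "deny   0.0.0.0/0   -> 10.9.0.0/24 any",       # nothing else reaches the CDE
    "permit 0.0.0.0/0   -> 0.0.0.0/0   any",       # the rest of the network is unchanged
]

if __name__ == "__main__":
    for label, acl in (("flat", FLAT_ACL), ("segmented", SEGMENTED_ACL)):
        report = scope_report([parse_rule(r) for r in acl], SEGMENTS, "cde")
        print(label, "flat network" if is_flat(report) else "segmented", report)
```

Two things worth noting when reusing this against a real config. The evaluation is deliberately conservative: a permit that covers only part of a segment still marks the whole segment as able to reach the CDE, because the assessor will count it that way. And the probe set is complete for port equality only; if your ACLs use port ranges, extend `probe_ports` to test the range boundaries as well.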

The TWG was asked to clarify further and the only comment that was made was “I guess we could tweak it a little.”

Be strong, TWG. Don’t give in to peer pressure. The definition is perfectly fine.

