Many organizations segment their networks at their places of business today with one or more firewalls to reduce the number of devices in PCI scope. Often, they will move all their payment terminal devices onto one VLAN segment behind their existing store main firewall and leave all non-payment processing devices in a different VLAN segment. This is very good approach. If their firewall supports VLANs or they replace their main store firewall with a new one that supports VLANs they typically don’t add much more complexity in reducing the devices in PCI scope.
Other organizations will sometimes use a separate new firewall to isolate the payment terminal devices from other devices. This is often a quick and lower cost way to segment a store network. When this is done it is important to remember that the logs from the new firewall introduced to perform the segmentation must be also be collected on a centralized log server per PCI DSS 10.5.4 and that the new firewall and logs must be monitored for proper operation per PCI DSS 1.2 and 1.3.
Organizations that introduce a new firewall to protect payment terminal devices with segmentation and reduce scope will need to be sure that their log collection process in place for firewalls is extended to include the new logs from the new firewall. Additionally, any automation in place to detect open ports in firewalls or configuration tool / page break-in’s, denial of service, spoofing or other various attacks that may be used against the new firewall must also be pointed at the new firewall and its logs to be sure it is being monitored adequately once the new firewall is in place.