Network segmentation basics and PCI Compliance

Here’s my set up and what I’d like to accomplish.
I have some POS equipment that, for the purposes of (better) PCI compliance, I’d prefer not to be able to communicate with the rest of the network and vice versa.

I have a Ubiquiti EdgeRouter, connected via its ETH1 port to a Netgear L3 switch, which is then connected to the rest of the devices/switches/WAPs in the building.

Currently it’s a flat network. So everyone can see and talk to everyone else, at least as far as the network is concerned.

What I’m trying to decide is the correct way for me to do this, and I seem to have a handful of options.
1) Leave well enough alone.
2) Put all the POS equipment on its own switch, run a wire back to the L3 switch and tell it to tag that port.
3) Put all the POS equipment on its own switch and connect that switch to the ETH2 port on the router.
4) Set up a second subnet and just update the network information on the individual devices.

The second option, a VLAN, feels like the correct answer, but I’m not really sure. I’m also not sure what the difference is between having two subnets vs two interfaces. It seems like it’s just a logical separation vs a physical (and logical) one.
And, maybe I’m wrong, but I believe any of these options, once the firewall rules are created, will accomplish what I’m trying to do. In fact, that’s part of my confusion. Some reading over the past few days isn’t giving me any obvious reasons to pick one over the other.

Also, there’s a 5th option. Use the firewall to prevent the POS equipment from talking to anything else thus restricting it to only being able to send data to and receive data from the WAN.

One possible reason to leave well enough alone is that I assume all the cardholder data from the POS is encrypted to begin with and the entire network would still be in scope (I believe) since my computer still uses the processor’s virtual terminal via a browser. But I still feel like segmenting out the POS equipment is a good idea. Especially since that also means that any malware that finds itself on the POS equipment (it runs Android under the hood) can’t find its way to the rest of the network.
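As an added example (not from the original post), this is what option 2 combined with option 5 could look like on the EdgeRouter's EdgeOS CLI: a tagged VLAN sub-interface on eth1 for the POS gear, plus firewall rulesets that let the POS reach only the WAN, block POS-to-LAN and LAN-to-POS in both directions, and limit what the POS may ask of the router itself. Interface roles, VLAN ID 20 and the two subnets are assumptions, not values from the post.

```edgeos
configure

# Assumed addressing (constructed for this example): eth0 = WAN,
# eth1 = existing flat LAN 192.168.1.0/24, VLAN 20 = POS 192.168.20.0/24.
set interfaces ethernet eth1 vif 20 description "POS (PCI scope)"
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24

# Traffic arriving from the POS VLAN: allow replies, drop anything aimed at
# the rest of the LAN, then let the remainder (i.e. WAN-bound) through.
set firewall name POS_IN default-action drop
set firewall name POS_IN rule 10 description "replies to POS-initiated flows"
set firewall name POS_IN rule 10 action accept
set firewall name POS_IN rule 10 state established enable
set firewall name POS_IN rule 10 state related enable
set firewall name POS_IN rule 20 description "no POS -> main LAN"
set firewall name POS_IN rule 20 action drop
set firewall name POS_IN rule 20 destination address 192.168.1.0/24
set firewall name POS_IN rule 20 log enable
set firewall name POS_IN rule 30 description "POS -> WAN (payment processor)"
set firewall name POS_IN rule 30 action accept

# Traffic from the POS VLAN to the router itself: only DHCP and DNS.
set firewall name POS_LOCAL default-action drop
set firewall name POS_LOCAL rule 10 action accept
set firewall name POS_LOCAL rule 10 state established enable
set firewall name POS_LOCAL rule 10 state related enable
set firewall name POS_LOCAL rule 20 description "DHCP"
set firewall name POS_LOCAL rule 20 action accept
set firewall name POS_LOCAL rule 20 protocol udp
set firewall name POS_LOCAL rule 20 destination port 67
set firewall name POS_LOCAL rule 30 description "DNS"
set firewall name POS_LOCAL rule 30 action accept
set firewall name POS_LOCAL rule 30 protocol tcp_udp
set firewall name POS_LOCAL rule 30 destination port 53

# Traffic arriving from the main LAN: block anything aimed at the POS VLAN.
set firewall name LAN_IN default-action accept
set firewall name LAN_IN rule 10 description "no main LAN -> POS"
set firewall name LAN_IN rule 10 action drop
set firewall name LAN_IN rule 10 destination address 192.168.20.0/24
set firewall name LAN_IN rule 10 log enable

set interfaces ethernet eth1 vif 20 firewall in name POS_IN
set interfaces ethernet eth1 vif 20 firewall local name POS_LOCAL
set interfaces ethernet eth1 firewall in name LAN_IN

commit ; save ; exit
```

The Netgear L3 switch must carry VLAN 20 as tagged-only with no routed (SVI) interface on it, otherwise the switch can route between the two VLANs and these rules never see that traffic. The logged drops also give you evidence that the boundary holds when it comes time to demonstrate segmentation for PCI scoping.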

Can’t help on specifics; been out of the field too long.

But conceptually you need to be clear whether you’re trying to protect the POS gear from intrusion / eavesdropping originating in the rest of the network, or to protect the rest of the network from intrusion / eavesdropping originating in the POS gear.

Sometimes the barriers you can erect are bidirectional, and sometimes they are unidirectional. You probably need to dig more carefully into what PCI requires or recommends to be clear what you’re trying to accomplish.

Only when the “what” is clear does the “how” start to become relevant.

I would assume both directions. The POS shouldn’t have any reason to communicate with anything else on the network and nothing else on the network needs to communicate with it. I don’t think there’s any good reason to even allow the two sides to be aware of each other.

In all the years I’ve had network attached POS equipment, I think the most I’ve ever done is ping it to see if it was online as part of troubleshooting something. And that was mostly to see if I could get any easy answers before I get up and walk over to it.