Verifone Omni 5750 Ethernet
The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data.
Therefore, storage of card data is not required to put you in scope; transmission is sufficient. Your terminals will be transmitting cardholder data, and so are "in scope" for PCI requirements.
Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)
In other words, any system connected to the network with processing terminals on it is "in scope", and will have to be scanned and audited as well. You only have to segment it if you don't want to attest that it's up to PCI security snuff every year! (That being said, it's probably cheaper and easier for you to segment it than to subject everything on your network to PCI requirements).
The PCI DSS Self-Assessment Questionnaire outlines the different types of businesses and what their broad requirements are. Based on your description, you're SAQ "C", outlined on page 11. I've quoted part of it below and highlighted the bullet stating that, yes, they want you to segment your network:
> SAQ C merchants validate compliance by completing SAQ C and the associated Attestation of Compliance, confirming that:
> - Your company has a payment application system and an Internet connection on the same device and/or same local area network (LAN);
> - **The payment application system/Internet device is not connected to any other systems within your environment (this can be achieved via network segmentation to isolate payment application system/Internet device from all other systems);**
> - Your company store is not connected to other store locations, and any LAN is for a single store only;
> - Your company retains only paper reports or paper copies of receipts;
> - Your company does not store cardholder data in electronic format; and
> - Your company’s payment application software vendor uses secure techniques to provide remote support to your payment application system.