Banking Security Architecture & PCI-DSS Compliance — UK Regional Bank
Full security architecture redesign for a UK retail bank facing a scheduled QSA audit with known compliance gaps. Zone-based segmentation, Palo Alto App-ID policy rebuild, CDE scope reduction, CyberArk PAM rollout, and Splunk SIEM deployment — delivering a clean PCI-DSS v4.0 assessment on first submission.
0 critical findings in the QSA audit: PCI-DSS v4.0 passed on first assessment
62% reduction in firewall policy rules: legacy implicit permits removed, explicit-deny baseline enforced
100% of privileged access via PAM: no standing admin credentials on any system
<5 min from critical alert to SOC notification: automated detection to analyst escalation SLA
The Engagement
A QSA audit scheduled. Significant gaps known. No margin for a failed assessment.
A UK regional bank, grown through a series of acquisitions over the previous decade, had accumulated a network infrastructure that reflected its history rather than any deliberate security architecture. Different technologies, inconsistent segmentation, and years of tactical change requests had produced a firewall policy with hundreds of implicit permits and a Cardholder Data Environment that had grown to include systems with no direct cardholder data function.
A QSA audit was scheduled. Internal gap analysis had already identified material shortfalls against PCI-DSS v4.0 — particularly around network segmentation, privileged access management, and centralised logging. The board needed assurance the bank could pass. The FCA had signalled heightened expectations around cyber resilience in retail banking.
Frodingham Consulting was engaged to design and deliver the remediation — working directly with the CISO, IT leadership, and the QSA team to move from a known-gaps position to a clean assessment outcome. The engagement covered architecture design, technical implementation, QSA evidence support, and complete documentation handover.
Overscoped CDE
The PCI-DSS Cardholder Data Environment had grown through acquisition to include dozens of systems with no direct card-data function. Unnecessary scope massively inflated compliance burden and audit risk.
Flat internal segmentation
Core banking, SCADA, corporate workstations, and ATM traffic shared the same internal routing domain. No meaningful boundary existed between user devices and mission-critical payment infrastructure.
Implicit permit firewall rules
Years of tactical change requests had accumulated hundreds of implicit permit rules with no documented justification. Attack surface was wide open to lateral movement once the perimeter was breached.
No PAM — standing admin accounts
Administrative credentials were standing, shared in some cases, and not session-recorded. No mechanism existed to revoke access quickly or produce an auditable record of privileged activity.
No centralised logging
Security events from firewalls, switches, and servers landed in separate management consoles with no correlation. Incident detection depended entirely on individual administrators noticing anomalies.
FCA regulatory pressure
The Financial Conduct Authority had signalled heightened scrutiny of cyber resilience controls in retail banking. A QSA audit was scheduled. The board needed assurance the organisation could pass.
Security Architecture
Security zone design
The full security zone architecture from internet perimeter to out-of-band management, with the boundary controls, permitted flows, and systems at each layer.
Untrusted · External
PA-5220 Active/Passive · Panorama managed
Controlled external exposure · WAF enforced
PCI-DSS v4.0 · Minimum scope · Isolated
Mission-critical · No internet access
802.1X NAC · CrowdStrike EDR · Proxy enforced
Isolated VLAN · XFS protocol only · PCI scope
Out-of-band · Splunk SIEM · CyberArk PAM
Security Controls Implemented
Architecture, tooling, and policy — rebuilt from the ground up
The remediation programme addressed every material gap identified in the internal assessment — from the firewall policy layer through to endpoint access control, privileged account management, and security monitoring.
Palo Alto App-ID Policy
Replaced all port-based firewall rules with App-ID policy — every permitted flow is identified by application signature, not TCP port. Port-hopping exploits, protocol abuse, and legacy implicit permits were eliminated in a single policy rebuild.
CDE Scope Reduction
Conducted a full PCI-DSS v4.0 scoping exercise. Systems with no direct cardholder data function were removed from CDE scope and re-homed to appropriate internal zones. CDE surface area reduced by over 70% — fewer systems to harden, audit, and protect.
CyberArk PAM Rollout
CyberArk Privilege Cloud deployed across all zones. Every privileged access session — to any device or server — is now brokered through PAM, time-limited, and session-recorded. All standing admin accounts were removed and rotated. Emergency access requires a documented break-glass procedure.
Splunk SIEM & SOC Enablement
Splunk Enterprise deployed to aggregate logs from every zone — firewalls, switches, servers, endpoints, and CDE-specific collectors. Custom detection rules built for the bank's specific threat model. SOC analysts equipped with playbooks and <5 minute alert-to-escalation SLA on critical events.
802.1X Network Access Control
Aruba ClearPass deployed as RADIUS server. 802.1X certificate-based authentication enforced on every corporate wired port. Device posture checks verify MDM enrolment and CrowdStrike health before VLAN assignment. Non-compliant devices land in a quarantine VLAN with no network access.
Inline IPS on CDE Boundary
Palo Alto Threat Prevention profiles applied inline on all traffic crossing the CDE boundary. Signatures updated automatically via WildFire. Any traffic that cannot be positively identified as an explicitly permitted flow is blocked, logged, and alerted to the SOC within 60 seconds.
PCI-DSS v4.0 Coverage
Every material requirement — designed, implemented, evidenced
The architecture was designed explicitly against PCI-DSS v4.0 requirements. Each control was implemented, tested, and documented in a format the QSA could assess directly — no last-minute evidence scramble.
Network Security Controls
Zone-based firewall policy rebuilt from deny-all. Every permitted flow documented and justified. ATM, CDE, corporate and core banking isolated to dedicated segments.
Secure Configurations
CIS Level 2 hardening baseline applied to all CDE and DMZ hosts. All default credentials rotated. Unused services, ports, and protocols disabled across all in-scope systems.
Vulnerability Management
Qualys VMDR deployed for continuous scanning. Critical vulnerability remediation SLA: 30 days. Weekly authenticated scans on DMZ and CDE. Annual QSA-led penetration test programme established.
Restrict Access by Need to Know
CyberArk PAM enforces least-privilege on all CDE access. Role-based access control documented and implemented. No standing access — every privileged session is time-limited and individually approved.
Strong Authentication
MFA enforced for all access to CDE, management systems, and privileged accounts. Certificate-based 802.1X on corporate network. CyberArk session recording for all privileged access.
Log & Monitor All Access
Splunk SIEM aggregates logs from all in-scope systems. 90-day hot retention, 12-month cold. Automated alerting on CDE access events, failed authentications, and policy violations.
Test Security Regularly
Quarterly ASV external scans. Annual internal and external penetration test. Bi-annual firewall policy review. SIEM alert quality reviewed monthly. Findings tracked to remediation closure.
Policies & Risk Management
Security policy documentation produced covering all PCI-DSS v4.0 controls. Risk assessment completed. Incident response plan updated to reference SIEM playbooks and SOC escalation paths.
Delivery Phases
Discovery to clean QSA assessment
01 — Discovery & Security Assessment
Reviewed existing network architecture, firewall policies, access controls, and logging capability. Conducted stakeholder interviews with IT, CISO, and compliance teams. Documented the current security posture against the threat model for a regulated UK retail bank — including FCA operational resilience requirements and PCI-DSS v4.0 gap analysis.
02 — PCI-DSS Scoping & CDE Reduction
Completed formal PCI-DSS v4.0 scoping exercise. Mapped all data flows involving cardholder data. Identified systems incorrectly included in CDE scope. Designed a segmentation architecture to isolate the true CDE to minimum scope — removing over 70% of systems from PCI scope without changing any operational function.
03 — Security Architecture Design
Produced full security zone architecture — zone definitions, boundary controls, permitted flow matrix, and segmentation design. Palo Alto App-ID policy framework designed to replace all legacy port-based rules. Firewall rule rebuild planned to enforce deny-all baseline with individually documented exceptions.
04 — Network Re-segmentation
Implemented new security zone architecture across the production network. CDE isolated to dedicated VLAN with inline IPS on all boundary traffic. ATM network separated from corporate routing domain. New internal firewall boundary built between DMZ, core banking, corporate, and management zones. All changes implemented with zero downtime during scheduled maintenance windows.
05 — Firewall Policy Rebuild
Legacy firewall ruleset decommissioned. New App-ID policy framework implemented on Palo Alto pair. Every permitted flow identified, documented, tested, and approved before implementation. Implicit permit rules eliminated. Deny-all baseline enforced across all zones. Panorama deployed for centralised policy management with peer-review workflow for all future changes.
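The App-ID rebuild described under "Palo Alto App-ID Policy" and in phase 05 above boils down to a few checkable properties: no allow rule without an application signature, no any/any permits, a change reference on every exception, no flow the zone design forbids, and a terminal deny-all. The following added example (not the consultancy's or the bank's tooling) audits a constructed, simplified rule export for exactly those defects; the CSV columns and the zone names are assumptions, not a real PAN-OS export format.

```python
import csv
import io

# Constructed sample rule export in a simplified CSV layout (an assumption, not a
# real PAN-OS export format). Zone names follow the zones named in the case study.
RULES_CSV = """name,from_zone,to_zone,application,service,action,justification
allow-web-to-dmz,untrusted,dmz,web-browsing,application-default,allow,CR-1042
legacy-any-internal,corporate,core-banking,any,any,allow,
atm-xfs,atm,cde,any,tcp/443,allow,CR-0877
core-to-internet,core-banking,untrusted,web-browsing,application-default,allow,CR-0010
corp-to-cde-rdp,corporate,cde,ms-rdp,application-default,allow,CR-1201
deny-all,any,any,any,any,deny,baseline
"""

# Flows the zone design rules out: core banking has no internet access and the CDE
# is isolated from corporate workstations (admin access is brokered via PAM instead).
FORBIDDEN_PAIRS = {("core-banking", "untrusted"), ("corporate", "cde")}


def audit_rules(csv_text):
    """Return (rule_name, issue) findings for every allow rule that breaks the
    App-ID / deny-all / documented-exception baseline, plus a policy-level check
    that the ruleset ends in an explicit any/any deny."""
    rules = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = r["from_zone"], r["to_zone"]
        if r["application"] == "any":
            findings.append((r["name"], "port-based rule: no App-ID, any application permitted"))
        if r["application"] == "any" and r["service"] == "any":
            findings.append((r["name"], "implicit permit: any application on any port"))
        if not r["justification"].strip():
            findings.append((r["name"], "no documented justification (change reference)"))
        if (src, dst) in FORBIDDEN_PAIRS:
            findings.append((r["name"], f"flow {src}->{dst} violates zone design"))
    last = rules[-1] if rules else None
    if last is None or not (last["action"] == "deny" and last["from_zone"] == "any"
                            and last["to_zone"] == "any"):
        findings.append(("<policy>", "ruleset does not end in an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_rules(RULES_CSV):
        print(f"{name}: {issue}")
```

Run against the sample export it reports six findings, three of them on the single legacy any/any rule; the same checks are what a peer-review step in Panorama would need to enforce on every future change.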
06 — Security Controls Deployment
CyberArk Privilege Cloud deployed and integrated with Active Directory. All standing admin accounts removed. Splunk SIEM deployed with Splunk forwarders on all in-scope systems. CDE boundary IPS profiles activated. Aruba ClearPass 802.1X NAC deployed on corporate network. SOC playbooks built and analyst training delivered.
07 — QSA Assessment Support
Provided technical support throughout the QSA assessment. Produced evidence packages for each PCI-DSS v4.0 requirement — firewall policy documentation, network topology diagrams, access control records, log samples, vulnerability scan results, and penetration test findings with remediation closures. Zero critical findings raised. Assessment passed on first submission.
08 — Documentation & Ongoing Partnership
Delivered complete security documentation package — zone architecture diagrams, firewall policy register, PAM onboarding procedures, SIEM playbooks, incident response runbooks, and the annual security review schedule. Retained as ongoing technical partner for the bank's continuous compliance programme and quarterly security reviews.
The Outcome
PCI-DSS v4.0 compliant. Clean QSA audit. First submission.
The QSA assessment was passed on first submission with zero critical findings. The examiner noted the quality and completeness of the evidence package as exceptional — each requirement was mapped to implemented controls with documented test results and supporting artefacts.
The CDE was reduced from its over-scoped state to the minimum necessary footprint. Firewall policy was rebuilt from deny-all, with every permitted flow documented and App-ID enforced throughout. Implicit permits that had accumulated over years were eliminated. The attack surface for lateral movement from a perimeter breach was fundamentally changed.
CyberArk PAM removed all standing admin access across every zone. No engineer — internal or external — can reach a privileged account without a time-limited, recorded, PAM-brokered session. The CISO now has a complete audit trail of every privileged action taken on any system in the environment.
Splunk SIEM gave the SOC visibility it had never had. Within the first month of operation, three anomalous behaviours were detected that the previous environment would never have surfaced. None were critical incidents — but the capability to detect them, and respond to them, was new.
In their words
"We went into this knowing we had gaps and not entirely sure how bad they were. Frodingham didn't just fix what we knew about — they found things we didn't. The QSA described our evidence package as the most complete they'd seen from an organisation our size. That doesn't happen without the right engineering behind it."
Chief Information Security Officer
UK Regional Bank · Retail & Commercial Banking · England
Facing a security audit or compliance gap in a regulated environment?
We design the architecture, implement the controls, and produce the evidence. You pass the audit.