Frequently Asked Question
Is MPLS considered a private or public network when transmitting cardholder data?
Whether an MPLS network can be considered a private network is dependent upon the specific provider and configuration of that network. The implementation would need to be evaluated to determine whether the MPLS network provides exposure to the Internet or other untrusted networks, before concluding whether the MPLS network can be considered private. If the MPLS network contains publically-accessible IP addresses or otherwise provides exposure to the Internet (for example, if an edge router has an Internet port), then it may need to be considered an “untrusted” or a public network.
If the MPLS network is determined to be private, transmissions of cardholder data over that network would not need to be encrypted per PCI DSS Requirement 4.1. However, if there are points of exposure to the Internet or it is a shared connection, the MPLS network could be considered as untrusted or public, and Requirement 4.1 would apply.
MPLS networks that have been verified as being private are still in scope for PCI DSS, and, as with all private networks that are in scope, the MPLS network and associated devices would need to meet the applicable PCI DSS requirements.