Istio - PCI in scope environment

Hi, I would like to know if anyone has implemented k8s with Istio within a PCI DSS environment. And if so, did you achieve this with a single k8s cluster or did you implement x2 k8s clusters; one for the DMZ and one for back-end data. My angle is that with istios capabilities, one should be able to implement secure a solution with a single k8s cluster without the need to implementing ‘traditional’ DMZ architecture due to the zero trust capabilities within istio. Happy to hear your views.