PCI Requirement 11.3.4.1 – Additional Requirement for Service Providers Only: If Segmentation is Used, Confirm PCI DSS Scope by Performing Penetration Testing on Segmentation Controls at Least Every Six Months and After Any Changes

by Randy Bartels / December 16, 2022

Segmentation, Scoping, and Penetration Testing

Are you a service provider? Do you use segmentation for the purpose of PCI scope reduction? PCI Requirement 11.3.4.1 outlines new PCI penetration testing requirements and caused confusion among many service providers. PCI Requirement 11.3.4.1 states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.” PCI…

PCI Requirement 11.3.4 – If Segmentation is Used to Isolate the CDE from Other Networks, Perform Penetration Tests at Least Annually and After Any Changes to Segmentation to Ensure Methods are Operational and Effective

by Randy Bartels / December 16, 2022

Segmentation and Penetration Testing

Does your organization use segmentation to isolate your cardholder data environment from other networks? Penetration testing can be a tool to ensure that your segmentation controls are working. PCI Requirement 11.3.4 addresses this methodology. It states, “If segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that…

PCI Requirement 11.3.3 – Exploitable Vulnerabilities Found During Penetration Testing are Corrected and Testing is Repeated

by Randy Bartels / December 16, 2022

What To Do with Exploitable Vulnerabilities

The purpose of penetration testing is to find vulnerabilities before an attacker does; when you find them, those vulnerabilities need to be corrected. PCI Requirement 11.3.3 states, “Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.” During an assessment, you will provide your assessor with penetration testing results that verify that you found and implemented a…

PCI Requirement 11.3.2 – Perform Internal Penetration Testing at Least Annually

by Randy Bartels / December 16, 2022

Internal Penetration Testing

PCI Requirement 11.3.2 requires that organizations perform internal penetration testing at least annually and after any significant upgrade or modification. Internal penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data. When determining what constitutes…

PCI Requirement 11.3.1 – Perform External Penetration Testing at Least Annually

by Randy Bartels / December 16, 2022

External Penetration Tests

PCI Requirement 11.3.1 requires that organizations perform external penetration testing at least annually and after any significant upgrade or modification. External penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data. When determining what constitutes…