PCI Requirement 11.3.4.1 – Additional Requirement for Service Providers Only: If Segmentation is Used, Confirm PCI DSS Scope by Performing Penetration Testing on Segmentation Controls at Least Every Six Months and After Any Changes 

by Randy Bartels / June 5th, 2018

Segmentation, Scoping, and Penetration Testing

Are you a service provider? Do you use segmentation for the purpose of PCI scope reduction? PCI Requirement 11.3.4.1 outlines new PCI penetration testing requirements and caused confusion among many service providers. PCI Requirement 11.3.4.1 states, “If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.”

PCI Requirement 11.3.4.1 requires that a penetration test, which validates the scope and effectiveness of segmentation controls, be performed every six months or after any changes to segmentation controls. The purpose of this additional penetration test is to ensure that segmentation controls continue to operate effectively throughout the year. The continual, complete isolation between CDE and non-CDE systems is key to your PCI compliance.

Our approach to compliance with PCI Requirement 11.3.4.1 involves more than simply validating segmentation controls through port scanning activities. The PCI DSS specifies that penetration testing must be performed, meaning that it is not sufficient to only perform something like nmap scans from non-CDE to CDE networks. Additional effort is required in order to meet this requirement for penetration testing, and our team of penetration testers is ready to help.

There was a new requirement introduced in PCI DSS v3.2, which is PCI Requirement 11.3.4.1. It states that if you are a service provider, you need to validate that your segmentation is in place at least bi-annually, and then after any significant changes to the environment or controls that might affect your segmentation.