PCI Requirement 11.3.4 – If Segmentation is Used to Isolate the CDE from Other Networks, Perform Penetration Tests at Least Annually and After Any Changes to Segmentation to Ensure Methods are Operational and Effective 

by Randy Bartels / June 5th, 2018

Segmentation and Penetration Testing

Does your organization use segmentation to isolate your cardholder data environment from other networks? Penetration testing can be a tool to ensure that your segmentation controls are working. PCI Requirement 11.3.4 addresses this methodology. It states, “If segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the cardholder data environment.”

The PCI Requirement 11.3.4 guidance explains, “The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the cardholder data environment, to confirm that they are not able to get through the segmentation controls to access the cardholder data environment.”

If your organization is using segmentation as a control or as a means to reduce the scope of your environment, their penetration test needs to include validation that the penetration testing took place to validate that whatever segmentation controls you have are effective and in place. For this test, we are looking for something within the documentation from the penetration test report that says that segmentation was tested and validated.