PCI DSS: Updated Penetration Testing Requirements – Frequently Asked Questions

Is your organization prepared for the upcoming PCI DSS requirement going into effect? To prepare your organization for this change, our team has assembled an FAQ to address any of your potential questions.


What is the new penetration testing requirement?

Requirement requires that organizations perform an additional penetration test on segmentation controls every six months. This differs from a standard penetration test, which remains required annually.

This only applies to organizations where segmentation is used. Testing procedure guidance from PCI DSS v3.2 and b indicates that organizations should:

“Examine the results from the most recent penetration test to verify that:

  • Penetration testing is performed to verify segmentation controls at least every six months and after any changes to segmentation controls/methods.
  • The penetration testing covers all segmentation controls/methods in use.
  • The penetration testing verifies that segmentation controls/methods are operating and effective, and isolate all out-of-scope systems from systems in the [cardholder data environment].

Verify that the test was performed by a qualified internal resource or a qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).”

Who does this change impact?

This change only impacts service providers.

When does the new standard go into effect?

This new standard is a best practice until January 31, 2018, after which it becomes a requirement.

What is penetration testing on segmentation controls and why does it matter?

A segmentation penetration test tests only the segmentation controls. It is not intended to be a full internal or external penetration test, which is why that test remains an annual requirement.

This test is used to confirm that out-of-scope networks are not able to reach in-scope networks and to ensure that the segmentation controls and methods used in the organization remain operational and effective.

What does this mean for my previous or upcoming PCI DSS assessment?

Organizations seeking PCI compliance must have performed the additional penetration test on segmentation controls prior to their report on compliance (ROC) date.

What is the purpose of this change?

This change ensures that an organization’s segmented environment remains isolated from out-of-scope networks on a more regular basis. Ideally, this would be done as frequently as possible to ensure that the scope remains up-to-date and aligned with changing business objectives.

My organization currently performs regular segmentation penetration testing internally. Can we still do that, or is an external test required?

Organizations can perform this test themselves using an internal resource if they can prove that their segmentation testing methodology is sound and that the resource is independent of the network administration team. If they are unable to prove that, a third party would be needed to complete the testing.

Have additional questions about PCI DSS, scoping, segmentation and more? Contact one of A-LIGN’s QSAs today!