Diff: FAQ #1447
How does PCI DSS Requirement 11.3.4.1 impact timing of penetration tests for service providers?
Earlier Version
Later Version
Removed
Added
PCI DSS Requirement 11.3.4.1 was added11.4.6 requires service providers that use segmentation to PCI DSS v3.2,isolate the cardholder data environment (CDE) from other networks to perform penetration tests on those segmentation controls at least once every six months, and requires service providersafter any changes to perform penetration testing on segmentation controls at least every six months. Prior to v3.2, service providers were required to test these controls at least annually. This requirement for greater frequency of penetration testing is a best practice until January 31, 2018, after which it becomes a requirement.the segmentation methods.
Thismeans that, as of February 1, 2018, servicerequirement is intended to ensure that segmentation remains effective over time, particularly in complex or frequently changing environments. Service providers must haveensure their defined penetration testing methodology includes:
Testing all segmentation controls/methods in use
Validating that the CDE is effectively isolated from out-of-scope systems
Confirming the effectiveness of any use of isolation between systems of differing security levels
Testing conducted by aprocess in place to perform penetration tests of their segmentation controls at least every six months. It isqualified internal resource or external third party
Organizational independence of the tester (QSA or ASV notrequired that service providers have a penetration test of segmentation controls within the six months prior to February 1st, 2018.required)
Theexact schedule of testing will varyinterval between segmentation tests must not exceed six months. Service providers should maintain documentation of the tests and the results must be available for each service provider; however, all service providers will need to complete a penetration test of their segmentation controls within six months of the requirement becoming effective ? that is, between February 1, 2018 and August 1, 2018. Additionally, service providers will need to ensure that no more than 12 months passes between penetration testsreview during the transition from annual to six-monthly testing.
In summary, service providers should ensure that:
A penetration test of their segmentation controls is performed within the 12 months prior to February 1, 2018.
As of February 1, 2018, they have a process in place to perform penetration tests every six months.
As of August 1, 2018, at least one six-monthly penetration test has occurred.
Penetration tests continue to be performed at least once every six months thereafter.
ForPCI DSS assessments performed on or after February 1, 2018, the assessor will need to verify the above.assessments.
This
Testing all segmentation controls/methods in use
Validating that the CDE is effectively isolated from out-of-scope systems
Confirming the effectiveness of any use of isolation between systems of differing security levels
Testing conducted by a
Organizational independence of the tester (QSA or ASV not
The
In summary, service providers should ensure that:
A penetration test of their segmentation controls is performed within the 12 months prior to February 1, 2018.
As of February 1, 2018, they have a process in place to perform penetration tests every six months.
As of August 1, 2018, at least one six-monthly penetration test has occurred.
Penetration tests continue to be performed at least once every six months thereafter.
For
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.