WithPCI.com

A3.2.4 If segmentation is used, PCI DSS scope is confirmed as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.2.4 If segmentation is used, PCI DSS scope is confirmed as follows:

  • Per the entity's methodology defined at Requirement 11.4.1.
  • Penetration testing is performed on segmentation controls at least once every six months and after any changes to segmentation controls/methods.
  • The penetration testing covers all segmentation controls/methods in use.
  • The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.

PCI DSS Reference: Requirement 11

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.2.4 Examine the results from the most recent penetration test to verify that the test was conducted in accordance with all elements specified in this requirement.

Purpose

PCI DSS normally requires segmentation controls to be verified by penetration testing every twelve months.

Validating segmentation controls more frequently is likely to discover failings in segmentation before they can be exploited by an attacker attempting to pivot laterally from an out-of-scope untrusted network to the CDE.

Good Practice

Although the requirement specifies that this scope validation is carried out at least once every six months and after a significant change, this exercise should be performed as frequently as possible to ensure it remains effective at isolating the CDE from other networks.

Further Information

Refer to Information Supplement: Penetration Testing Guidance for additional guidance.

Purpose

Designated Entities must perform penetration testing to verify segmentation controls at least every six months.

Compliance Strategies

  • Semiannual (every six months) segmentation testing
  • Documented test results

Typical Policies

  • Segmentation Testing Policy

Common Pitfalls

  • Missed tests
  • Unverified segmentation

Type

Technical/Process Control

Difficulty

High

Key Risks

  • Scope creep due to poor segmentation

Recommendations

  • Use qualified penetration testers
