Diff: FAQ #1447
How does PCI DSS Requirement 11.3.4.1 impact timing of penetration tests for service providers?
Earlier Version
2017-04-11 00:00:00 UTC
2017-04-11 00:00:00 UTC
Later Version
2025-06-11 14:59:19 UTC
2025-06-11 14:59:19 UTC
Removed
Added
PCI DSS Requirement 11.3.4.1 6 requires service providers that use segmentation to isolate the cardholder data environment (CDE) from other netwas added to PCI DSS v3.2orks to perform penetration tests on those segmentation controls at least once every six months, and requires service providers to perform penetration testing on segmentation controls at least every six months. Prior to v3.2, service providers were required to test these controls at least annually. This requirement for greater frequency of penetration testing is a best practice until January 31, 2018, after which it becomes a requirementafter any changes to the segmentation methods.
Thismeans thatrequirement is intended to ensure that segmentation remains effective over time, as of Feparticularly in complex or frequently changing environments. Service providers must ensure their defined penetration testing methodology includes:
Testing all segmentation controls/methods in use
Validating that the CDE is effectively isolated from out-of-scope systems
Confirming the effectiveness of any use of isolation bruary 1, 2018, serviceetween systems of differing security levels
Testing conducted by a qualified internal resource or external third providers must have a arty
Organizational indeprocess in place to perform penetration tests of their segmentation controls at least every six months. It isendence of the tester (QSA or ASV not required that service providers have a penetration test of segmentation controls within the six months prior to February 1st, 2018.)
The interval between segmentation tests must not exact schedule of testing ceed six months. Service providers should maintain documentation of the tests and the results must be available for reviewill vary for each service provider; however, all service providers will need to complete a penetration test of their segmentation controls within six months of the requirement becoming effective ? that is, between February 1, 2018 and August 1, 2018. Additionally, service providers will need to ensure that no more than 12 months passes between penetration tests during the transition from annual to six-monthly testing.
In summary, service providers should ensure that:
A penetration test of their segmentation controls is performed within the 12 months prior to February 1, 2018.
As of February 1, 2018, they have a process in place to perform penetration tests every six months.
As of August 1, 2018, at least one six-monthly penetration test has occurred.
Penetration tests continue to be performed at least once every six months thereafter.
For during PCI DSS assessments performed on or after February 1, 2018, the assessor will need to verify the above.
This
Testing all segmentation controls/methods in use
Validating that the CDE is effectively isolated from out-of-scope systems
Confirming the effectiveness of any use of isolation b
Testing conducted by a qualified internal resource or external third p
Organizational indep
The interval between segmentation tests must not ex
In summary, service providers should ensure that:
A penetration test of their segmentation controls is performed within the 12 months prior to February 1, 2018.
As of February 1, 2018, they have a process in place to perform penetration tests every six months.
As of August 1, 2018, at least one six-monthly penetration test has occurred.
Penetration tests continue to be performed at least once every six months thereafter.
For