
Perform penetration testing on segmentation controls, as necessary.
CONTROL ID
12498
CONTROL TYPE
Technical Security
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Perform penetration tests, as necessary., CC ID: 00655

This Control has the following implementation support Control(s):
  • Verify segmentation controls are operational and effective., CC ID: 12545


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Additional requirement for service providers only: If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. (11.3.4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. (A3.2.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. (11.3.4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does penetration testing to verify segmentation controls meet the following? - Performed at least annually and after any changes to segmentation controls/methods - Covers all segmentation controls/methods in use - Verifies that segmentation methods are operational and effective, and isolate all out-… (11.3.4(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is PCI DSS scope confirmed by performing penetration tests on segmentation controls at least every six months and after any changes to segmentation controls/methods? (11.3.4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine the results from the most recent penetration test to verify that: - Penetration testing is performed to verify segmentation controls at least every six months and after any changes to segmentation controls/methods. - The penetration testing covers all segmentation controls/methods in use. - … (11.3.4.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Verify that the test was performed by a qualified internal resource or qualified external third party and, if applicable, organizational independence of the tester exists (not required to be a QSA or ASV). (11.3.4.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Penetration testing is performed on segmentation controls at least once every six months and after any changes to segmentation controls/methods. (A3.2.4 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The penetration testing covers all segmentation controls/methods in use. (A3.2.4 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Testing to validate any segmentation and scope-reduction controls. (11.4.1 Bullet 4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: (11.4.5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • At least once every 12 months and after any changes to segmentation controls/methods (11.4.5 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Covering all segmentation controls/methods in use. (11.4.5 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • According to the entity's defined penetration testing methodology. (11.4.5 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3). (11.4.5 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Additional requirement for service providers only: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: (11.4.6, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • At least once every six months and after any changes to segmentation controls/methods. (11.4.6 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Covering all segmentation controls/methods in use. (11.4.6 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • According to the entity's defined penetration testing methodology. (11.4.6 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3). (11.4.6 Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods in accordance with all elements specified in this requirement. (11.4.5.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Testing to validate any segmentation and scope-reduction controls. (11.4.1 Bullet 4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: (11.4.5, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least once every 12 months and after any changes to segmentation controls/methods (11.4.5 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • According to the entity's defined penetration testing methodology. (11.4.5 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Covering all segmentation controls/methods in use. (11.4.5 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3). (11.4.5 Bullet 5, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: (11.4.5, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Covering all segmentation controls/methods in use. (11.4.5 Bullet 2, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3). (11.4.5 Bullet 5, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least once every 12 months and after any changes to segmentation controls/methods (11.4.5 Bullet 1, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: (11.4.5, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least once every 12 months and after any changes to segmentation controls/methods (11.4.5 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Covering all segmentation controls/methods in use. (11.4.5 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3). (11.4.5 Bullet 5, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Testing to validate any segmentation and scope-reduction controls. (11.4.1 Bullet 4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • According to the entity's defined penetration testing methodology. (11.4.5 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3). (11.4.5 Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least once every 12 months and after any changes to segmentation controls/methods (11.4.5 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: (11.4.5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Covering all segmentation controls/methods in use. (11.4.5 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Covering all segmentation controls/methods in use. (11.4.5 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • According to the entity's defined penetration testing methodology. (11.4.5 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least once every 12 months and after any changes to segmentation controls/methods (11.4.5 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Additional requirement for service providers only: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: (11.4.6, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: (11.4.5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • At least once every six months and after any changes to segmentation controls/methods. (11.4.6 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Covering all segmentation controls/methods in use. (11.4.6 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3). (11.4.6 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3). (11.4.5 Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • According to the entity's defined penetration testing methodology. (11.4.6 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Testing to validate any segmentation and scope-reduction controls. (11.4.1 Bullet 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
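The PCI DSS requirements listed above (11.3.4 / 11.3.4.1 in v3.2 and 11.4.5 / 11.4.6 in v4.0) all come down to the same technical question: from a system the organisation treats as out of scope, can an attacker reach a system in the CDE at all? The example below is an added illustration of the core check a segmentation penetration test performs, not code from the PCI Security Standards Council or from any assessor's toolkit. It assumes the script is run from a host inside an out-of-scope segment against a hypothetical list of CDE hosts and ports, and it classifies each TCP connect attempt so that a reachable host with no listening service ("refused") is still reported as a finding rather than silently passing. Running it from one vantage point only covers that segment; to satisfy "covering all segmentation controls/methods in use" it has to be repeated from every out-of-scope segment and for every segmentation method (firewall rules, VLAN ACLs, cloud security groups, host firewalls) the entity relies on.

```python
import socket
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# How one TCP connect() from the tester's vantage point is classified.
OPEN = "open"                # handshake completed: CDE host reachable and a service answered
REFUSED = "refused"          # RST received: host (or a rejecting firewall) reachable at the IP layer
FILTERED = "filtered"        # no answer before the timeout: consistent with a dropping control
UNREACHABLE = "unreachable"  # no route / ICMP unreachable: blocked before reaching the target


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    state: str


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> ProbeResult:
    """One TCP connect() against host:port, classified by how it succeeded or failed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return ProbeResult(host, port, OPEN)
        except ConnectionRefusedError:
            return ProbeResult(host, port, REFUSED)
        except socket.timeout:
            return ProbeResult(host, port, FILTERED)
        except OSError:
            return ProbeResult(host, port, UNREACHABLE)


def probe_cde_targets(targets: Iterable[Tuple[str, int]], timeout: float = 1.0) -> List[ProbeResult]:
    """Probe every (host, port) pair; the caller runs this from each out-of-scope segment."""
    return [probe_tcp(host, port, timeout) for host, port in targets]


def segmentation_findings(results: Iterable[ProbeResult]) -> List[ProbeResult]:
    """Results that contradict isolation when the probes were sent from an out-of-scope segment.

    OPEN is an unambiguous failure. REFUSED is also reported: a RST proves the segment
    can reach the CDE host unless it was sent by a firewall configured to reject rather
    than drop, so each REFUSED must be correlated with firewall logs before it is closed.
    """
    return [r for r in results if r.state in (OPEN, REFUSED)]


def segmentation_effective(results: Iterable[ProbeResult]) -> bool:
    """True only if nothing from the out-of-scope vantage point reached a CDE host."""
    return not segmentation_findings(results)


def loopback_demo(timeout: float = 1.0) -> Tuple[ProbeResult, ProbeResult]:
    """Constructed, offline stand-in for a CDE target: a loopback listener on an
    ephemeral port (reachable service), then the same port after the listener closes
    (reachable host, no service). Both are findings from an out-of-scope vantage point."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    reachable_service = probe_tcp("127.0.0.1", port, timeout)
    listener.close()
    reachable_host = probe_tcp("127.0.0.1", port, timeout)
    return reachable_service, reachable_host


if __name__ == "__main__":
    # Hypothetical CDE target list; replace with the in-scope hosts and ports under test.
    cde_targets = [("10.10.20.5", 443), ("10.10.20.6", 1433), ("10.10.20.7", 22)]
    results = probe_cde_targets(cde_targets, timeout=2.0)
    for r in results:
        print(f"{r.host}:{r.port} -> {r.state}")
    print("segmentation effective:", segmentation_effective(results))
```

A FILTERED result is evidence only for the port probed, so the target list should cover every port and protocol the entity's testing methodology names, not just the well-known ones; UDP and ICMP need their own probes, which this TCP-only example does not attempt.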