Segmentation Testing and PCI FAQs
As a follow-up to the "What 2018 Means for Your PCI DSS Assessment" article I posted, a client of mine had a great question regarding the future date for the semi-annual segmentation penetration test requirement for service providers. They were curious what the February 1, 2018 date meant specifically for their compliance. For instance, if they previously completed a segmentation penetration test in August 2017, would they be required to perform another test six months later, as the requirement would be applicable on February 1, 2018? Or, would they instead be required to perform a segmentation penetration test six months from the February 1, 2018 date?
I thought through the two options and could see both sides of the coin. I immediately started worrying that this would be one of those grey areas where assessors and assessment firms took different stances, with some taking the harder stance of a test necessary six months from the last annual, and others agreeing that a test should take place six-months from the February 1st date. Luckily, there was no need to worry. Once again, the PCI FAQ site came to the rescue, and it had this to say regarding the new service provider segmentation penetration testing requirement:
In summary, service providers should ensure that:
- A penetration test of their segmentation controls is performed within the 12 months prior to February 1, 2018.
- As of February 1, 2018, they have a process in place to perform penetration tests every six months.
- As of August 1, 2018, at least one six-monthly penetration test has occurred.
- Penetration tests continue to be performed at least once every six months thereafter.
As I use the PCI FAQ site all the time for some gray area topics or just overall sanity checks, I thought this would be a great time to put a spotlight on the site, which is linked here. The site provides a great knowledgebase for questions you may have on PCI topics or scenarios. If you come up with a question that stumps you, this is a great go-to site with answers directly from the PCI SSC.
Among the information on the site, some of the responses refer to contacting the Payment Card Brands and/or Acquiring Banks (Merchant Banks) for the final decision. We must remember that the card brands enforce compliance, and the PCI SSC defers to the brands on matters of enforcement. Also, one card brand response may differ from another in certain matters.
Need to contact a payment brand? No problem--the PCI SSC FAQ site has that information too, check it out here.