
By: KATE DONOFRIO on August 22nd, 2017


Segmentation Testing and PCI FAQs

Payment Card Industry (PCI) Data Security | PCI | Pen Testing

As a follow-up to the "What 2018 Means for Your PCI DSS Assessment" article I posted, a client of mine had a great question regarding the future date for the semi-annual segmentation penetration test requirement for service providers. They were curious what the February 1, 2018 date meant specifically for their compliance. For instance, if they previously completed a segmentation penetration test in August 2017, would they be required to perform another test six months later, as the requirement would be applicable on February 1, 2018? Or, would they instead be required to perform a segmentation penetration test six months from the February 1, 2018 date?

I thought through the two options and could see both sides of the coin. I immediately started worrying that this would be one of those gray areas where assessors and assessment firms took different stances, with some taking the harder stance that a test is necessary six months from the last annual test, and others agreeing that a test should take place six months from the February 1st date. Luckily, there was no need to worry. Once again, the PCI FAQ site came to the rescue, and it had this to say regarding the new service provider segmentation penetration testing requirement:

In summary, service providers should ensure that:

  • A penetration test of their segmentation controls is performed within the 12 months prior to February 1, 2018.
  • As of February 1, 2018, they have a process in place to perform penetration tests every six months.
  • As of August 1, 2018, at least one six-monthly penetration test has occurred.
  • Penetration tests continue to be performed at least once every six months thereafter.

As I use the PCI FAQ site all the time for gray-area topics or just overall sanity checks, I thought this would be a great time to put a spotlight on the site, which is linked here. The site provides a great knowledge base for questions you may have on PCI topics or scenarios. If you come up with a question that stumps you, this is a great go-to site with answers directly from the PCI SSC.

Among the information on the site, some of the responses refer you to the Payment Card Brands and/or Acquiring Banks (Merchant Banks) for the final decision. We must remember that the card brands enforce compliance, and the PCI SSC defers to the brands on matters of enforcement. Also, one card brand's response may differ from another's on certain matters.

Need to contact a payment brand? No problem: the PCI SSC FAQ site has that information too; check it out here.