
💼 11.4.6 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.

Description

Additional requirement for service providers only.

Penetration tests on segmentation controls are performed as follows:

  • At least once every six months and after any changes to segmentation controls/methods.
  • Covering all segmentation controls/methods in use.
  • According to the entity's defined penetration testing methodology.
  • Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).
  • Performed by a qualified internal resource or qualified external third party.
  • Organizational independence of the tester exists (not required to be a QSA or ASV).

Similar

  • Sections
    • /frameworks/pci-dss-v3.2.1/11/03/04/01
    • /frameworks/pci-dss-v4.0.1/11/04/06

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 PCI DSS v3.2.1 → 💼 11.3.4.1 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
💼 PCI DSS v4.0.1 → 💼 11.4.6 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 PCI DSS v3.2.1 → 💼 11.3.4.1 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
💼 PCI DSS v4.0.1 → 💼 11.4.6 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.
