Skip to main content

💼 11.4.6 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.

Description​

Additional requirement for service providers only.

As follows:

  • At least once every six months and after any changes to segmentation controls/methods.
  • Covering all segmentation controls/methods in use.
  • According to the entity's defined penetration testing methodology.
  • Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.
  • Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).
  • Performed by a qualified internal resource or qualified external third party.
  • Organizational independence of the tester exists (not required to be a QSA or ASV).

Similar​

  • Sections
    • /frameworks/pci-dss-v3.2.1/11/03/04/01
    • /frameworks/pci-dss-v4.0.1/11/04/06
  • Internal
    • ID: dec-c-23422505

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
💼 PCI DSS v3.2.1 → 💼 11.3.4.1 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
💼 PCI DSS v4.0.1 → 💼 11.4.6 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.

Similar Sections (Give Policies To)​

SectionSub SectionsInternal RulesPoliciesFlags
💼 PCI DSS v3.2.1 → 💼 11.3.4.1 If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
💼 PCI DSS v4.0.1 → 💼 11.4.6 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls.

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags