PCI DSS v3.2 and the Penetration Testing Requirements for Merchants
In April 2016, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2. The update brought clarifications to existing requirements, additional guidance, and seven new requirements. Each new requirement was initially treated as a best practice, but the effective date of February 1, 2018, when all of them must be in place, is quickly approaching.
To address issues related to cardholder data breaches and protect against existing exploits, PCI DSS v3.2 includes various changes, most of which are specific to Service Providers. These include new penetration testing requirements: Service Providers must now perform segmentation testing at least every six months or after any significant change to segmentation controls/methods. In addition, several requirements ensure that Service Providers continuously monitor and maintain critical security controls throughout the year.
PCI DSS Requirement 11.3.4 requires all organizations to perform segmentation testing at least annually if segmentation controls are used to isolate the cardholder data environment (CDE) from other network segments. The intent of this requirement is to verify that the segmentation controls/methods function effectively and as expected. Additionally, PCI DSS Requirement 11.3.4.1 was added in PCI DSS v3.2 as a new requirement, mandating that Service Providers test all applicable segmentation controls used to segment the CDE at least every 6 months, as opposed to annually. It is important to note that this new requirement applies only to segmentation testing; application- and network-layer penetration tests are still required at least annually or after any significant infrastructure or application change.
Scope & Frequency
The scope of each segmentation test will depend on the organization's network and on the segmentation controls used to isolate the CDE from other networks. The standard penetration test should include both internal and external testing of all networks, applications, or systems directly connected to the CDE. Segmentation testing of the controls/methods in use is performed from out-of-scope network perspectives that should have no connectivity to the CDE. This testing typically uses tools such as Nmap to probe all ports/services on CDE hosts, and it is not necessarily required to be run from every out-of-scope network. The intent of this requirement is to perform sufficient testing to validate that the segmentation controls are functioning properly. In large environments, a risk-based approach can be used to identify appropriate testing perspectives for each segmentation control in use. Organizations should consult with their QSA/ISA, network team, and penetration tester to confirm that their analysis of the segmentation controls provides adequate assurance that all controls in place are functioning properly.
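The validation step described above, as an added example that is not part of the original article: a small Python evaluator for Nmap grepable output (`-oG`) captured from an out-of-scope perspective, which flags any port reachable on a CDE host as a segmentation finding. The scan output, the host addresses and the CDE host list are constructed for illustration.

```python
"""Evaluate nmap -oG output from an out-of-scope network perspective during
a PCI DSS segmentation test.  Any 'open' port on a CDE host seen from that
perspective is a finding; 'filtered' is the expected result of a working control."""
import re
from collections import defaultdict

# Constructed sample of nmap -oG output: two CDE hosts scanned from the
# corporate user VLAN (an out-of-scope perspective).  Not a real scan.
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated Mon Jan  8 09:00:00 2018 as: nmap -p- -oG cde.gnmap 10.10.20.0/29
Host: 10.10.20.2 ()\tStatus: Up
Host: 10.10.20.2 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: filtered (65533)
Host: 10.10.20.3 ()\tStatus: Up
Host: 10.10.20.3 ()\tPorts: 1433/filtered/tcp//ms-sql-s///\tIgnored State: filtered (65534)
# Nmap done at Mon Jan  8 09:45:12 2018 -- 8 IP addresses (2 hosts up) scanned
"""

# Each port entry in a -oG 'Ports:' field looks like port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/")

def parse_grepable(text):
    """Return {host: [(port, state, proto), ...]} parsed from -oG text.
    Only 'Host: ... Ports:' lines carry per-port states; comment and
    'Status:' lines are skipped."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            results[host].append((int(port), state, proto))
    return dict(results)

def segmentation_findings(results, cde_hosts):
    """List (host, port, proto) for every confirmed-open port on a CDE host.
    Filtered ports mean the control dropped the probe, so they are not findings."""
    findings = []
    for host in sorted(cde_hosts):
        for port, state, proto in results.get(host, []):
            if state == "open":
                findings.append((host, port, proto))
    return findings

def segmentation_effective(text, cde_hosts):
    """True when no CDE host exposes an open port to this perspective."""
    return not segmentation_findings(parse_grepable(text), cde_hosts)

if __name__ == "__main__":
    print(segmentation_findings(parse_grepable(SAMPLE_GREPABLE), {"10.10.20.2", "10.10.20.3"}))
```

Run once per out-of-scope perspective chosen in the risk-based analysis; an empty findings list for every perspective is the evidence the QSA/ISA will want to see.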
Requirements According to PCI Assessment Date
As of February 1, 2018, service providers will be required to conduct an annual penetration test and a semi-annual segmentation test. The PCI SSC has provided the following clarification and guidance for Service Providers being assessed during 2018 for this new requirement:
- A penetration test of segmentation controls must be performed within the 12 months prior to February 1, 2018.
- As of February 1, 2018, policy and processes must be in place to perform segmentation tests every six months.
- As of August 1, 2018, at least one semi-annual segmentation test must have occurred.
- Segmentation tests must continue to be performed at least once every six months thereafter.
Preparing for PCI Compliance
With the February effective date quickly approaching, service providers will need to analyze their PCI DSS compliance program and ensure that the requirements stated above have been met or are being planned. Recent guidance from the PCI SSC states that a service provider will be considered compliant under the new standard if, by February 1, 2018, it has policies and procedures in place, can show validation that it is following them, and has conducted a penetration or segmentation test within the last 6 months.
Service providers who have planned an assessment in late 2018 will need to plan now to ensure they will have testing performed within the first 6 months following the February effective date of the new requirements.
Service providers should begin preparing by:
- Checking their compliance status and validation date.
- Identifying and calculating the required tests needed based on date and when the new requirement went into effect (February 1, 2018).
- Determining the segmentation controls being utilized and defining the scope for testing of these controls.
It is important to recognize that complying with the PCI DSS v3.2 standard will vary for every organization. Therefore, service providers should review how the new requirements will affect their organization and determine a plan of action to remain compliant.