Frequently Asked Question

How often must service providers perform penetration testing of segmentation controls under PCI DSS?

PCI DSS Requirement 11.4.6 (an additional requirement for service providers only) requires service providers that use segmentation to isolate the cardholder data environment (CDE) from other networks to perform penetration tests on those segmentation controls at least once every six months, and after any change to the segmentation controls or methods.

This requirement is intended to ensure that segmentation remains effective over time, particularly in complex or frequently changing environments. Service providers must ensure their defined penetration testing methodology includes:

  • Testing all segmentation controls/methods in use
  • Validating that the CDE is effectively isolated from out-of-scope systems
  • Confirming the effectiveness of any use of isolation between systems of differing security levels
  • Testing conducted by a qualified internal resource or external third party
  • Organizational independence of the tester (the tester is not required to be a QSA or ASV)

The interval between scheduled segmentation tests must not exceed six months, and a change to the segmentation controls triggers a re-test regardless of when the last scheduled test was performed. Service providers should retain the test reports and results so they are available for review during PCI DSS assessments.

June 2025
Article Number: 1447
