If you are a service provider that uses network segmentation to reduce the overall scope of your PCI DSS assessment, what was formerly an annual requirement to obtain a penetration test is now a semi-annual requirement, meaning it must be done every six months. Make sure to reach out to your QSA to ensure that you are compliant with this timing requirement.
Organizations should schedule penetration tests in advance to meet the timing restriction of this requirement. An experienced and qualified penetration tester independent of the organizational unit should be consulted to perform this assessment to validate and confirm the scope of the cardholder data environment.
PCI DSS Resources
For more guidance on 18.104.22.168 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.
Freed Maxick services for PCI DSS Compliance can be found here, but for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.