PCI DSS 3.2 Req 11.3.4.1 - Views on Semi-annual Penetration Testing

Justin Bonk, CISSP, PCI-QSA, CIA, CFE, CISA, CIPP/US

Senior Manager, Freed Maxick Risk Advisory Services

If you are a service provider that uses network segmentation to reduce the scope of your PCI DSS assessment, what was formerly an annual requirement to penetration test your segmentation controls is now a semi-annual requirement under Requirement 11.3.4.1: segmentation controls must be tested at least every six months, and also after any change to the segmentation controls or methods. Make sure to reach out to your QSA to confirm that your testing schedule satisfies this timing requirement.


PCI DSS 3.2 Req. 11.3.4.1


Freed Maxick 11.3.4.1 Guidance   

Organizations should schedule penetration tests in advance to meet the timing requirement of this requirement. An experienced and qualified penetration tester who is organizationally independent of the unit that manages the cardholder data environment should perform this assessment to validate and confirm that the segmentation controls are effective and that the scope of the cardholder data environment is what the organization believes it to be.


PCI DSS Resources 

For more guidance on 11.3.4.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS compliance can be found here, but for a more detailed discussion of your organization’s situation and needs, contact us or call me at 716.847.2651.
