If you are a service provider that uses network segmentation to reduce the overall scope of your PCI DSS assessment, what was formerly an annual requirement to obtain a penetration test is now a semi-annual requirement meaning it must be done every six months.  Make sure to reach out to your QSA to ensure that you are compliant with this timing requirement. 

Click to see a short video on PCI DSS 3.2’s Section 11.4.3.1 requirements 

PCI DSS 3.2 Req. 11.3.4.1

 

Freed Maxick 11.3.4.1 Guidance   

Organizations should schedule penetration tests in advance to meeting the timing restriction of this requirement. An experienced and qualified penetration tester independent of the organizational unit should be consulted to perform this assessment to validate and confirm the scope of the cardholder data environment

 

PCI DSS Resources 

For more guidance on 11.4.3.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here, but for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.