PCI DSS 3.2 Req - Views on Semi-annual Penetration Testing


Senior Manager, Freed Maxick Risk Advisory Services

If you are a service provider that uses network segmentation to reduce the overall scope of your PCI DSS assessment, what was formerly an annual requirement to obtain a penetration test is now a semi-annual requirement, meaning the segmentation test must be performed every six months. Make sure to reach out to your QSA to confirm that you are meeting this timing requirement.



Freed Maxick Guidance

Organizations should schedule penetration tests in advance to meet the timing requirement. An experienced and qualified penetration tester who is independent of the organizational unit being tested should perform the assessment, both to validate that the segmentation controls are effective and to confirm the scope of the cardholder data environment.


PCI DSS Resources

For more guidance on compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here, but for a more detailed discussion of your organization’s situation and needs, contact us or call me at 716.847.2651.
