Network segmentation is a common practice to reduce risk by restricting access to secure networks like your cardholder data environment (CDE) from less secure networks like your student wireless. Unless you have implemented PCI-listed P2PE solutions everywhere on campus, removed your network from scope through the use of analog or cellular terminals and outsourced e-commerce, or have the time and resources to secure your entire campus network, most likely you are using some form of segmentation.
PCI DSS v4.0 Requirement 11.4.5 (previously 11.3.4 under version 3.2) states that if segmentation is used to isolate the CDE from other networks, penetration tests must be performed at least once every 12 months and after any changes to segmentation controls/methods are made to confirm the controls are operational and effective.
Looking at merchants by SAQ type, any SAQ A-EP, SAQ B-IP, SAQ C, or SAQ D merchant should have a segmentation test performed annually in order to maintain compliance. For service providers, Requirement 11.4.6 shortens the interval: testing must be performed at least once every six months and after any change to segmentation controls. It is important to note that with PCI DSS v4.0, segmentation penetration testing is no longer required to validate PCI DSS compliance for SAQ C-VT merchant environments.
A PCI segmentation test is a form of penetration testing used to validate that segmentation controls and methods are operational, effective, and isolate all out-of-scope systems from systems in the CDE. The test verifies that your less secure networks cannot connect to, or provide a path into, your CDE. During this test, the pen testing team confirms that your firewalls, VLAN ACLs, and similar controls are configured correctly and leave no gaps, by actively attempting to find routes and paths from networks outside the CDE into the CDE.
Testing is carefully planned to examine each type of segmentation methodology in use by the customer in order to provide complete coverage and ensure the methodology is effective in every instance. The team can also work with your organization to identify all network segments, including management network segments, workstation network segments, guest wireless networks, etc., and then test from each of these locations to confirm that none of them can reach the CDE.
The segmentation test effort is usually kicked off with port scanning: from a host on each of the out-of-scope network segments, the tester scans the CDE perimeter and tries to reach it. The desired result is that nothing in the CDE answers. Open ports are an obvious failure, but even a closed-port reply matters, because it shows the firewall or ACL is passing the traffic rather than dropping it. By doing so you can confirm that no out-of-scope systems have inbound connectivity to the CDE. The point of this testing is to ensure that if an attacker gains control of a non-CDE system or network, they still cannot affect the security of the CDE. Too often organizations focus their efforts on testing for vulnerabilities within their secured networks and neglect to verify the boundary that is supposed to protect them. A segmentation test can reveal a misconfigured firewall, access incorrectly granted to systems for third-party services, and similar gaps.
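A full port scan of the CDE perimeter from every out-of-scope segment produces a lot of output, and the evidence a QSA wants is a clear per-segment verdict. The script below is an added example, not code from the original post or from RedLens InfoSec: it parses nmap's grepable (-oG) output for one segment and grades it. The command lines in the docstring, the verdict rules, and the host addresses are assumptions for the example, and the two scan outputs embedded in it are constructed, not real scans.

```python
"""
Triage of nmap grepable output from a PCI segmentation test.

Added example, not from the original post. It assumes that, from a host on each
out-of-scope segment, the tester ran something like

    nmap -Pn -sS -p- -oG seg-<name>.gnmap <CDE perimeter ranges>
    nmap -Pn -sU --top-ports 1000 -oG seg-<name>-udp.gnmap <CDE perimeter ranges>

and wants a per-segment verdict. The scan output below is constructed.
"""
import re
from collections import Counter

# What each nmap port state means when the scanner sits outside the CDE:
#   open           a CDE service answered                                -> FAIL
#   closed         nothing listens, but the host sent a RST, so the
#                  firewall/ACL is passing the traffic, not dropping it  -> FAIL
#   open|filtered  (UDP) no reply, nmap cannot tell                      -> WARN
#   filtered       traffic dropped, which is what segmentation must do   -> PASS
VERDICT = {"open": "FAIL", "closed": "FAIL", "open|filtered": "WARN", "filtered": "PASS"}

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\([^)]*\)\s*(?P<rest>.*)$")
IGNORED_RE = re.compile(r"^(?P<state>\S+)\s+\((?P<count>\d+)\)")


def parse_gnmap(text):
    """Return {ip: {"states": Counter, "open": ["port/proto", ...]}} from -oG output.

    -oG emits one 'Status:' line and one 'Ports:' line per host, tab-separated
    fields; ports not listed individually are summarised as
    'Ignored State: <state> (<count>)'.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        fields = {}
        for field in m.group("rest").split("\t"):
            key, _, value = field.partition(":")
            fields[key.strip()] = value.strip()
        if "Ports" not in fields and "Ignored State" not in fields:
            continue  # the 'Status: Up' line carries no port data
        host = hosts.setdefault(m.group("ip"), {"states": Counter(), "open": []})
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto = entry.split("/")[:3]
            host["states"][state] += 1
            if state == "open":
                host["open"].append(f"{port}/{proto}")
        ig = IGNORED_RE.match(fields.get("Ignored State", ""))
        if ig:
            host["states"][ig.group("state")] += int(ig.group("count"))
    return hosts


def check_segment(segment, gnmap_text, cde_targets):
    """Grade one out-of-scope segment's scan of the CDE perimeter.

    cde_targets lists the CDE hosts the scan was supposed to cover; any that are
    absent from the output are reported, so a scan that quietly covered less than
    the perimeter cannot pass by omission.
    """
    hosts = parse_gnmap(gnmap_text)
    findings = []
    for ip, host in hosts.items():
        for state, count in host["states"].items():
            verdict = VERDICT.get(state, "WARN")
            if verdict != "PASS":
                detail = ", ".join(host["open"]) if state == "open" else f"{count} ports"
                findings.append((ip, state, verdict, detail))
    not_scanned = sorted(set(cde_targets) - set(hosts))
    if not_scanned or any(f[2] == "FAIL" for f in findings):
        overall = "FAIL"
    elif findings:
        overall = "WARN"
    else:
        overall = "PASS"
    return {"segment": segment, "verdict": overall,
            "findings": findings, "not_scanned": not_scanned}


# Constructed sample: scanned from the student wireless segment. 10.20.0.5 answers
# on 443 and RSTs the rest (an ACL gap); 10.20.0.6 is fully filtered; 10.20.0.7
# was in the target list but never appears in the output (coverage gap).
SAMPLE_STUDENT_WIFI = """\
# Nmap 7.94 scan initiated (constructed sample, not a real scan)
Host: 10.20.0.5 ()\tStatus: Up
Host: 10.20.0.5 ()\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///\tIgnored State: closed (65533)
Host: 10.20.0.6 ()\tStatus: Up
Host: 10.20.0.6 ()\tPorts: \tIgnored State: filtered (65535)
# Nmap done (constructed sample)
"""

# Constructed sample: scanned from the management segment; everything dropped.
SAMPLE_MGMT = """\
Host: 10.20.0.5 ()\tPorts: \tIgnored State: filtered (65535)
Host: 10.20.0.6 ()\tPorts: \tIgnored State: filtered (65535)
Host: 10.20.0.7 ()\tPorts: \tIgnored State: filtered (65535)
"""

CDE_TARGETS = ["10.20.0.5", "10.20.0.6", "10.20.0.7"]  # assumed CDE perimeter hosts

if __name__ == "__main__":
    for name, output in (("student-wifi", SAMPLE_STUDENT_WIFI), ("mgmt", SAMPLE_MGMT)):
        r = check_segment(name, output, CDE_TARGETS)
        print(f"{r['segment']}: {r['verdict']}")
        for ip, state, verdict, detail in r["findings"]:
            print(f"  {verdict} {ip} {state}: {detail}")
        for ip in r["not_scanned"]:
            print(f"  FAIL {ip}: not in scan output, coverage gap")
```

Run one copy of the script per out-of-scope segment and keep the -oG files with the report; a segment only passes when every CDE target appears in the output and every port is filtered. Treating closed ports as a failure is deliberate: a RST from a CDE host proves the out-of-scope segment can reach it, which is exactly the path an attacker who compromises that segment would use.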
Segmentation testing is far less invasive than a full network penetration test. The time to complete it depends mainly on how many out-of-scope network segments there are. You can test from a sample of network segments as long as the sample is representative and every method of network segmentation in use is covered. Testing can be performed by a qualified external third-party provider or by a qualified internal resource, provided the tester has organizational independence. If you are unsure whether your organization is performing the necessary segmentation testing prior to your annual PCI attestation, reach out to us.
Some additional guidance from our RedLens InfoSec Penetration Testing Team is below:
[Sullivan]: Reducing your PCI scope by means of segmentation is not only a better way to tackle compliance, but a tenet of good security hygiene for your environment. By segmenting sensitive data from non-sensitive data, you are in a better position to put more stringent controls and monitoring in place. Testing these controls helps to reduce the effects of incidental scope creep and keeps your data secure.