In version 3.2 of the PCI DSS, new requirements for penetration testing and network segmentation were introduced. Requirement 11.3.4 states that if segmentation is used to isolate the CDE from other networks, penetration tests must be performed at least annually and after any changes to segmentation controls/methods are made. This requirement was added to additional merchant SAQs last year, and Requirement 11.3.4.1 was updated to require service providers using segmentation to perform penetration tests on their segmentation controls every six months rather than annually.
As you know, network segmentation isn’t required by the PCI DSS, but is a common practice to reduce risk by restricting access to secure networks like your cardholder data environment (CDE) from less secure networks like your student wireless. Unless you have implemented PCI-listed P2PE solutions everywhere on campus, removed your network from scope through the use of analog terminals and outsourced e-commerce, or have the time and resources to secure your entire campus network, most likely you are using some form of segmentation.
If we look specifically at your merchants by SAQ type, any SAQ B-IP, SAQ C, or SAQ C-VT merchants should have a segmentation test performed annually in order to maintain compliance.
A segmentation test is a form of penetration testing used to validate that segmentation controls and methods are operational, effective, and isolate all out-of-scope systems from systems in the CDE. The test verifies that your less secure networks are not able to connect or provide access to your CDE. During this test, the pen testing team confirms that your firewalls, VLAN ACLs, etc. have been configured correctly, and that there are no security holes, by actively attempting to identify routes and paths from networks outside of the CDE into the CDE. Testing is carefully planned to examine each type of segmentation methodology in use by the customer in order to provide complete coverage and ensure the methodology is effective in all instances. The pen testing team will work with your organization to identify all network segments, including management network segments, workstation network segments, the guest wireless network, etc., and then test from each of these locations to ensure none of them can access the CDE.
Too often organizations focus their efforts on testing for vulnerabilities within their secured networks and fail to verify that the boundaries protecting those networks actually hold. A segmentation test can reveal a misconfigured firewall, third-party service access that was granted to CDE systems without the proper restrictions, etc. Remember the infamous Target breach, in which hackers were able to gain access to Target’s payment card information through the HVAC vendor’s access?
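The live test described above is the control that Requirement 11.3.4 actually asks for, but the first pass a practitioner makes is usually a desk check of the rule base against the scope model. The Python below is an added example, not code from CampusGuard or from the original post: it evaluates an ordered, first-match ACL for every out-of-scope segment and reports each CDE host and port the rules would let through. The subnets, segment names, ports and rules are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One ACL entry. Networks and ports used below are constructed sample values."""
    action: str          # "permit" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    dport: "int | None"  # destination TCP port, or None for any port

def first_match(rules, src_ip, dst_ip, dport):
    """Evaluate an ordered, first-match ACL with an implicit deny at the end."""
    src_ip, dst_ip = ipaddress.ip_address(str(src_ip)), ipaddress.ip_address(str(dst_ip))
    for r in rules:
        if (src_ip in ipaddress.ip_network(r.src)
                and dst_ip in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"

def segmentation_findings(rules, cde, segments, ports):
    """For every out-of-scope segment, list each (CDE host, port) the ACL would
    permit. Every host address is evaluated, so keep the segments small."""
    findings = {}
    cde_hosts = list(ipaddress.ip_network(cde).hosts())
    for name, cidr in segments.items():
        hits = set()
        for src in ipaddress.ip_network(cidr).hosts():
            for dst in cde_hosts:
                for p in ports:
                    if first_match(rules, src, dst, p) == "permit":
                        hits.add((str(dst), p))
        if hits:
            findings[name] = sorted(hits)
    return findings

# Constructed scope model: a /28 CDE and four out-of-scope segments.
CDE = "10.10.1.0/28"
SEGMENTS = {"guest_wireless": "172.16.0.0/28", "workstations": "10.20.0.0/28",
            "management": "10.99.0.0/28", "vendor_support": "10.50.0.0/28"}
# Constructed rule base. The vendor rule sits above the deny that is meant to be
# the segmentation boundary, so it opens RDP from that segment into every CDE host.
RULES = [
    Rule("permit", "10.50.0.0/28", CDE, 3389),           # third-party remote support
    Rule("deny",   "0.0.0.0/0",    CDE, None),           # intended CDE boundary
    Rule("permit", "10.20.0.0/28", CDE, 443),            # dead: shadowed by the deny
    Rule("permit", "0.0.0.0/0",    "0.0.0.0/0", None),   # ordinary campus traffic
]
```

Because evaluation is first-match, the workstation rule placed after the deny never fires, while the vendor rule placed in front of it is exactly the kind of misplaced third-party access the post warns about; a clean result here tells you which paths to expect the live test to find closed, it does not replace that test.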
Segmentation testing is far less invasive than a full network penetration test, and it can be performed by a qualified external third-party provider or by a qualified internal resource, as long as the tester has organizational independence. If you are unsure whether your organization is performing the necessary segmentation testing for your merchants, you may want to confirm this with your CampusGuard Support Team.
Some additional guidance from our Penetration Testing Team is below:
[Sullivan]: Reducing your PCI scope by means of segmentation is not only a better way to tackle compliance, but a tenet of good security hygiene for your environment. By segmenting sensitive data from non-sensitive data, you are in a better position to put more stringent controls and monitoring in place. Testing these controls helps to reduce the effects of incidental scope creep and keeps your data secure.