Security Blog

Penetration Testing and PCI DSS: twice is better than once

Some more clarification was recently provided regarding a new penetration test requirement for Service Providers.

PCI DSS v3.2 does indeed include an additional requirement for service providers only (Requirement 11.3.4.1), effective 1 February 2018:

If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

Now, this is not a minor detail, since the requirement has important ramifications for assessments conducted in 2018.

First off, for any PCI DSS assessment of a service provider performed on or after 1 February 2018, the service provider will have to demonstrate that it has a process in place to penetration test its segmentation controls every six months. Moreover, for assessments performed between 1 February and 1 August 2018 where a six-monthly test has not yet occurred, the service provider is expected to have a firm plan in place to perform one on or before 1 August 2018: that is six months after the effective date, and therefore the date by which every service provider should have performed at least one six-monthly test. Note that this is in addition to the existing Requirement 11.3 tests, namely the annual internal and external penetration tests (11.3.1 and 11.3.2) and the testing of segmentation controls at least annually and after any change (11.3.4); for service providers, the segmentation testing interval is simply halved.

So, long story short, all service providers that rely on segmentation will now have to ensure that:

  1. As of 1 February 2018, a process is in place to penetration test segmentation controls every six months (and after any change to segmentation controls or methods).
  2. As of 1 August 2018, at least one six-monthly segmentation test has occurred.
  3. Segmentation tests continue to be performed at least once every six months thereafter.

Judging by the Council now requiring double the effort on this matter, this seems to confirm that scoping and segmentation remain among the most troublesome, or at least the most poorly handled, topics in PCI DSS.

That alone seems reason enough to also take a look at the “Guidance for PCI DSS Scoping and Network Segmentation” information supplement, released in December 2016.

On the topic of guidance documents from the Council, the “Penetration Testing Guidance” information supplement is one that I’ve personally always considered pretty clear, exhaustive and, all in all, well structured around the matter. I recall that I welcomed it very favourably back in March 2015, especially since it was replacing a really not as accurate – or, more frankly, a dismal – previous guidance document on the same matter. Nonetheless, it now seems like the guidance document is, for some strange and unspecified reason, causing enough “confusion” to make the Council declare that they are evaluating a potential update in the near future.

Whilst speculating about what could be so confusing about such a document seems a fairly fruitless endeavour, it is once again important to keep in mind that, like any other information supplement, the “Penetration Testing Guidance” document is intended to provide guidance and help organizations meet the intent of PCI DSS Requirement 11.3 as it applies to their environment. It does not supersede or extend any PCI DSS requirement.

  • 24 Solutions AB
  • Smedjegatan 2C
  • SE-13154 Nacka, Sweden
  • +46 (0)8 535 24 100