Maintaining PCI DSS Segmentation Assurance: Understanding Requirement 11.4.6 for Service Providers

Uphold requirement 11.4.6 with testing documentation.
Overview

Effective network segmentation plays a critical role in managing the scope of PCI DSS compliance. For service providers, where multiple environments and interconnected systems may coexist, maintaining this isolation requires a clear understanding of the environment and is not a one-time task but an ongoing necessity.

Requirement 11.4.6 of PCI DSS v4.0 introduces a specific obligation: service providers using segmentation to isolate their Cardholder Data Environment (CDE) must validate the effectiveness of those controls through penetration testing at least once every six months or immediately following any changes to segmentation controls/methods.

Why Segmentation Testing Matters

Segmentation (also referred to as “network segmentation” or “isolation”) defines the logical separation between the CDE and non-CDE systems. Its purpose is to reduce risk exposure and narrow the scope of assessment. However, network environments are not static. Updates to firewalls, changes in routes, or newly introduced systems can inadvertently expose sensitive areas if segmentation rules are misconfigured or bypassed.

Periodic testing under Requirement 11.4.6 acts as a verification layer. It assures that segmentation measures remain intact and that the CDE is not accessible from out-of-scope networks or untrusted zones.

What does PCI DSS Requirement 11.4.6 specify?

Requirement 11.4.6 outlines the minimum expectations for segmentation testing among service providers. It stipulates the following:

  • Frequency: Penetration testing of segmentation must be performed at least once every six months. This regular cadence ensures ongoing effectiveness and aligns with the dynamic nature of IT infrastructure changes.
  • Post-change validation: Any changes to segmentation methods, such as new VLAN configurations, firewall rules, or routing adjustments, necessitate immediate re-testing to confirm that the CDE remains properly isolated.
  • Full control coverage: The assessment must examine all segmentation methods in use, regardless of their technical nature.
  • Scope of validation: The testing must confirm that segmentation effectively prevents communication between the CDE and out-of-scope environments. Systems with different trust levels should remain distinctly segregated, and any allowance for interaction must be explicitly authorised and controlled.
  • Independence of testing function: While the requirement does not mandate a QSA or Approved Scanning Vendor (ASV) to conduct the testing, it does require that the testers be qualified and organisationally independent from those responsible for implementing the segmentation.

Common Risks of Insufficient Segmentation Validation

Failing to validate segmentation controls can expose service providers to significant compliance gaps. Some of the most frequent issues observed in this area include:

  • Assuming controls remain effective after changes: Without formal testing, minor configuration updates may unintentionally introduce routing paths or firewall exceptions that compromise segmentation.
  • Incomplete test scope: Overlooking less-visible or legacy network segments during validation can lead to false assumptions about security.
  • Lack of documentation: Even where testing is performed, insufficient records of testing scope, methodology, and outcomes can lead to findings during PCI DSS assessments.

Documenting and Demonstrating Compliance

As with all elements of PCI DSS, maintaining verifiable evidence is essential. Service providers are expected to retain detailed records of the test methodologies and tools employed, the specific segmentation controls evaluated, the results obtained and any findings identified, and any remediation actions undertaken where applicable. These records not only demonstrate a proactive approach to compliance but also support the overall integrity of the security testing process.

During formal assessments, this documentation must be readily available for review to confirm compliance with Requirement 11.4.6. Establishing a consistent testing schedule, particularly one that is synchronised with infrastructure change management procedures, can greatly assist in meeting this requirement efficiently. This approach not only strengthens accountability but also reinforces the effectiveness and continuity of segmentation testing within the broader PCI DSS framework.
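As an added illustration (not code from this article or from Risk Associates), the following Python checker ties together the testing criteria listed under "What does PCI DSS Requirement 11.4.6 specify?" and the evidence expectations above. It takes the results of a segmentation test and the list of explicitly authorised cross-boundary flows, flags any reachable path between the CDE and an out-of-scope zone that is not authorised, notes authorised paths the test did not cover (an incomplete-scope gap rather than a violation), works out when the next test falls due (six months, or immediately after a later segmentation change), and assembles the kind of record an assessor would ask to see. Zone names, ports, dates and change-ticket references are constructed; the `cde` zone name and the 182-day reading of "six months" are assumptions.

```python
# Added example, not from the original article: segmentation test evidence
# checker for PCI DSS Requirement 11.4.6. All sample data is constructed.
import json
from dataclasses import dataclass, asdict
from datetime import date, timedelta

CDE_ZONES = {"cde"}                     # zones in scope for PCI DSS (assumption)
RETEST_INTERVAL = timedelta(days=182)   # "at least once every six months", read as 182 days (assumption)


@dataclass(frozen=True)
class Observation:
    """One connectivity probe: was dst_zone:dst_port reachable from src_zone?"""
    src_zone: str
    dst_zone: str
    dst_port: int
    reachable: bool


@dataclass(frozen=True)
class AuthorizedPath:
    """A cross-boundary flow that is explicitly authorised and controlled."""
    src_zone: str
    dst_zone: str
    dst_port: int
    ticket: str   # change/authorisation reference approving the flow


def crosses_cde_boundary(src_zone: str, dst_zone: str) -> bool:
    """True when exactly one side of the flow is in the CDE."""
    return (src_zone in CDE_ZONES) != (dst_zone in CDE_ZONES)


def find_violations(observations, authorized):
    """Cross-boundary paths that were reachable but are not on the authorised list."""
    allowed = {(a.src_zone, a.dst_zone, a.dst_port) for a in authorized}
    return [
        o for o in observations
        if o.reachable
        and crosses_cde_boundary(o.src_zone, o.dst_zone)
        and (o.src_zone, o.dst_zone, o.dst_port) not in allowed
    ]


def find_untested_paths(observations, authorized):
    """Authorised paths the test never probed: a coverage gap, not a violation."""
    probed = {(o.src_zone, o.dst_zone, o.dst_port) for o in observations}
    return [a for a in authorized if (a.src_zone, a.dst_zone, a.dst_port) not in probed]


def next_test_due(last_test: date, segmentation_changes) -> date:
    """Six months after the last test, or immediately after any later segmentation change."""
    later_changes = [c for c in segmentation_changes if c > last_test]
    if later_changes:
        return min(later_changes)      # a change to segmentation triggers immediate re-testing
    return last_test + RETEST_INTERVAL


def evidence_record(test_date, tester, methodology, observations, authorized, changes):
    """Assemble the record an assessor would expect for Requirement 11.4.6."""
    violations = find_violations(observations, authorized)
    untested = find_untested_paths(observations, authorized)
    zones = {o.src_zone for o in observations} | {o.dst_zone for o in observations}
    return {
        "test_date": test_date.isoformat(),
        "tester": tester,                      # must be independent of those who implemented segmentation
        "methodology": methodology,
        "zones_tested": sorted(zones),
        "probes": len(observations),
        "findings": [asdict(v) for v in violations],
        "coverage_gaps": [asdict(u) for u in untested],
        "status": "FAIL" if violations else "PASS",
        "next_test_due": next_test_due(test_date, changes).isoformat(),
    }


# Constructed sample data for one test run.
SAMPLE_TEST_DATE = date(2025, 1, 15)
SAMPLE_AUTHORIZED = [
    AuthorizedPath("corp", "cde", 443, "CHG-0101"),   # payment web tier, approved
    AuthorizedPath("cde", "corp", 53, "CHG-0102"),    # DNS out of the CDE, approved
    AuthorizedPath("mgmt", "cde", 22, "CHG-0103"),    # approved but never probed -> coverage gap
]
SAMPLE_OBSERVATIONS = [
    Observation("corp", "cde", 443, True),     # authorised, expected
    Observation("corp", "cde", 22, True),      # reachable and NOT authorised -> finding
    Observation("guest", "cde", 3389, False),  # blocked as expected
    Observation("cde", "corp", 53, True),      # authorised
    Observation("cde", "cde", 1433, True),     # intra-CDE, not a segmentation boundary
]
SAMPLE_CHANGES = [date(2025, 3, 2)]            # a firewall rule change after the last test


def sample_record():
    return evidence_record(SAMPLE_TEST_DATE, "independent tester (assumed)",
                           "port reachability probes from each zone",
                           SAMPLE_OBSERVATIONS, SAMPLE_AUTHORIZED, SAMPLE_CHANGES)


if __name__ == "__main__":
    print(json.dumps(sample_record(), indent=2))
```

The record is deliberately built from the same facts the requirement names (scope, methodology, controls evaluated, results, findings, next due date), so it can be filed as-is alongside the raw probe output; the `coverage_gaps` list exists because an authorised path that was never probed is exactly the "incomplete test scope" risk the article describes.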

The Broader Compliance Context

Segmentation testing is not an isolated activity; it supports other areas of PCI DSS by reinforcing control boundaries. It contributes to maintaining accurate scoping, reduces exposure in the event of compromise, and ensures that protective measures apply only where required, improving efficiency without compromising security.

Service providers handling payment card data within complex or shared environments must give particular attention to segmentation validation. By routinely testing and documenting their segmentation controls, they strengthen their overall compliance posture and uphold trust with their customers and partners.

Copyright © 2025. All Rights Reserved by Risk Associates.