As a follow-up to the "What 2018 Means for Your PCI DSS Assessment" article I posted, a client of mine had a great question regarding the future date for the semi-annual segmentation penetration test requirement for service providers. They were curious what the February 1, 2018 date meant specifically for their compliance. For instance, if they previously completed a segmentation penetration test in August 2017, would they be required to perform another test six months later, as the requirement would be applicable on February 1, 2018? Or, would they instead be required to perform a segmentation penetration test six months from the February 1, 2018 date?
I thought through the two options and could see both sides of the coin. I immediately started worrying that this would be one of those gray areas where assessors and assessment firms take different stances, with some taking the harder stance that a test is necessary six months from the last annual test, and others agreeing that a test should take place six months from the February 1st date. Luckily, there was no need to worry. Once again, the PCI FAQ site came to the rescue, and it had this to say regarding the new service provider segmentation penetration testing requirement:
In summary, service providers should ensure that:
- A penetration test of their segmentation controls is performed within the 12 months prior to February 1, 2018.
- As of February 1, 2018, they have a process in place to perform penetration tests every six months.
- As of August 1, 2018, at least one six-monthly penetration test has occurred.
- Penetration tests continue to be performed at least once every six months thereafter.
As I use the PCI FAQ site all the time, whether for gray area topics or just for overall sanity checks, I thought this would be a great time to put a spotlight on the site, which is linked here. The site provides a great knowledge base for questions you may have on PCI topics or scenarios. If you come up with a question that stumps you, this is a great go-to site with answers directly from the PCI SSC.
Note that some of the responses on the site refer you to the Payment Card Brands and/or Acquiring Banks (Merchant Banks) for the final decision. We must remember that the card brands enforce compliance, and the PCI SSC defers to the brands on matters of enforcement. Also, one card brand's response may differ from another's in certain matters.
Need to contact a payment brand? No problem: the PCI SSC FAQ site has that information too. Check it out here.
About the Author
Kate Donofrio is a Senior Associate with Schellman. Prior to joining Schellman in 2016, Ms. Donofrio worked as a Senior Security Assessor specializing in PCI DSS compliance audits and information security consulting engagements. Ms. Donofrio also led and supported various other projects, including HIPAA, social engineering exercises, information security training, and technical risk assessments that included vulnerability scanning and penetration testing. She has nearly 15 years of combined experience in the information technology and information security fields, serving clients in various industries, including call centers, financial institutions, healthcare, hospitality, and e-commerce. Further, she has experience performing both systems and network engineering. Ms. Donofrio is now mainly dedicated to performing PCI DSS assessments.