The purpose of Network Segmentation Penetration Testing for PCI DSS is to identify and validate the effectiveness of the network traffic restrictions between defined segments, specifically from out-of-scope networks to the in-scope networks that hold sensitive information such as Cardholder Data (CHD). The Cardholder Data Environment (CDE) is the network segment that stores, processes or transmits cardholder data.

PCI Network Segmentation

Network segmentation helps avoid congestion in the overall network and isolates crucial segments (those holding critical data) from other segments. Every organization follows its own segmentation process and procedures according to its business requirements. Segmentation Penetration Testing is carried out as a requirement of industry-standard compliance programs such as the Payment Card Industry Data Security Standard (PCI DSS).

As per PCI guidelines, Segmentation Penetration Testing must be performed once every year for merchants and once every six months for merchant service providers.

Methodology


Information Gathering

After the scope is defined, we enumerate the in-scope systems to gather information about potential vulnerabilities.


Vulnerability Analysis and Exploitation

Identify the security weaknesses that could be exploited and attempt to exploit them to gain access to additional assets.


Post-Exploitation Assessment

Assess the value of the compromised machine as an entry point to determine whether further exploitation is warranted.


Initial Reporting

Share a detailed risk description of every reported vulnerability along with a proof of concept (POC) and a criticality rating based on the risk and potential business impact.


Confirmatory Assessment

Systems and components are re-tested after remediation to validate that the applied fixes address the identified observations.


Final Reporting

Based on the test results of the confirmatory assessment, a Pass/Fail report is issued.
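The Pass/Fail decision described above, together with the purpose stated at the top of the page (no unexpected path from an out-of-scope segment into the CDE), can be expressed as a small evaluator. This is an added example, not code from the original page or from the testing team; the CDE range, the permitted jump-host flow and the probe results are constructed sample values.

```python
"""Evaluate segmentation test results for a PCI DSS Pass/Fail verdict.

A segmentation test fails if any probe from an out-of-scope host reaches an
in-scope (CDE) host on a flow that the scope document does not explicitly
permit. Sample scope and probe data below are constructed for illustration.
"""
import socket
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed scope definition (example values, not from any real engagement).
CDE_NETWORKS = [ip_network("10.20.0.0/24")]
# Flows the scope document explicitly permits, e.g. a hardened jump host
# reaching one CDE host over SSH. Everything else into the CDE must be blocked.
ALLOWED_FLOWS = {("10.50.0.5", "10.20.0.10", 22)}


@dataclass(frozen=True)
class Probe:
    src: str        # out-of-scope host that originated the probe
    dst: str        # target host inside (or outside) the CDE
    port: int
    reachable: bool  # whether a TCP connection was established


def tcp_probe(src: str, dst: str, port: int, timeout: float = 2.0) -> Probe:
    """Run a single TCP connect from this host and record the outcome.

    Intended to be executed on the out-of-scope test machine; `src` is
    recorded for reporting only.
    """
    try:
        with socket.create_connection((dst, port), timeout=timeout):
            return Probe(src, dst, port, True)
    except OSError:
        return Probe(src, dst, port, False)


def evaluate(probes):
    """Return (verdict, findings) for a set of probe results.

    Probes to destinations outside the CDE are ignored; a reachable CDE
    destination that is not on the allowlist is a finding and fails the test.
    """
    findings = []
    for p in probes:
        if not any(ip_address(p.dst) in net for net in CDE_NETWORKS):
            continue  # destination is not in scope for this check
        if p.reachable and (p.src, p.dst, p.port) not in ALLOWED_FLOWS:
            findings.append(f"{p.src} -> {p.dst}:{p.port} reachable from out-of-scope segment")
    return ("Fail" if findings else "Pass", findings)
```

Feed `evaluate` the probe results collected from each out-of-scope segment; the findings list is the evidence that goes into the report alongside the verdict.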

Frequently Asked Questions

The approximate time required for Network Segmentation Penetration Testing is 3 days of testing and 1 day for reporting.

PCI DSS and all applicable industry-standard security frameworks are the reference documents normally followed for Network Segmentation Penetration Testing.

Network Segmentation Penetration Testing is typically performed using a combination of manual and automated techniques and tools to identify weaknesses in the segmentation controls between the in-scope and out-of-scope networks (depending on the scope and goal of the engagement).

The frequency of Network Segmentation Penetration Testing is determined by the industry security standards applicable to the organization. It also depends on the results of the risk assessment. However, as an industry best practice, it is recommended to perform these assessments at least once a year or after a change in the environment.

Our team will share the pre-requisite documents, which list all the testing requirements such as VPN credentials and in-scope and out-of-scope information. You will need to fill in these documents as applicable to the assessment and share the completed documents with the team to initiate the tests.
