Segmentation penetration testing for PCI compliance

Introduction – an overview of Network Segmentation

Network segments are now part of almost any organization's infrastructure. Network segmentation is the splitting of a computer network into separate zones according to business requirements.

Segmentation of a network serves many purposes. It helps avoid congestion in the overall network and isolates crucial segments (those that hold critical data) from the others. Every organization follows its own segmentation process and procedures depending on its business requirements.

For example, a large organization whose business involves any kind of payment may store cardholder data (CD) in one segment and its other databases in different segments. A Cardholder Data Environment (CDE) is the network segment that stores, processes and transmits cardholder data. The CDE is generally referred to as PCI (Payment Card Industry) in-scope, and the remaining segments as PCI out-of-scope. Banks in particular run infrastructure that contains such segments.

Cardholder data includes the cardholder name, card number, expiration date or service code, and CVV. It should never be compromised or exposed.

The cardholder data environment (CDE) should always be secured and should have only limited access from and to other segments, in accordance with the Payment Card Industry Data Security Standard (PCI-DSS) requirements (Req. no 11.3.4). It should be accessible only from the internal network and never be exposed externally by any means. There should be no unauthorized link or connection between PCI in-scope and PCI out-of-scope, and access to and from PCI in-scope should be limited in every sense.

In order to secure PCI in-scope (the CDE), segmentation penetration testing came into practice. Businesses that hold cardholder data and require PCI-DSS compliance should have segmentation penetration testing performed. As per PCI, segmentation penetration testing needs to be done once every year for merchants and once every six months for merchant service providers.
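The two preceding paragraphs describe what a segmentation test has to confirm: nothing out-of-scope can reach the CDE, nothing in the CDE can reach out-of-scope segments, and any exception exists only because it is documented and authorized. The script below is an added example, not code from the original post or from Infosec Resources; it shows how a tester or auditor might evaluate port-scan results gathered during such a test against a scoping inventory. The segment ranges, the allowlist entry (an SSH path from a jump host, a common but assumed exception) and the scan results are all constructed for illustration. One design choice worth noting: a `closed` result still means the probe reached a CDE host and got a reply, so it is treated as reachability just like `open`; only `filtered` shows the segmentation control actually dropped the traffic.

```python
"""Evaluate segmentation-test scan results against a PCI scoping inventory.

Added example, not part of the original post. Every segment, address,
allowlist entry and scan result below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Constructed scoping inventory: which network ranges are PCI in-scope (CDE)
# and which are out-of-scope.
SEGMENTS = {
    "cde":        ipaddress.ip_network("10.10.0.0/24"),   # in-scope (CDE)
    "corp-lan":   ipaddress.ip_network("10.20.0.0/24"),   # out-of-scope
    "guest-wifi": ipaddress.ip_network("10.30.0.0/24"),   # out-of-scope
    "jump":       ipaddress.ip_network("10.40.0.0/28"),   # out-of-scope admin hosts
}
IN_SCOPE = {"cde"}

# Constructed allowlist of documented, authorised cross-boundary flows:
# (source segment, destination segment, destination port).
ALLOWED_FLOWS = {
    ("jump", "cde", 22),   # assumed: administrative SSH via a hardened jump host
}


@dataclass(frozen=True)
class ScanResult:
    src: str      # scanner address, placed inside the source segment
    dst: str      # probed target address
    port: int     # probed TCP port
    state: str    # "open", "closed" or "filtered" (nmap-style wording)


def segment_of(ip: str) -> str:
    """Map an address to its inventory segment, or 'unknown' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def reached_target(state: str) -> bool:
    """'open' and 'closed' both prove the probe crossed the boundary and the
    target answered; only 'filtered' shows the control dropped the traffic."""
    return state in ("open", "closed")


def find_violations(results: Iterable[ScanResult]) -> List[ScanResult]:
    """Return results that show reachability across the CDE boundary which is
    not covered by the documented allowlist."""
    violations = []
    for r in results:
        if not reached_target(r.state):
            continue
        src_seg, dst_seg = segment_of(r.src), segment_of(r.dst)
        crosses_boundary = (src_seg in IN_SCOPE) != (dst_seg in IN_SCOPE)
        if crosses_boundary and (src_seg, dst_seg, r.port) not in ALLOWED_FLOWS:
            violations.append(r)
    return violations


# Constructed results from a hypothetical segmentation test.
SAMPLE_RESULTS = [
    ScanResult("10.20.0.5", "10.10.0.10", 3306, "open"),      # corp LAN reaches CDE DB: violation
    ScanResult("10.20.0.5", "10.10.0.10", 22, "filtered"),    # dropped: control held
    ScanResult("10.40.0.2", "10.10.0.10", 22, "open"),        # documented jump-host path: allowed
    ScanResult("10.10.0.10", "10.30.0.7", 443, "open"),       # CDE host reaches guest Wi-Fi: violation
    ScanResult("10.30.0.7", "10.10.0.10", 80, "closed"),      # RST came back from CDE: violation
    ScanResult("10.20.0.5", "10.20.0.9", 445, "open"),        # out-of-scope to out-of-scope: ignored
]


def report(results: Iterable[ScanResult]) -> str:
    """Render the violations as one line each for a test report."""
    lines = []
    for v in find_violations(results):
        lines.append(f"VIOLATION {segment_of(v.src)} ({v.src}) -> "
                     f"{segment_of(v.dst)} ({v.dst}) tcp/{v.port} [{v.state}]")
    return "\n".join(lines) if lines else "No unauthorised cross-boundary reachability found."


if __name__ == "__main__":
    print(report(SAMPLE_RESULTS))
```

Running the script prints three violation lines: the corp-LAN-to-CDE database port, the outbound connection from the CDE host to the guest network, and the `closed` reply from a CDE host to a guest-Wi-Fi probe. The filtered probe and the allowlisted jump-host SSH path are not reported, and traffic that never touches the CDE is outside the check. In a real engagement the allowlist would be the organization's documented firewall exceptions and the results would come from scans launched inside each out-of-scope segment and inside the CDE.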


*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Shubham Vashist. Read the original post at:

Shubham Vashist

Shubham Vashist, from India, is an enthusiastic Information Security Researcher & Web application Security Tester. Having earned a Computer Science and Engineering degree, he has gained experience by learning, practicing and reporting bugs to application vendors. His passion is to secure the applications from attackers and make them reliable.
