GRCWatch
Sign inStart free trial

PCI DSS 11.4.5: Testing Segmentation Controls Every 12 Months

If you're using network segmentation to isolate your cardholder data environment (CDE), PCI DSS 11.4.5 requires annual penetration testing to verify those controls are working. This control ensures your segmentation strategy actually prevents unauthorized access to sensitive payment data.

What this means

Control 11.4.5 mandates that organizations performing network segmentation for CDE isolation must conduct penetration tests at least once per calendar year. These tests validate that segmentation boundaries are effective and that attackers cannot bypass controls to reach cardholder data. The control applies specifically when segmentation is your chosen method for isolating the CDE from the rest of your network.

How to comply

  1. 1.Document your segmentation architecture and identify all CDE boundaries requiring testing
  2. 2.Schedule annual penetration tests with qualified security testers or internal penetration testing teams
  3. 3.Design tests to specifically target segmentation controls and boundary enforcement mechanisms
  4. 4.Execute penetration tests attempting to move laterally from non-CDE to CDE networks
  5. 5.Document all test results, findings, and any compensating controls implemented
  6. 6.Remediate identified vulnerabilities and re-test to confirm segmentation effectiveness
  7. 7.Maintain evidence of testing completion with dates, scope, and tester qualifications

Evidence auditors look for

  • Penetration testing reports dated within the past 12 months with CDE segmentation scope
  • Test scope documentation showing which segmentation boundaries were evaluated
  • Evidence of lateral movement testing attempts across network segments
  • Remediation records for vulnerabilities discovered during segmentation testing
  • Tester qualifications or certifications (OSCP, CEH, GPEN, or equivalent)
  • Risk acceptance documentation for any findings left unresolved
  • Calendar or project management records showing scheduled annual testing dates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates segmentation test scheduling, maintains penetration testing records with automated evidence collection, and tracks annual test compliance status in your PCI DSS dashboard.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 11.3 (Penetration Testing)PCI DSS 11.4.1 (Network Segmentation Documentation)PCI DSS 11.4.4 (Segmentation Validation)