GRCWatch
Sign inStart free trial

PCI DSS 11.4.6: Semi-Annual Penetration Testing for Network Segmentation

Service providers using network segmentation must validate its effectiveness through rigorous testing. PCI DSS 11.4.6 requires penetration tests at least every six months to ensure segmentation controls continue protecting cardholder data environments. This control is essential for service providers who rely on segmentation to maintain PCI compliance.

What this means

If your organization uses network segmentation as a control mechanism, you must conduct penetration tests to verify that segmentation boundaries remain effective and cannot be bypassed. These tests must occur at minimum twice per year. The requirement applies specifically to service providers and ensures that segmentation—whether physical or logical—actually prevents unauthorized movement between networks and protects the cardholder data environment (CDE) from less-secure network segments.

How to comply

  1. 1.Document all segmentation points and boundaries within your network architecture
  2. 2.Establish a penetration testing schedule with tests occurring at least every six months
  3. 3.Engage qualified internal security staff or third-party testers to conduct segmentation-focused penetration tests
  4. 4.Ensure tests specifically attempt to bypass segmentation controls and move between network segments
  5. 5.Document test scope, methodology, date, and results in a formal report
  6. 6.Remediate any identified segmentation weaknesses within defined timeframes
  7. 7.Maintain evidence of all testing activities and remediation actions for audits

Evidence auditors look for

  • Penetration test reports dated and executed within the six-month interval
  • Network segmentation diagrams with documented test boundaries
  • Documented test methodology confirming segmentation bypass attempts
  • Remediation records addressing any segmentation control failures identified during testing
  • Penetration testing contract or statement of work from qualified testers
  • Internal approval and sign-off on segmentation test results

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates penetration test scheduling, tracks segmentation testing intervals, and maintains audit-ready evidence documentation—eliminating manual tracking and ensuring your semi-annual testing deadlines never slip.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 11.3 — Penetration Testing RequirementsPCI DSS 11.2 — Quarterly Security ScansPCI DSS 1.2 — Network Segmentation RequirementsPCI DSS 1.1 — Firewall Configuration Standards