If segmentation isolates the CDE, penetration tests must be performed at least annually and after changes to segmentation controls to verify segmentation methods are operational and isolate out-of-scope systems.


Multiple Choice


Explanation:
Segmentation controls (firewall rules, VLAN boundaries, access control lists and similar mechanisms) are used to isolate the cardholder data environment so that systems outside it stay out of scope and cannot be used as a path into the CDE. Segmentation only reduces scope if it actually works, so it must be verified by hands-on testing rather than assumed from design documents. The required approach is to perform penetration testing of the segmentation controls at least once a year and again after any change to those controls, testing from out-of-scope networks toward the CDE to confirm that isolation holds. This serves two purposes: a routine check that the isolation remains effective, and a way to catch new misconfigurations or gaps introduced by a change (a new firewall rule, a re-addressed subnet, a migrated host) before they expose the CDE or pull out-of-scope systems into scope. So the best choice reflects that both timing points are necessary: the annual test and a test after any change to segmentation controls. The other options don't fit because they miss either the regular cadence or the post-change validation, or imply no testing is needed at all. (Service providers are held to a stricter cadence of at least every six months and after changes; the annual minimum in this question is the general requirement.)

