Penetration Testing for AWS Segmentation Controls
How to Verify Segmentation Methods
Are your AWS resources segmented from your cardholder data environment (CDE)? The fewer systems involved in your payment flow, the better. You can verify that your segmentation controls are working properly through penetration testing. PCI DSS Requirement 11.3.4 requires that, if segmentation is used to isolate the CDE from other networks, penetration tests be performed at least annually and after any change to the segmentation controls or methods, to verify that those methods are operational and effective and that out-of-scope systems have no connectivity to in-scope systems. For service providers, Requirement 11.3.4.1 raises the frequency to at least every six months and after any change to the segmentation controls.
AWS customers can carry out security assessments and penetration testing against their own AWS infrastructure without prior approval for the services listed in the policy (eight at the time of writing). The policy still constrains what you test: only resources in your own accounts, and activities such as denial-of-service simulation remain prohibited. For more information, learn about vulnerability assessment and management in AWS Marketplace and the AWS Customer Support Policy for Penetration Testing.
Transcription
PCI Requirement 11.3.4 deals with segmentation controls. You really have to spend a lot of time evaluating if you are actually properly segmenting your cardholder data environment away from other system resources within your AWS environment. A lot of times, people will show us security groups and explain that they’re using security groups to segment this from that. However, within the policy, it is allowed for this port to have access to the CDE, and that is not segmentation if traffic is allowed between those two areas. Sometimes people will say that they have multi-factor authentication within IAM roles, but that is not, by itself, segmentation to your CDE. You’re allowing that traffic to pass. Even though you’ve implemented MFA, MFA by itself is not a segmentation control. You have to disallow traffic from this system to your CDE. Those controls that you put into place, which are typically firewalls that block that access or other ACLs that could potentially block that access, are very critical to protecting your CDE, if you’ve implemented them.
Within your pen testing requirement in PCI Requirement 11.3.4, you have to ensure that your pen tester is testing those segmentation controls. Are they implemented properly? Are they operating effectively? That’s what the results of the segmentation test should show. If you are a service provider within the PCI ecosystem – if you are providing services to another entity that is striving to be PCI compliant, or if you are a PCI-compliant service provider who has payment processing or managed services or hosting and you are providing those services to other entities who are relying upon your PCI compliance – you have to perform that segmentation testing twice a year. One of the reasons that this requirement went into place a couple of years ago is that many of the data breaches that have occurred happened because a control was operating effectively, but at some point throughout the year, something changed. A data breach occurred because the segmentation control wasn’t effective. So, testing it semi-annually is very critical for complying with PCI Requirement 11.3.4.
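The point made above, that a security group policy which permits a port from outside the CDE is not segmentation, and the earlier requirement to verify no connectivity between in-scope and out-of-scope resources, both come down to the same question a tester asks first: which rules on the CDE's security groups admit traffic from sources that are not themselves in the CDE? The following is an added example, not code from the original page or from AWS, that answers that question for a constructed set of security groups. The CIDR 10.10.0.0/16, the group IDs such as sg-cde-db and sg-corp-bastion, and the sample rules are all placeholders; the data is shaped like the entries boto3's describe_security_groups call returns, but only the fields used here are included.

```python
"""Flag security-group ingress rules that let non-CDE sources reach CDE groups."""
import ipaddress

# Assumed scope definition (placeholders, not real values): the CDE lives in
# 10.10.0.0/16 and is fronted by two security groups.
CDE_CIDRS = [ipaddress.ip_network("10.10.0.0/16")]
CDE_SG_IDS = {"sg-cde-db", "sg-cde-app"}

# Constructed sample, shaped like the entries boto3 returns from
# ec2.describe_security_groups()["SecurityGroups"] (only the fields used here).
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-cde-db",
        "GroupName": "cde-db",
        "IpPermissions": [
            # MySQL from the CDE app tier: source is inside the CDE, not a finding
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-cde-app"}]},
            # SSH from the corporate network: an out-of-scope source reaches the CDE
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.50.0.0/16", "Description": "corp"}],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-cde-app",
        "GroupName": "cde-app",
        "IpPermissions": [
            # HTTPS from anywhere: a path into the CDE the pen test must exercise
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # All traffic from a bastion group that is not part of the CDE
            {"IpProtocol": "-1", "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-corp-bastion"}]},
        ],
    },
    {
        # Not a CDE group, so its own rules are not examined
        "GroupId": "sg-corp-bastion",
        "GroupName": "corp-bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.50.0.0/16"}], "UserIdGroupPairs": []},
        ],
    },
]


def _port_label(perm):
    """Render a rule's port range; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def inside_cde(cidr, cde_cidrs=CDE_CIDRS):
    """True if the whole CIDR falls within one of the CDE address ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == c.version and net.subnet_of(c) for c in cde_cidrs)


def ingress_paths_into_cde(security_groups, cde_sg_ids=CDE_SG_IDS, cde_cidrs=CDE_CIDRS):
    """List every ingress rule on a CDE group whose source is outside the CDE.

    Each entry is a permitted path from an out-of-scope source into the CDE:
    either it has to go, or the segmentation test has to prove another control
    (NACL, host firewall, routing) actually blocks it.
    """
    findings = []
    for sg in security_groups:
        if sg["GroupId"] not in cde_sg_ids:
            continue
        for perm in sg["IpPermissions"]:
            proto = "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"]
            ports = _port_label(perm)
            # CIDR sources, IPv4 and IPv6 alike
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if not inside_cde(cidr, cde_cidrs):
                    findings.append({"group": sg["GroupId"], "protocol": proto,
                                     "ports": ports, "source": cidr})
            # Security-group sources count as in-CDE only if the referenced group is one
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in cde_sg_ids:
                    findings.append({"group": sg["GroupId"], "protocol": proto,
                                     "ports": ports, "source": pair["GroupId"]})
    return findings


if __name__ == "__main__":
    for f in ingress_paths_into_cde(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']}: {f['protocol']}/{f['ports']} allowed from {f['source']}")
```

Against live data, feed the function the list returned by `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` together with your own CDE group IDs and address ranges. On the sample it reports three paths: SSH into the database group from the corporate range, HTTPS into the app group from the internet, and all traffic into the app group from the bastion group. A rule that names a non-CDE security group is treated exactly like a foreign CIDR, which is the case the transcript describes. This review reads the policy as written; it is not the evidence Requirement 11.3.4 asks for. The tester still has to attempt the connections from out-of-scope hosts, because network ACLs, route tables, peering and host firewalls all change what is actually reachable, in both directions.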