Specifications include, but are not limited to:

1. Penetration testing from both inside and outside the network.
2. Testing to validate any segmentation and scope-reduction controls.
3. Verification that the segmentation methods are operational and effective, and that they isolate all out-of-scope systems from in-scope systems.
4. Specification of remediation.
5. Network-layer penetration tests, to include components that support network functions as well as operating systems that are within the scope of each segmented PCI cardholder data environment; 5.10).

Application-layer vulnerability classes to be tested (PCI DSS Requirement 6.5 numbering):

1. 6.5.7 - Cross-site scripting (XSS)
2. 6.5.8 - Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions)
3. 6.5.9 - Cross-site request forgery (CSRF)
4. 6.5.10 - Broken authentication and session management
   - Verify that broken authentication and session management are addressed via coding techniques that commonly include:
     - Flagging session tokens (for example, cookies) as "secure";

Internal test activities:

1. Confirmation of proper network segmentation
2. Identification and validation of vulnerabilities in network-facing services
3. Leveraging detected vulnerabilities for lateral movement within sets of identified systems.
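The 6.5.10 item above asks the tester to verify that session tokens are flagged "secure". The following is an added example for this page, not code from the specification or from any assessed application: a small audit over Set-Cookie headers that reports session cookies missing the Secure flag, and, going beyond the single attribute the text names, also checks HttpOnly (bears on 6.5.7, token theft via injected script) and SameSite (bears on 6.5.9, CSRF). The sample headers, the cookie names and the "session-like name" regular expression are constructed assumptions; in an engagement the headers come from captured responses of the in-scope application.

```python
"""Audit Set-Cookie headers for the session-token attributes a PCI DSS 6.5.10
review expects. Added example for this page, not code from the specification.
Cookie names, values and the session-name heuristic below are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample responses (not captured from any real system).
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=3F1A9C; Path=/",                            # no protective flags
    "PHPSESSID=7b2e9d; Path=/; Secure",                     # Secure only
    "sid=0c4f21; Path=/; Secure; HttpOnly; SameSite=Lax",   # hardened
    "theme=dark; Path=/; Max-Age=31536000",                 # not a session cookie
]

# Heuristic for names that usually carry a session token (assumption; tune per app).
SESSION_NAME_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


@dataclass
class CookieReport:
    name: str
    is_session: bool
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str]


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie header into its name and case-insensitive attributes,
    then evaluate the attributes a session cookie is expected to carry."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # bare flags (Secure) get ""
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    samesite = attrs.get("samesite") or None
    is_session = bool(SESSION_NAME_RE.search(name))

    findings: List[str] = []
    if is_session:
        if not secure:
            findings.append("missing Secure: token may be sent over plaintext HTTP (6.5.10)")
        if not httponly:
            findings.append("missing HttpOnly: token readable by injected script (6.5.7)")
        if samesite is None or samesite.lower() == "none":
            findings.append("SameSite absent or None: cookie attached to cross-site requests (6.5.9)")
    return CookieReport(name, is_session, secure, httponly, samesite, findings)


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Return {cookie name: findings} for every session cookie with a defect."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        result = parse_set_cookie(header)
        if result.findings:
            report[result.name] = result.findings
    return report


def hardened_session_cookie(name: str, value: str, same_site: str = "Lax") -> str:
    """Emit a Set-Cookie header carrying the attributes the audit checks for."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


if __name__ == "__main__":
    for cookie, problems in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(cookie)
        for problem in problems:
            print("  -", problem)
```

Run against the constructed sample, the audit reports JSESSIONID (three findings) and PHPSESSID (two findings), passes the hardened sid cookie, and ignores the non-session theme cookie. The name heuristic is deliberately loose; during a test it should be replaced with the actual session cookie names observed for the application so that a renamed token is not silently skipped.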