Demystifying PCI DSS requirements: Penetration/segmentation testing