We have a Cloud based, virtual data center that we access and manage using a 2-factor, on-demand VPN to a remote jump-box from anywhere in the world. As a result, our corporate network and admin machines are considered out-of-scope for PCI. Do we still need to do an internal penetration test?
Our experience is that these tests are limited and quick, however they must be done. While it’s true that in this case the in-scope systems could just as easily be administered from a Starbucks, the administrator’s workstation in a Starbucks cannot easily be compromised by exploiting other systems in the coffee shop, whereas in the corporate network the administrator's system is often joined to a domain and can be affected by other systems in the domain. The environment where users routinely access in scope systems will present an attacker with a unique opportunity to steal those credentials or manipulate that traffic. Such an opportunity would not be afforded to an attacker in a Starbucks. The interrelationship of systems inside the corporate network creates a unique set a threat vectors that must be tested.
So for PCI Pen Testing, a corporate network is defined as having a common network connect AND localized common resources such as file shares and authentication mechanisms.