Penetration testing is now a PCI DSS requirement.
Maintain PCI DSS compliance and avoid fines.
If your business accepts credit cards as a form of payment, a penetration test is a requirement. The requirement, introduced with PCI DSS v3.0 (effective January 1, 2015) and carried forward in v3.2, the current revision, obliges organizations to undergo a pentest at least annually and after any significant change to infrastructure or applications.
According to PCI DSS v3.2, for the penetration test to be valid, it must follow a defined methodology that covers the points below.
11.3 Implement a methodology for penetration testing that includes the following:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results.
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
Check out the actual PCI DSS penetration testing requirements.
Conformance’s Cyber Attack Readiness Toolkit meets or exceeds all of the PCI DSS requirements for penetration testing.