PCI DSS v3 Penetration Testing

Author: Martin Voelk
November 30, 2014

PCI DSS v3 makes penetration testing a formal requirement with a defined methodology (Requirement 11.3). A standard vulnerability assessment produced by automated scanning tools is no longer sufficient on its own and is not a substitute for it.

11.3
Implement a methodology for penetration testing that includes the following:

  • Is based on industry accepted penetration testing approaches (for example NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.

11.3.4
If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
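The segmentation validation called for in the 11.3 bullet list and in 11.3.4 is, at the network layer, a reachability question: from a host in an out-of-scope segment, does any packet get an answer from an in-scope system? The script below is an added example, not part of the original post or of the PCI DSS text. It performs full TCP connects against a list of host:port targets and classifies the result. The point worth noting is the "closed" case: a connection refused (RST) proves the in-scope host was reached, so it is a segmentation failure just like an open port; only a timeout (the SYN dropped) is consistent with effective isolation. The hostnames, ports and the loopback demo are assumptions for illustration.

```python
"""Segmentation probe in the spirit of PCI DSS v3 requirement 11.3.4.

Added example, not part of the original post. Run it from a host in an
out-of-scope segment against CDE addresses and ports. Hosts, ports and the
1-second timeout in the demo are assumptions for illustration.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProbeResult:
    host: str
    port: int
    # "open": handshake completed; "closed": RST came back; "filtered": no
    # answer before the timeout; anything else is the OS error text.
    outcome: str


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """Full TCP connect to one host:port and classify what came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return ProbeResult(host, port, "open")
        except socket.timeout:
            # Nothing answered: the SYN was dropped somewhere in between,
            # which is what an effective segmentation control looks like.
            return ProbeResult(host, port, "filtered")
        except ConnectionRefusedError:
            # An RST means the target host itself answered, so a path into
            # the CDE exists even though this particular port is closed.
            return ProbeResult(host, port, "closed")
        except OSError as e:
            # e.g. "No route to host": report it, but do not call it isolation
            return ProbeResult(host, port, e.strerror or str(e))


def run_segmentation_test(targets: Iterable[Tuple[str, int]],
                          timeout: float = 2.0) -> List[ProbeResult]:
    """Probe every target once and collect the classified results."""
    return [probe_tcp(host, port, timeout) for host, port in targets]


def find_violations(results: Iterable[ProbeResult]) -> List[ProbeResult]:
    """Any answer from an in-scope host is a segmentation failure."""
    return [r for r in results if r.outcome in ("open", "closed")]


def simulate_loopback(timeout: float = 1.0) -> List[ProbeResult]:
    """Offline demonstration on 127.0.0.1 (constructed, no real CDE involved):
    a listening socket (expected "open") and a bound-but-not-listening socket
    (expected "closed", the kernel answers with RST). "filtered" needs a real
    packet filter in the path and is not simulated here."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        bound.bind(("127.0.0.1", 0))
        targets = [("127.0.0.1", listener.getsockname()[1]),
                   ("127.0.0.1", bound.getsockname()[1])]
        return run_segmentation_test(targets, timeout)
    finally:
        listener.close()
        bound.close()


def main(argv: List[str]) -> int:
    # Usage: python segcheck.py 10.10.20.5:443 10.10.20.6:1433 ...
    # With no arguments the loopback simulation runs instead.
    if argv:
        targets = [(a.rsplit(":", 1)[0], int(a.rsplit(":", 1)[1])) for a in argv]
        results = run_segmentation_test(targets)
    else:
        results = simulate_loopback()
    for r in results:
        print(f"{r.host}:{r.port}\t{r.outcome}")
    violations = find_violations(results)
    print(f"{len(violations)} of {len(results)} probes reached an in-scope host")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A TCP connect sweep like this is only one part of a segmentation test. A complete test also covers UDP and ICMP, probes from every out-of-scope segment (not just one), and is repeated after any change to the firewall rules or VLAN design, as 11.3.4 requires. Keep the raw results and the remediation record, since 11.3 also requires that the evidence is retained.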
