PCI-DSS v3.0 Excel Cheat Sheet

Author: Martin Voelk
March 13, 2015

The new PCI-DSS v3.0 requirements will come into force in summer 2015, and we have already heard from many customers that some of them find this concerning. There is actually nothing to be worried about. It is a very structured approach, and the aim is to make things easier rather than harder.

A few very important changes have been introduced, especially around Penetration Testing and Segmentation Auditing requirements.

Here you can download a PCI-DSS v3.0 excel cheat sheet:



PCI DSS v3 Penetration Testing

Author: Martin Voelk
November 30, 2014

PCI DSS v3 now requires penetration testing; standard vulnerability assessments performed by automated tools alone are no longer sufficient.

Implement a methodology for penetration testing that includes the following:

  • Is based on industry accepted penetration testing approaches (for example NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and the results of remediation activities.

If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.