
Auditor Tips: Requirement 11: Testing Security

*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.


If your organization is required to be PCI compliant, don’t put off starting the penetration test process. Finding and engaging a good penetration testing partner can take more time than you expect.

In performing PCI assessments, it is common to see an organization’s penetration testing process, from start to finish, taking as long as everything else involved in the assessment combined. If you wait until your QSA is onsite, or until your SAQ is due, to discuss penetration test scope, methodology, and objectives, you may be unable to meet your PCI compliance deadlines. Start thinking about penetration testing months before your PCI deadlines.

Remember, the required annual penetration test can begin before your PCI assessment, but you can’t be validated as PCI compliant before the testing is finished.


PCI DSS v4.0 Considerations for Requirement 11

Like other areas of the PCI DSS, the version 4.0 update includes additions and clarifications that impact an organization’s vulnerability discovery, testing, and treatment programs.

New internal vulnerability scanning requirements now call for “authenticated” internal scanning. The scanner is given credentials so it can log in as a user with access to the systems it scans, which lets it find vulnerabilities in applications and other software that are only visible after a user has logged in.

Organizations are now required to define and document their own penetration testing methodology. A documented methodology lets you clearly communicate infrastructure details, unique attributes of systems and applications, and testing goals and requirements to the penetration testing partner you engage. This leads to more effective testing and more useful results, all in an effort to better secure your environment.

By: David Page
Security Analyst
