A white paper with important clarifications made in the PCI Council’s penetration test informational supplement.
To ensure minimal confusion with new PCI DSS penetration test requirements (Requirement 11.3), the PCI Council released a much-needed penetration test informational supplement in March 2015.
Download the whitepaper for a detailed analysis, or read on for a quick overview of the newest changes and additional guidance to PCI DSS penetration test requirements.
New PCI DSS penetration test requirements
Use industry-accepted approaches
Now, an industry-recognized methodology must be used when conducting a penetration test (e.g., NIST 800-115, OWASP Testing Guide, etc.).
Include critical systems in the penetration test
In PCI DSS 3.0, pen testers are not supposed to neglect the critical systems in a merchant’s environment. The scope of the pen test should extend beyond the cardholder data environment (CDE) to include any critical systems present in the merchant environment.
Continue external and internal penetration tests
The definition of internal and external testing didn’t change in 3.0, but the merchants required to have an external or internal test did.
Provide authentication in application-layer and network-layer penetration testing
One of the clarifications detailed in this section is that pen testers need to conduct an authenticated pen test. This means the customer must provide the pen tester with credentials to access the system, rather than asking the tester to penetrate the system blindly.
Start testing network segmentation
Segmentation checks are new penetration tests that make sure merchants have segmented their network correctly.
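The segmentation check above is, at its core, a verification that out-of-scope networks cannot reach the CDE. The script below is an added example, not code from SecurityMetrics or the PCI Council: it takes constructed connectivity results (one probe per line, recorded by whatever tool the tester used), and reports any open path from a network that is supposed to be isolated into the CDE. The address ranges, the line format and the probe results are all assumptions made up for the example.

```python
import ipaddress

# Constructed scope definition (assumed values, not from the page).
CDE_NETWORKS = [ipaddress.ip_network("10.1.1.0/24")]
OUT_OF_SCOPE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),      # constructed: corporate LAN
    ipaddress.ip_network("192.168.50.0/24"),   # constructed: guest wireless
]

# Constructed probe results in an assumed key=value line format.
SAMPLE_RESULTS = """\
src=10.20.0.5 dst=10.1.1.10 port=443 result=open
src=10.20.0.5 dst=10.1.1.10 port=22 result=filtered
src=192.168.50.7 dst=10.1.1.11 port=1433 result=open
src=10.1.2.3 dst=10.1.1.10 port=443 result=open
src=10.20.0.9 dst=10.5.5.5 port=80 result=open
this line is malformed
"""


def parse_result_line(line):
    """Parse one probe line; return None for anything that does not fit the format."""
    try:
        fields = dict(kv.split("=", 1) for kv in line.split())
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "port": int(fields["port"]),
            "result": fields["result"],
        }
    except (KeyError, ValueError):
        return None


def in_any(ip, networks):
    """True if the address belongs to any of the given networks."""
    return any(ip in net for net in networks)


def find_segmentation_violations(text):
    """Return (violations, skipped): open paths from out-of-scope segments into the CDE,
    plus the count of lines that could not be parsed and so need manual review."""
    violations, skipped = [], 0
    for line in text.splitlines():
        rec = parse_result_line(line)
        if rec is None:
            skipped += 1
            continue
        # Only an open path is a segmentation failure; filtered/closed is the desired outcome.
        if rec["result"] != "open":
            continue
        if in_any(rec["src"], OUT_OF_SCOPE_NETWORKS) and in_any(rec["dst"], CDE_NETWORKS):
            violations.append(rec)
    return violations, skipped


if __name__ == "__main__":
    found, unparsed = find_segmentation_violations(SAMPLE_RESULTS)
    for v in found:
        print(f"SEGMENTATION FAILURE: {v['src']} reached {v['dst']}:{v['port']}")
    print(f"{len(found)} violation(s), {unparsed} unparsed line(s) need manual review")
```

The fourth sample line (an in-scope source reaching the CDE) and the fifth (an out-of-scope source reaching a non-CDE host) are deliberately not flagged: the check only fails on traffic that the segmentation controls are supposed to block. Unparsed lines are counted rather than silently dropped, since a missing result is not evidence that the path is closed.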
Review of past vulnerabilities and threats
This brand new requirement explains that both merchants and pen testers are responsible for reviewing a merchant’s past vulnerabilities.
Conclusion
For more information and details on the newest requirements, I encourage you to familiarize yourself with the informational supplement recently released by the PCI Council and download our whitepaper.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI Audit experience and 25 years of Star Trek quoting skills. Live long and prosper.