PCI DSS Penetration Testing
Requirement 11.3 of the Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing to be carried out on a regular basis.
Penetration testing services for PCI DSS version 3.2 compliance
PCI DSS compliance, especially for Reports on Compliance (ROCs) and some self-assessment questionnaires (SAQs), requires internal and external vulnerability scans, and frequent penetration tests.
Penetration testing should include network-layer and application-layer testing, as well as the controls and processes around those networks and applications. It should be conducted both from outside the network, attempting to gain entry (external testing), and from inside the network (internal testing).
The importance of testing your cardholder data environment regularly
Although Requirement 11 of the PCI DSS mandates regular testing of security systems and processes, Verizon’s 2017 PCI Compliance Report shows that security testing retains its traditional place at the bottom of the list with only 71.9% of organisations achieving full compliance.
Yet payment card data is a prized commodity for cyber criminals and is usually the main target in attacks against commercial environments. Indeed, the 2017 Trustwave Global Security Report identified that more than half of the incidents investigated targeted payment card data.
How does penetration testing fit into my PCI project?
The scope of a penetration test, as defined in PCI DSS Requirement 11.3, must include the entire cardholder data environment (CDE) perimeter and any critical systems that may impact the security of the CDE, as well as the environment in scope for the PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (Local Area Network (LAN) attack surfaces).
The PCI DSS specifies that external and internal penetration testing should be performed at least annually, and after any significant infrastructure or application upgrade or modification within the target environment. Penetration testing is especially important in confirming whether your approach to segmenting your network is truly effective in isolating your CDE from other networks.
Get in contact
We have a team of account managers and security consultants to discuss your PCI DSS challenges. For more information, please contact us.