PCI DSS version 3.0 Penetration Testing Guide

It has been noted that many merchants are not properly complying with the penetration testing requirement in section 11 of the PCI DSS. In PCI DSS v3.0 the penetration testing guidelines have been updated. The changes to penetration testing in PCI DSS 3.0 are a best practice until June 30, 2015; after that date they become mandatory, and merchants can no longer follow the PCI DSS v2 penetration testing guidelines.

You might be wondering, “How does this affect me and what do I need to do to be compliant with penetration testing in PCI DSS version 3.0?”

Before going any further, first confirm that penetration testing is actually required for your business. If you are eligible to use one of the Self-Assessment Questionnaires (SAQs), check whether your SAQ document includes section 11.3. If section 11.3 is not included, penetration testing is optional for you.

Assuming that you know penetration testing is required for your business, keep in mind the refinements that PCI DSS version 3.0 makes to the penetration testing requirement. If you are looking for a penetration testing vendor for PCI compliance, ensure that any testing follows these guidelines:

  1. The penetration testing methodology must be based on an industry-accepted approach such as NIST SP 800-115.
  2. Testing must cover the entire cardholder data environment (CDE).
  3. Testing must be performed from both an external and an internal perspective (from outside the network and from inside it).
  4. Segmentation controls, i.e. the controls that isolate the CDE and thereby reduce its scope, must be tested to confirm they are effective.
  5. The assessment must include both application-layer and network-layer testing.
  6. Any exploitable vulnerabilities found must be remediated and then retested to confirm the fix.

All members of Backbone Security’s 1 Stop PCI Scan team are qualified to perform PCI DSS 3.0 penetration tests and hold advanced penetration testing certifications. Backbone Security employs Offensive Security Certified Professionals (OSCP), a credential specifically highlighted in the PCI Security Standards Council’s March 2015 penetration testing guidance.