
How PCI 3.0 changes the PCI DSS penetration testing requirement

The PCI DSS penetration testing requirement becomes more rigorous with the release of PCI 3.0. Expert Mike Chapple details the change.

I saw that the PCI DSS 3.0 preview made penetration testing a requirement for everyone, including SMBs. Could you detail what exactly is required out of PCI DSS penetration tests to achieve compliance? What do you think would be the cheapest method for SMBs to meet this requirement?


You are correct. The Payment Card Industry Data Security Standard (PCI DSS) does indeed require that all merchants conduct penetration testing to ensure the security of their environments. While pen tests aren't actually a new requirement in PCI DSS 3.0, the recently released draft revision includes language that applies a new degree of rigor to penetration testing. Here are some of the key changes to the PCI DSS penetration testing requirement:

  • Penetration tests must be based upon an industry-accepted model, such as the NIST SP 800-115 framework.
  • Testing must cover the entire cardholder data environment, including the effectiveness of any controls designed to reduce the environment's scope.
  • It must cover both application-layer and network-layer threats.

Penetration testing must be done from both an internal and external perspective on an annual basis and after any significant change in the infrastructure or applications. Additionally, any exploitable vulnerabilities discovered during the test must be addressed and retested.

There is one piece of good news: Unlike most of the PCI DSS 3.0 changes that go into effect at the beginning of 2014, organizations have until July 15, 2015, to comply with the new provisions of section 11.3 covering penetration testing. Until that date, they may continue to follow existing procedures that comply with PCI DSS 2.0.

This was last published in November 2013


1 comment


I think that penetration testing should not be the single line of defense or the only point at which you look for problems. The goal of penetration testing is to find anything that was missed during the design review or code review.
Indeed, vulnerabilities should be minimized and only a few critical ones should surface in penetration testing. Vulnerabilities, after all, are architecture, design or coding mistakes that ideally should be prevented or caught well before verification.
Here is a great blog article related to how to reduce application security risk and how to build more secure software - http://blog.securityinnovation.com/blog/2012/05/want-to-reduce-application-security-risk-build-more-secure-software.html