A whitepaper containing important clarifications made in the PCI Council’s penetration test informational supplement.

Gary Glover, Director Security Assessment, SecurityMetrics
UPDATE: Read about PCI 3.2's new requirements for penetration testing!

To ensure minimal confusion with new PCI DSS penetration test requirements (Requirement 11.3), the PCI Council released a much-needed penetration test informational supplement in March 2015.


Download the whitepaper for a detailed analysis, or read on for a quick overview of the newest changes and additional guidance to PCI DSS penetration test requirements.


Use industry-accepted approaches

An industry-recognized methodology must now be used when conducting a penetration test (e.g., NIST SP 800-115, the OWASP Testing Guide, etc.).

Include critical systems in the penetration test

In PCI 3.0, pen testers are not supposed to neglect the critical systems in a merchant’s environment. The pen test scope should extend beyond the cardholder data environment and include any critical systems present in the merchant environment.

Continue external and internal penetration tests

The definition of internal and external testing didn’t change in 3.0, but the merchants required to have an external or internal test did.


Provide authentication in application-layer and network-layer penetration testing

One of the clarifications detailed in this section is that pen testers need to conduct an authenticated pen test. This means the customer must provide the pen tester with credentials to access the system, instead of asking the tester to attempt to penetrate the system blindly.

Start testing network segmentation

Segmentation checks are new penetration tests that verify merchants have segmented their network correctly, i.e., that systems outside the cardholder data environment cannot reach systems inside it except where the merchant’s policy explicitly allows.
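One way to structure such a check, as an added example that is not from the PCI Council supplement or SecurityMetrics: run plain TCP connect attempts from an out-of-scope segment toward CDE hosts, then compare what was reachable against the merchant’s documented allow-list. The segment names, IP addresses and the allow-list are constructed for illustration; the sample probe results are hard-coded so the report logic can be run offline.

```python
"""Segmentation-check helper: verify that out-of-scope network segments cannot
reach services inside the cardholder data environment (CDE).

Added example for this article; the segment names, IP addresses and the
allow-list below are constructed, not taken from any real environment.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """Result of one connectivity attempt from an out-of-scope segment."""
    src_segment: str   # name of the segment the probe was launched from
    dst_host: str      # CDE host that was targeted
    dst_port: int      # TCP port on that host
    reachable: bool    # True if a TCP connection was accepted


# Hypothetical allow-list: the only (segment, host, port) paths the merchant's
# firewall policy is supposed to permit. Anything else that reaches the CDE is
# a segmentation failure to report.
ALLOWED_PATHS = {
    ("corporate-lan", "10.10.1.5", 443),
}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect; True if the host accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(src_segment: str, targets) -> list:
    """Run live probes from the current host against (host, port) targets."""
    return [Probe(src_segment, h, p, tcp_reachable(h, p)) for h, p in targets]


def find_violations(probes, allowed=ALLOWED_PATHS) -> list:
    """Probes that reached a CDE service without a matching allow-list entry."""
    return [
        p for p in probes
        if p.reachable and (p.src_segment, p.dst_host, p.dst_port) not in allowed
    ]


def segmentation_report(probes, allowed=ALLOWED_PATHS) -> dict:
    """Summarise a probe run for the pen test report."""
    violations = find_violations(probes, allowed)
    return {
        "probes": len(probes),
        "violations": [f"{p.src_segment} -> {p.dst_host}:{p.dst_port}"
                       for p in violations],
        "passed": not violations,
    }


# Constructed results of a probe run, shaped as run_probes() would return them.
SAMPLE_PROBES = [
    Probe("corporate-lan", "10.10.1.5", 443, True),    # permitted by policy
    Probe("corporate-lan", "10.10.1.5", 22, True),     # SSH into the CDE: violation
    Probe("corporate-lan", "10.10.1.7", 1433, False),  # blocked, as expected
    Probe("guest-wifi", "10.10.1.5", 443, True),       # guest Wi-Fi reaching CDE: violation
]

if __name__ == "__main__":
    report = segmentation_report(SAMPLE_PROBES)
    status = "PASS" if report["passed"] else "FAIL"
    print(f"segmentation check: {status} ({len(report['violations'])} violation(s))")
    for path in report["violations"]:
        print("  unexpected path:", path)
```

The point of keeping the allow-list explicit is that a segmentation check is judged against what the merchant documented, not against what happens to be open: a reachable service that the policy permits is fine, while any other reachable path is a finding regardless of the service behind it.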

Review of past vulnerabilities and threats

This brand-new requirement makes both merchants and pen testers responsible for reviewing a merchant’s past vulnerabilities and threats.


For more information and details on the newest requirements, I encourage you to familiarize yourself with the informational supplement recently released by the PCI Council and download our whitepaper.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.
