A whitepaper containing important clarifications made in the PCI Council’s penetration test informational supplement.
By: Gary Glover
To ensure minimal confusion with new PCI DSS penetration test requirements (Requirement 11.3), the PCI Council released a much-needed penetration test informational supplement in March 2015.
Download the whitepaper for a detailed analysis, or read on for a quick overview of the newest changes and additional guidance to PCI DSS penetration test requirements.
Use industry-accepted approaches
Now, an industry-recognized methodology must be used when conducting a penetration test (e.g., NIST 800-115 or the OWASP Testing Guide).
Include critical systems in the penetration test
In PCI 3.0, pen testers are not supposed to neglect the critical systems in a merchant's environment. The pen test scope should extend beyond the cardholder data environment to include any critical systems present in the merchant environment.
Continue external and internal penetration tests
The definitions of internal and external testing didn't change in 3.0, but which merchants are required to have an external or internal test did.
Start testing network segmentation
Segmentation checks are new penetration tests that make sure merchants have segmented their network correctly.
Review of past vulnerabilities and threats
This brand-new requirement explains that both merchants and pen testers are responsible for reviewing a merchant's past vulnerabilities.
Conclusion
For more information and details on the newest requirements, I encourage you to familiarize yourself with the informational supplement recently released by the PCI Council and download our whitepaper.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.