Learn why you should include scans and pen tests in your info security program. 

By: Michael Simpson
Security Analyst
QSA, CISSP, CCNP

Whether you’re aware of it or not, your network likely has vulnerabilities hackers could exploit.

Defects in web servers, web browsers, email clients, POS software, operating systems, and server interfaces can allow attackers to gain access to an environment. Installing security updates and patches for systems in the cardholder or sensitive data environments can help correct many of the newly found defects and vulnerabilities before attackers have the opportunity to leverage them.

But in order to patch these vulnerabilities, you need to find them first. For that you need to implement vulnerability scanning and penetration testing.

The basics of vulnerability scanning

A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. All external IPs and domains exposed in the CDE are required to be scanned by a PCI Approved Scanning Vendor (ASV) at least quarterly.

PCI DSS requires two independent methods of PCI scanning: internal and external scanning. An external vulnerability scan is performed outside of your network, and it identifies known weaknesses in network structures. An internal vulnerability scan is performed within your network, behind the firewall and other perimeter security devices in place, to search for vulnerabilities on internal hosts that could be exploited in a pivot attack.

Typically, these vulnerability scans generate an extensive report of the vulnerabilities found and provide references for further research on each one. Some even offer directions to fix the problem.

Remember, regular scanning is just the first step. Act quickly on any vulnerabilities discovered to ensure security holes are plugged, and then re-scan to validate that the vulnerabilities have been successfully addressed. Often, the organizations with the best process have the best security.
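To make the scan, remediate, re-scan loop concrete, here is an added example (not code from the article or from SecurityMetrics) that reconciles a baseline scan with its validation re-scan and reports what was resolved, what persists and what is new. The host names, check ids and the sign-off policy (any remaining High or Medium finding blocks validation) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # scanner check identifier (constructed placeholder values)
    severity: str   # "High", "Medium" or "Low"
    title: str

    def key(self) -> Tuple[str, int, str]:
        # Same host, port and check in both scans means the same finding.
        return (self.host, self.port, self.check_id)


def reconcile(baseline: List[Finding], rescan: List[Finding]):
    """Split findings into resolved, persisting and new between two scans."""
    before = {f.key() for f in baseline}
    after = {f.key() for f in rescan}
    resolved = [f for f in baseline if f.key() not in after]
    persisting = [f for f in rescan if f.key() in before]
    new = [f for f in rescan if f.key() not in before]
    return resolved, persisting, new


def rescan_blockers(findings: List[Finding], severities=("High", "Medium")):
    """Findings that block sign-off (assumed policy: High/Medium still open)."""
    return [f for f in findings if f.severity in severities]


# Constructed sample data: a quarterly baseline and the validation re-scan.
BASELINE = [
    Finding("web01.example.test", 443, "CHK-1001", "High", "Outdated TLS library"),
    Finding("web01.example.test", 80, "CHK-1002", "Medium", "Server header discloses version"),
    Finding("pos02.example.test", 3389, "CHK-1003", "High", "RDP exposed to the internet"),
    Finding("mail01.example.test", 25, "CHK-1004", "Low", "SMTP banner disclosure"),
]
RESCAN = [
    Finding("web01.example.test", 80, "CHK-1002", "Medium", "Server header discloses version"),
    Finding("mail01.example.test", 25, "CHK-1004", "Low", "SMTP banner disclosure"),
    # Introduced by a change made between the two scans.
    Finding("web01.example.test", 8443, "CHK-1005", "High", "New admin interface without auth"),
]


def summarize(baseline=BASELINE, rescan=RESCAN) -> dict:
    resolved, persisting, new = reconcile(baseline, rescan)
    return {"resolved": len(resolved), "persisting": len(persisting), "new": len(new),
            "blockers": [f.title for f in rescan_blockers(persisting + new)]}


if __name__ == "__main__":
    print(summarize())
```

The "new" bucket is the one to watch after a change to the environment: a re-scan that clears the old findings can still fail validation because the change introduced something else.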

SEE ALSO: Vulnerability Scans 101: What, Why and How to Comply

The basics of penetration testing

Just like a hacker, penetration testers analyze network environments, identify potential vulnerabilities, and try to exploit those vulnerabilities (or coding errors). In simple terms, analysts attempt to break into your company’s network to find security holes.

PCI DSS Requirement 11.3 (applicable to SAQ C and SAQ D) requires internal and external penetration testing of both the network and application layers of the CDE. But penetration testing isn’t limited to the PCI DSS. Any company that would like an unbiased look at its information security posture should consider having a penetration test performed.

The time it takes to conduct a penetration test varies based on network size, network complexity, and the number of penetration test staff members assigned. A small environment can be completed in a few days, but a large environment can take several weeks.

Typically, penetration test reports contain a long, detailed description of attacks used, testing methodologies, and suggestions for remediation.

SEE ALSO: How Much Does a Pentest Cost?

Defining a significant change

In addition to annual penetration tests and quarterly vulnerability scans, you’ll want to perform these vulnerability assessments whenever significant infrastructure or application changes occur to determine if the changes made introduced any new vulnerabilities in the environment.

PCI DSS Requirement 11.3 requires that penetration testing be performed after any ‘significant change’ to the CDE. Due to the cost and time required to perform a penetration test, organizations often claim no significant changes have been made to their PCI environment.

How do you know when a change to the CDE is considered significant? What might be considered a major change for a smaller organization may be only a minor change in a large environment. While this should be an internal, risk-based decision, here are some examples of changes that would be considered significant:
  1. An OS upgrade for a CDE system
  2. Replacing a firewall or other critical security device
  3. Adding a new payment acceptance process
  4. Moving portions or all of the environment to a cloud-hosted environment

The process your organization follows to determine whether a change to the CDE is significant should be documented in internal policy and procedure documents.

Penetration testing can be performed internally if an organization has staff who are qualified to perform penetration tests and who are also independent from the systems being tested. Someone who is actively involved in the management and configuration of systems in the CDE shouldn’t also perform the penetration test, as they would not be considered independent. If a company lacks either the skills necessary to perform a test or the organizational independence, tests should be performed by a third-party penetration tester.

SEE ALSO: Different Types of Penetration Tests for Your Business Needs

Difference between penetration tests and vulnerability scans

As a review, vulnerability scanning, whether internal or external, is not the same as penetration testing.

Here are two big differences:
  1. A vulnerability scan is automated, while a penetration test includes a live person actually digging into the complexities of your network.

  2. A vulnerability scan only identifies potential vulnerabilities. During a penetration test the tester will verify the exploitability of the vulnerability and look to identify the root cause of the vulnerability that allows access to secure systems or stored sensitive data.

Vulnerability scans and penetration tests work together to encourage optimal network security. Vulnerability scans provide great weekly, monthly, or quarterly insight into your network security, while penetration tests are a more thorough assessment of your overall information security posture.

Need help with finding vulnerabilities? Talk to us about vulnerability scanning and penetration testing!

Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.