A whitepaper containing important clarifications made in the PCI Council's penetration test informational supplement.

By: Gary Glover

To ensure minimal confusion with the new PCI DSS penetration test requirements (Requirement 11.3), the PCI Council released a much-needed penetration test informational supplement in March 2015.

Download the whitepaper for a detailed analysis, or read on for a quick overview of the newest changes and the additional guidance on PCI DSS penetration test requirements.

Use industry-accepted approaches

An industry-recognized methodology must now be used when conducting a penetration test (e.g., NIST 800-115, the OWASP Testing Guide).

Include critical systems in the penetration test

In PCI DSS 3.0, penetration testers must not neglect the critical systems in a merchant's environment. The scope of the penetration test should extend beyond the cardholder data environment to include any critical systems present in the merchant's environment.

Continue external and internal penetration tests

The definitions of internal and external testing didn't change in 3.0, but which merchants are required to have an external or internal test did.

Provide authentication in application-layer and network-layer penetration testing

One of the clarifications detailed in this section is that penetration testers need to conduct an authenticated penetration test: the customer must provide the tester with credentials to access the system, rather than asking the tester to penetrate the system blindly.

Start testing network segmentation

Segmentation checks are new penetration tests that verify merchants have segmented their network correctly.

Review of past vulnerabilities and threats

This brand-new requirement explains that both merchants and penetration testers are responsible for reviewing a merchant's past vulnerabilities.

Conclusion

For more information and details on the newest requirements, I encourage you to familiarize yourself with the informational supplement recently released by the PCI Council and to download our whitepaper.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics, with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.