PCI DSS Penetration Testing Requirements Detailed Explanation

PCI DSS Requirement 11, informally known as the "pentest requirement" (its formal title is "Regularly test security systems and processes"), obliges any entity that stores, processes, or transmits cardholder data to perform a PCI penetration test at least annually. It also requires a penetration test after any significant change to network infrastructure or applications. What counts as "significant" is determined by the entity's own risk assessment process and the specifics of its IT environment. Testing after such changes confirms that the controls assumed to be in place still work after the upgrade or modification.

PCI Penetration Testing Is Mandatory and Must Follow a Defined Methodology

Penetration testing has been part of PCI DSS since its earliest versions, but PCI DSS v3.0 turned it from a loosely specified control into a detailed one: Requirement 11.3 now demands a documented, industry-accepted methodology. That updated requirement was only a "best practice" until 30 June 2015, after which it became mandatory, and PCI DSS v3.1 (released April 2015) carries it forward unchanged. In practice this means an ad hoc, unscoped penetration test of the cardholder data environment no longer satisfies the standard; the test must cover the elements listed under 11.3 below.

Compliance reports have found Requirement 11 (Regularly test security systems and processes) to be the requirement organizations most often fail, even though many security professionals consider it one of the more straightforward provisions of the standard.

The two activities most closely associated with Requirement 11 are:

  1. Penetration Testing (11.3)
  2. Vulnerability Scanning, internal and external (11.2)

Conducting a penetration test lets you discover vulnerabilities in your IT infrastructure and correct them before an attacker exploits them. Penetration testing is one of the oldest and most trusted methods for assessing security risk. A PCI penetration test simulates a real-world attack using the tools and techniques actual attackers employ, and produces concrete examples of how an attacker could reach and compromise cardholder data. A PCI DSS penetration test involves technical testing of your internal information resources and of the externally accessible networks, firewalls, IDS, routers, switches, servers, and services that make up or connect to your cardholder data environment (CDE). Note that a vulnerability scan (11.2) and a penetration test (11.3) are distinct controls: a scan is a largely automated search for known weaknesses, whereas a penetration test actively attempts to exploit weaknesses and chain them together; one does not substitute for the other.

Requirement 11 in brief (as defined by the PCI Security Standards Council)

The sub-requirements below are those published by the PCI Security Standards Council and are mandatory. This is an important requirement because it is the one that tests whether the other controls actually work. The numbering and wording are those of PCI DSS v3.x; PCI DSS v4.0 reorganised Requirement 11 (penetration testing is now 11.4 and vulnerability scanning 11.3) but kept the same substantive obligations.
11.1 Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points quarterly.
11.1.1 Maintain an inventory of authorized wireless access points including a documented business justification.
11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
11.2.1 Perform quarterly internal vulnerability scans and rescans as needed until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed until passing scans are achieved.
11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
11.3 Implement a methodology for penetration testing that includes the following:

  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.

11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
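The segmentation test in 11.3.4 is the one most often done badly: it is not a scan of the CDE, it is a scan of the CDE run from each out-of-scope network, and any service that answers is a failure. The following script is an added example (not from the original page or from the PCI SSC): it reads nmap grepable (-oG) output from such a scan and triages it. The CDE ranges, the file name and the scan data embedded in SAMPLE_GNMAP are constructed for illustration and are not real results.

```python
"""Triage of a PCI DSS 11.3.4 segmentation test.

The scan itself is run FROM an out-of-scope host against the CDE
address space, for example:
    nmap -sS -sU -p- -Pn -oG seg-test.gnmap 10.10.20.0/24
This script reads the grepable (-oG) output and reports every CDE host
that answered, because any service reachable from an out-of-scope
network means the segmentation control has failed.
"""
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Address ranges the entity has declared as the CDE (assumed example values).
CDE_NETWORKS = [
    ipaddress.ip_network("10.10.20.0/24"),
    ipaddress.ip_network("10.10.21.0/24"),
]

# Constructed sample of nmap -oG output; not data from a real scan.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated Mon Jan  8 09:00:00 2024 as: "
    "nmap -sS -sU -p- -Pn -oG seg-test.gnmap 10.10.20.0/24\n"
    "Host: 10.10.20.5 ()\tStatus: Up\n"
    "Host: 10.10.20.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///"
    "\tIgnored State: filtered (131068)\n"
    "Host: 10.10.20.9 ()\tStatus: Up\n"
    "Host: 10.10.20.9 ()\tPorts: 1433/filtered/tcp//ms-sql-s///"
    "\tIgnored State: filtered (131069)\n"
    "Host: 10.10.20.17 ()\tStatus: Up\n"
    "Host: 10.10.20.17 ()\tPorts: 161/open|filtered/udp//snmp///"
    "\tIgnored State: filtered (131069)\n"
    "# Nmap done at Mon Jan  8 11:12:13 2024 -- 256 IP addresses (3 hosts up) scanned\n"
)

PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")
Finding = Tuple[str, int, str, str]  # host, port, proto, state


def parse_gnmap(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return {host: [(port, state, proto), ...]} from nmap -oG text."""
    results: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        results.setdefault(host, [])
        m = re.search(r"\tPorts: ([^\t]*)", line)
        if m:
            for port, state, proto in PORT_RE.findall(m.group(1)):
                results[host].append((int(port), state, proto))
    return results


def in_cde(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in CDE_NETWORKS)


def segmentation_findings(text: str) -> List[Finding]:
    """All services reachable on CDE hosts.

    TCP 'open' is a definite failure. UDP 'open|filtered' (no reply at
    all) is reported too, because nmap cannot tell a silent UDP service
    from a dropped probe; those need manual confirmation, not dismissal.
    """
    findings: List[Finding] = []
    for host, ports in parse_gnmap(text).items():
        if not in_cde(host):
            continue
        for port, state, proto in ports:
            if state == "open" or (proto == "udp" and state == "open|filtered"):
                findings.append((host, port, proto, state))
    return sorted(findings)


def segmentation_passes(text: str) -> bool:
    """True only if no CDE host exposes a definitely open port."""
    return not any(state == "open" for _, _, _, state in segmentation_findings(text))


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host, port, proto, state in segmentation_findings(data):
        print(f"REACHABLE {host} {port}/{proto} {state}")
    print("segmentation", "PASS" if segmentation_passes(data) else "FAIL")
```

Run it once per out-of-scope segment (`python seg_triage.py seg-test.gnmap`), because segmentation that holds from the office LAN may not hold from the guest Wi-Fi or a vendor VPN. In the sample, SSH and HTTPS on 10.10.20.5 make the test a fail outright, and the SNMP result on 10.10.20.17 is flagged for manual confirmation rather than silently ignored.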
11.4 Use intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion detection and prevention engines, baselines, and signatures up to date.
11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
11.5.1 Implement a process to respond to any alerts generated by the change-detection solution.
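Requirement 11.5 names three events a change-detection mechanism must catch: modification, addition and deletion of critical files. The script below is an added illustration of that comparison logic (it is not from the original page, and it is not a substitute for a maintained FIM product such as AIDE or OSSEC). The file names, contents and the tampering in demo() are constructed for the example; the baseline and store paths are assumptions.

```python
"""Change-detection (file-integrity monitoring) for PCI DSS 11.5 / 11.5.1.

Builds a SHA-256 baseline of a set of critical files, then compares a
later run against it and reports modifications, additions and
deletions, the three cases 11.5 names. demo() fabricates a throwaway
directory tree to show all three; nothing here touches real system files.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    # The baseline must live somewhere the monitored host cannot rewrite
    # (read-only media, a separate log host); otherwise an intruder who
    # modifies a file can simply re-baseline it and silence the alert.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences into the three categories 11.5 requires alerts for."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "deleted": sorted(p for p in old if p not in new),
    }


def _write(root: str, rel: str, content: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        # Constructed "critical files"; contents are placeholders.
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "usr/bin/ls", "#!/bin/sh\nexec /bin/ls-real \"$@\"\n")
        baseline_path = os.path.join(store, "fim-baseline.json")  # assumed location
        save_baseline(build_baseline(root), baseline_path)

        # Simulated unauthorized activity on the monitored host:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")    # modification
        _write(root, "etc/cron.d/persist", "* * * * * root /tmp/.x\n")  # addition
        os.remove(os.path.join(root, "etc", "hosts"))                    # deletion

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        for p in paths:
            print(f"ALERT {category}: {p}")
```

To meet the "at least weekly" clause the comparison would be scheduled (a cron entry running the compare step against the stored baseline), and 11.5.1 then requires that each ALERT line feed a defined response process rather than a mailbox nobody reads. Hashing content alone also misses ownership and permission changes, which a real FIM tool records as well.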
11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.