To minimize confusion over the new PCI DSS penetration test requirements (Requirement 11.3), the PCI Council released a much-needed penetration testing informational supplement in March 2015.
Download the whitepaper for a detailed analysis, or read on for a quick overview of the newest changes and additional guidance to PCI DSS penetration test requirements.
Now, an industry-recognized methodology must be used when conducting a penetration test (e.g., NIST 800-115, OWASP Testing Guide, etc.).
In PCI 3.0, pen testers must not neglect the critical systems in a merchant’s environment. The scope of the pen test should extend beyond the cardholder data environment and include any critical systems present in the merchant environment.
The definitions of internal and external testing didn’t change in 3.0, but which merchants are required to have an external or internal test did.
One of the clarifications detailed in this section is that pen testers need to conduct an authenticated pen test. This means the merchant must provide the pen tester with credentials to access the system, rather than asking the tester to attempt to penetrate the system blindly.
Segmentation checks are new penetration tests that verify a merchant has segmented its network correctly, so that out-of-scope networks cannot reach the cardholder data environment.
This brand-new requirement states that both the merchant and the pen tester are responsible for reviewing the merchant’s past vulnerabilities.
For more information and details on the newest requirements, I encourage you to familiarize yourself with the informational supplement recently released by the PCI Council and download our white paper.