PCI DSS Requirement 11.3 specifies that every organization that stores, processes or transmits cardholder information must include penetration tests in its information security program. These tests are separate and distinct from the vulnerability scans required by Requirement 11.2.
Back in 2008, the PCI DSS Security Standards Council released clarifications to the penetration testing requirements that directly answered some of the most common questions about penetration testing. The release of PCI DSS 2.0 added further information on these tests. Below, we address some of the most commonly asked questions about PCI DSS penetration tests.
What must PCI DSS penetration tests include?
The standard requires that penetration tests include two elements: network layer penetration tests and application layer penetration tests. While the composition of the network layer tests is left to the discretion of the tester, the standard specifies that the following elements must be included in the application layer tests: