Penetration Testing

PCI DSS Requirement 11.3 specifies that all organizations that store, process or transmit cardholder information must include penetration tests as part of their information security program. These tests are separate and distinct from the vulnerability scans required by section 11.2.

Back in 2008, the PCI DSS Security Standards Council released clarifications to the penetration testing requirements that directly answered some of the most common penetration testing questions. In addition, the release of PCI DSS 2.0 included additional information on these tests. Below, we attempt to address some of the most commonly asked questions about PCI DSS penetration tests.

What must PCI DSS penetration tests include?

The standard requires that penetration tests include two elements: network layer penetration tests and application layer penetration tests. While the composition of the network layer tests is left to the discretion of the tester, the standard specifies that the following elements must be included in the application layer tests:

  • Injection flaws (SQL injection, OS command injection, LDAP injection, XPath injection)
  • Buffer overflow vulnerabilities
  • Insecure use of cryptographic storage
  • Unencrypted or improperly encrypted sensitive communications
  • Information leakage via error messages
  • Cross-site scripting (XSS)
  • Insecure direct object references
  • Failure to restrict URL access
  • Directory traversal vulnerabilities
  • Cross-site request forgery (XSRF, CSRF)
  • Other vulnerabilities identified as high risk during your risk assessment

How often are PCI DSS penetration tests required?

The standard requires that you perform both internal and external penetration tests at least once a year. These annual tests must be supplemented with additional tests any time you make significant changes to your cardholder data environment. The PCI DSS definition of a significant change includes the addition of a server, upgrades of applications and/or operating systems, and changes in network structure.

Can we perform penetration tests ourselves?

Yes. While you can certainly use a QSA or ASV for your penetration test, this is not a requirement. You may use a “qualified internal resource” provided that he or she has organizational independence from those responsible for securing your cardholder data environment.

How must we document our penetration tests?

PCI DSS does not contain any explicit documentation requirements. However, you should clearly document the methodology and results of your tests as evidence that they took place in the event you are audited. Your documentation should include the date and structure of the tests, the identity and credentials of anyone involved in performing the tests, the results of the tests, and any action taken to remediate vulnerabilities identified during the tests.

What will the QSA be looking for when auditing my penetration tests?

PCI DSS instructs QSAs to look for the following items when auditing penetration tests:

  • Evidence that penetration tests take place on an annual basis and after any changes to the cardholder data environment
  • Evidence that “exploitable vulnerabilities” were addressed and the penetration test was repeated after the vulnerabilities were corrected
  • Evidence that the tests were performed by qualified individuals who are organizationally independent from those responsible for securing the environment
  • Evidence that the tests included network layer testing of both network components and operating systems
  • Evidence that the tests included application layer testing as described above

My question isn’t answered here. What should I do?

Ask us in the comments section below! We’ll try to find you an answer. Remember, however, that your merchant bank is the ultimate arbiter of PCI DSS compliance questions and we can only provide you with best practice advice based upon our experiences with our clients.