Understanding PCI DSS Pen Testing Requirements – Five FAQs

Penetration testing serves as a vital tool in gauging the effectiveness of your security position, bringing to light vulnerabilities in your organization’s network that may otherwise be exploited by malicious actors if not resolved. The ability to identify threats is essential, as the audacity of cyberattacks has progressed at a staggering rate. In response to this elevated attack frequency, the Payment Card Industry Security Standards Council has continuously updated guidelines that provide expert insight on fortifying one’s defenses against Payment Card Industry (PCI) related security threats.

The most recent iteration was PCI DSS 4.0, released on March 31, 2022, which includes a refreshed suite of penetration test best practices generated to help organizations foster robust PCI security within their networks. Following the introduction of PCI DSS 4.0, the Payment Card Industry Security Standards Council announced that the previous set of PCI guidelines (PCI DSS v3.2.1) would be officially retired as of March 31, 2024.

That said, organizations that have not incorporated PCI DSS 4.0 best practices into their pentest framework should start immediately, as several compliance requirements have been given an effective date of March 31, 2025.

To help optimize your journey to PCI DSS 4.0 compliance, here are the answers to five frequently asked penetration test questions so your organization can efficiently and effectively satisfy its requirements:

#1 – Who Should Perform My Pentest?

Pen testing is a PCI DSS 4.0 requirement that helps organizations safeguard sensitive data. Given its importance, testing should be performed either by an internal team member with the expertise needed to conduct a penetration test or by engaging a trusted external third-party cybersecurity services provider. That said, choosing a third-party provider for penetration testing offers several advantages, including:

  • It provides an objective and unbiased perspective for identifying vulnerabilities that internal biases might overlook.
  • External professionals bring experience and advanced tools that keep the sophistication of your pen testing in pace with evolving cyber threats, providing your organization with industry-relevant security and peace of mind.
  • Outsourcing penetration testing can free up internal IT resources, empowering your team with the time to focus on core tasks, thereby boosting overall productivity.

In short, outsourcing penetration testing provides a proficient and impartial service that aligns your security measures with industry standards, empowering internal IT resources to focus on holistically boosting your productivity.

#2 – What’s The Correct Scope for My Pentest?

Under PCI DSS 4.0 compliance requirements, both internal penetration testing (identifying vulnerabilities that could be exploited by actors with initial access to your network) and external penetration testing (identifying weaknesses in internet-facing assets such as email, websites, and FTP servers) of the Cardholder Data Environment (CDE) are mandated. Additionally, organizations must conduct comprehensive full-stack penetration testing, encompassing the network and application layers, with appropriate scoping. Every digital component linked to the CDE, such as networks, cloud infrastructures, hybrid environments, and applications like APIs and web applications, must also be incorporated into the penetration testing scope to ensure readiness for PCI DSS 4.0 compliance.

#3 – How Long Should I Retain My Pentest Results?

The compliance standards of PCI DSS 4.0 emphasize the importance of keeping penetration testing results and remediation activities for at least 12 months. This retention period ensures accountability and enables organizations to track their progress in addressing identified vulnerabilities over time.

#4 – How Frequently Should I Perform a Penetration Test?

Penetration tests must be performed annually for organizations with segmented and non-segmented data environments. In addition, any time your infrastructure or application layer is significantly upgraded or modified, another test must be performed. Penetration test frequency differs for service providers utilizing segmented data environments: they must conduct a penetration test at least once every six months and after any changes are made to segmentation controls or methods.

#5 – Do Multi-Tenant Service Providers Have Any Specific Requirements?

Multi-tenant service providers (also referred to as shared service providers) are required to support their clients’ need for technical testing, as outlined in requirements 11.4.3 and 11.4.4. This requirement applies exclusively to multi-tenant service providers and offers two compliance options. They can present evidence to their clients demonstrating that penetration testing aligned with requirements 11.4.3 and 11.4.4 was performed on the subscribed infrastructure, or they can grant prompt access to each customer, enabling the customer to conduct their own penetration testing.

Any evidence provided to clients may consist of redacted penetration testing results, but it must include sufficient information to prove that all elements of requirements 11.4.3 and 11.4.4 have been met on the customer’s behalf. This obligation, outlined in Appendix A1 of the PCI DSS Requirements for Multi-Tenant Service Providers, is considered a best practice until March 31, 2025, after which it becomes a required element of PCI DSS assessments.

The Bottom Line

With the rampant and sophisticated nature of cyberattacks today, the importance of robust security measures cannot be overstated. Best practices such as those included in PCI DSS 4.0 should be considered essential to safeguard your PCI data and ensure the integrity of your sensitive data. Drummond can help you incorporate these best practices into your PCI security framework, as we offer robust application- and network-level penetration testing services covering SQL Injection, Input Validation Bypass, and Session Hijacking, with results verified manually by our top PCI security experts. By partnering with Drummond, your organization can take an optimized route to PCI DSS 4.0 compliance, enhancing your security posture and demonstrating PCI compliance excellence to your stakeholders and customers.