PCI Requires Pen Testing

    • #2543
      Don Donzal

      This is great news for all of us in the field. It basically means that many companies are being forced by law to use ethical hackers. Yeah!!

      I can’t stress enough how vastly important it is that everyone read this thoroughly and understand it. I’m pretty confident that other industries will follow suit.

      Release date: 2008-04-15
      Standard: Data Security Standard (DSS)
      Requirement: 11.3
      Date: March 2008

      Information Supplement: Requirement 11.3 Penetration Testing


      PCI DSS Requirement 11.3 addresses penetration testing, which is different than the external and internal vulnerability assessments required by PCI DSS Requirement 11.2. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network.

      Who performs penetration testing

      The PCI DSS does not require that a QSA or ASV perform the penetration test—it may be performed by either a qualified internal resource or a qualified third party. If internal resources are being used to perform penetration tests, those resources must be experienced penetration testers. The individuals performing penetration testing should be organizationally separate from the management of the environment being tested. For example, the firewall administrator should not perform the firewall-penetration testing.

      Reporting and documentation

      It is recommended that both the penetration test methodologies and results are documented. PCI SSC has no reporting requirements for penetration tests, however the results should be retained to follow up on the identified issues and as evidence to be reviewed by those performing the PCI DSS assessment.


      The scope of penetration testing is the cardholder data environment and all systems and networks connected to it. If network segmentation is in place such that the cardholder data environment is isolated from other systems, and such segmentation has been verified as part of the PCI DSS assessment, the scope of the penetration test can be limited to the cardholder data environment.

      Frequency

      Penetration testing should be performed at least annually and anytime there is a significant infrastructure or application upgrade or modification (for example, new system component installations, addition of a sub-network, or addition of a web server). What is deemed “significant” is highly dependent on the configuration of a given environment, and as such cannot be defined by PCI SSC. If the upgrade or modification could impact or allow access to cardholder data, then it should be considered significant. Significance within a highly segmented network where cardholder data is clearly isolated from other data and functions is very different than significance in a flat network where every person and device can potentially access cardholder data. As a security best practice, all upgrades and modifications should be penetration-tested to ensure that controls assumed to be in place are still working effectively after the upgrade or modification.


      There are several methodologies that can be used for penetration testing. The first decision that needs to be made is how much knowledge the tester has of the system being tested. Having no prior knowledge is known as “black box testing,” where the tester must first identify the location of the systems before attempting any exploits. Having explicit knowledge is known as “white box testing.” If it is determined that it would be beneficial for the tester to have prior knowledge, there are several items required by other PCI DSS requirements that generate information that can be used. Those PCI DSS items include:

      • A network diagram (1.1.2)
      • Results from a QSA review or Self-Assessment Questionnaire (SAQ)
      • Annual testing of controls to identify vulnerabilities and stop unauthorized access (11.1)
      • Results from quarterly external and internal vulnerability scans (11.2)
      • Results from the last penetration test (11.3)
      • Annual identification of threats and vulnerabilities resulting in a risk assessment (12.1.2)
      • Annual review of security policies (policies that need to be updated may identify new risks in an organization) (12.1.3)

      Documentation from all of the above should be evaluated, and threats and vulnerabilities found as part of the normal assessment processes should be considered for inclusion.


      Once the threats and vulnerabilities have been evaluated, design the testing to address the risks identified throughout the environment. The penetration test should be appropriate for the complexity and size of an organization. All locations of cardholder data, all key applications that store, process, or transmit cardholder data, all key network connections, and all key access points should be included. The penetration tests should attempt to exploit vulnerabilities and weaknesses throughout the cardholder data environment, attempting to penetrate both at the network level and key applications. The goal of penetration testing is to determine if unauthorized access to key systems and files can be achieved. If access is achieved, the vulnerability should be corrected and the penetration test re-performed until the test is clean and no longer allows unauthorized access or other malicious activity.


      Consider including all of these penetration-testing techniques (as well as others) in the methodology, such as social engineering and the exploitation of exposed vulnerabilities, access controls on key systems and files, web-facing applications, custom applications, and wireless connections.

      Important Considerations

      • With respect to PCI compliance, testing of vulnerabilities or mis-configurations that may lead to DoS attacks which target resource (network/server) availability should not be taken into consideration by the penetration testing since these vulnerabilities would not lead to compromise of cardholder data.
      • Communicate timing and scope of penetration testing to all affected parties throughout the organization.
      • Perform testing in accordance with critical company processes including change control, business continuity, and disaster recovery.
      • Perform all penetration testing during a monitored maintenance window.

      About the PCI Security Standards Council

      The mission of the PCI Security Standards Council is to enhance payment account security by driving education and awareness of the PCI Data Security Standard and other standards that increase payment data security.

      The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement, and dissemination of the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements, and the Payment Application Data Security Standard (PA-DSS). Merchants, banks, processors, and point-of-sale vendors are encouraged to join as Participating Organizations.



    • #18401

      Thanks for the post Don!  Great information.  I hope everybody starts requiring this.  MONEY!!!!!  ;D

    • #18402

      This has come up on us quick, as I didn’t know they had added the additional pen test requirements until very recently.  Is there a good way to keep informed about changes from PCI?  I knew about the 1.2 update because that was broadcast from several sites, but some of their other modifications are not very well announced in my opinion.  I went to the PCI council web site but didn’t see a sign-up for alerts or announcements.


    • #18403

      Mmmmm job security. Then again, when has PCI requiring something started getting companies to do it? *cough*TJX*cough*

    • #18404

      Looks like a good move from our side, but how many ‘IT professional services’ companies are going to start offering pen-tests because one of their engineers has been able to install Nessus?

      It could result in more ‘ethical hackers’ on the market, flooding what until now has been a specialist niche. I hope the PCI auditors can tell the difference between a pentest report and a cowboy hat.

      It’s Christmas and I’m still pessimistic and paranoid…

    • #18405
      Artful Dodger

      I agree with Jason.  I work with several PCI needy companies that try to skirt the issues.  Some of them don’t know that they need the pen testing until we show them in writing.  Then there is the argument that they do the vulnerability scan and “what is the difference”.  It is a battle, but when it boils down to it, I get paid to break stuff (pentest) and find stuff (forensics).  I cannot complain about the hardships :)

      Role, I bet it does bring out some “posers”.  But that is OK.  I think that will just bring awareness and help set standards.  Hopefully…it is x-mas and I am trying my hardest to look at the bright side!

    • #18406

      I don’t think we will see all that many “posers” for PCI Pen Tests.  The requirements to become a Qualified Security Assessor for PCI are fairly strict.  Any actual IT Security company could get certified but just having a person who can run Nessus isn’t going to cut it to become a QSA. 

      You can check out the requirements here.  Companies have to shell out some time and money to become certified.  Any individuals performing PCI security assessments have an annual training requirement.

    • #18407
      Artful Dodger

      You’re right on the qualifications to be a QSA.  But the pen test requirement can be done by anyone.  That is where people that decided to try BackTrack are going to jump in the business.

      Any way you look at it, if you are good at what you do, this is a good thing.

    • #18408

      Late reply on this one, but fully agree with everyone.  This is great news for ethical hackers and pentesters, as it opens the door for us to move into the private sector more, and showcase / utilize our abilities both in a positive light, and to grow our business.  I’ve already been in touch with a few banks and such, where I have contacts, who are looking forward to having me perform pentesting services for them.

      I’ll say ‘Thank you!’ to the govt regulators who thought this through, and wisely implemented the requirements!

    • #18409

      A few months ago when I read this post I did not pay too much attention, but now when the circumstances are different, YESS ;D

    • #18410

      @hayabusa wrote:

      I’ll say ‘Thank you!’ to the govt regulators who thought this through, and wisely implemented the requirements!

      An issue with PCI’s requirements that I have is, it sort of brought down the value of a “true pentest” in the sense that “Walmart like” Nessus based scanning fraudsters are pitching a Nessus scan as a pentest. So whereas before no one would blink at a $50k RFP I sent them, now they’re like “Well FoobarSecurityInTheBasement.Com is having a special! $5.00 on testing!”

      Many small businesses tend to go with the low-level “we didn’t know this wouldn’t find much” approach and call it a day, shifting the risk at a lower cost. The mid-to-large sized companies are doing things more and more in-house. As for the boutique companies and contractors 😉 It’s always best to do something out of the ordinary and memorable. I get contracting gigs from time to time on an extremely “WTF” level. E.g., a high-level CxO loaded with a 20k sq ft house is paranoid about his networks, camera system, etc. A friend of a friend recommended me for this, don’t know why. First thing I thought of was, who the hell sleeps in a 20k ft house.

      When you stand out, do something different, unique, you can be certain that you can name your price; however, don’t blink and try to dumb down a price. Real security managers know the value of testing. I actually disliked the PCI mandate for pentesting. The reality of it is, even as a pentester, that could NOT stop against human stupidity by way of client side attacks.

    • #18411

      L-O-L… point well made.

    • #18412

      As an FYI, if you’re not on the mailing list, you should join (pentesting). There is an ongoing thread about this right now. (Pros versus Joes) http://seclists.org/pen-test/2010/Aug/3

    • #18413

      Yep, I received a lot of those emails today, very interesting.

Copyright ©2021 Caendra, Inc.