PCI DSS Penetration Testing Services
PCI DSS stands for Payment Card Industry Data Security Standard. It’s the rulebook that governs how customer card data gets managed. Recently, it was adapted to require both a vulnerability scan and a pen test. The vulnerability assessment and penetration test must include the perimeter of the Cardholder Data Environment (CDE) and any systems which, if compromised, could impact the security of the CDE. Pen tests must be performed at least once annually and every six months for service providers.
Penetration Testing assesses the controls used to protect the CDE for PCI DSS
Speficically, PCI DSS 3.2 distinguishes between a vulnerability scan (Requirement 11.2) and a penetration test (Requirement11.3), both of which are required for PCI DSS compliance. PCI DSS Requirement 18.104.22.168 requires an organization perform penetration testing on CDE segmentation controls every six months. The PCI Security Standard Council's guidance states organizations should:
Examine the results from the most recent penetration test to verify that:
- Penetration testing is performed to verify segmentation controls at least every six months and after any changes to segmentation controls/methods.
- The penetration testing covers all segmentation controls/methods in use.
- The penetration testing verifies that segmentation controls/methods are operating and effective, and isolate all out-of-scope systems from systems in the CDE.
- Verify that the test was performed by a qualified internal resource or qualified external third party and, if applicable, organizational independence of the tested exists (not required to be a QSA or ASV)
Although PCI DSS only specifies a penetration test every 180 days, we recommend a quarterly program that includes validation testing.
Contact us for a free consultation on penetration testing.