By Jeff Man, Security Strategist and Evangelist, Tenable Network Security, exclusively for CardNotPresent.com
When the PCI Security Standards Council (PCI SSC) published version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) in November 2013, there were several changes the organization felt were significant enough to warrant a grace period. That reprieve came to an end June 30, 2015, when those changes morphed from “best practice” to “requirement.” There are five new requirements found in PCI DSS v3.0/3.1 that go into effect on this date. This article will focus on the new penetration testing methodology requirement.
Write This Down
Version 3.0/3.1 is a significant overhaul of the previous PCI. Perhaps the most significant change is the expansion of the PCI DSS 11.3, requiring a documented penetration testing methodology that:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
- Specifies retention of penetration testing results and remediation activities results.
The implication, in case you missed it, is that you need to