WHY CHOOSE ICS?

Cost-Competitive

Security-focused IT solutions from ICS provide a balance of cost and quality, enabling our clients to maximize their return on IT investments.

Expert Advisors

ICS employees are in-demand public speakers, frequently published in industry and trade journals.

 

 

PCI Requirements: Penetration Test

The PCI Security Standards Council's Data Security Standard Requirement 11.3

 

Most organizations find that a third-party test performed by a qualified IT security firm is not only the most efficient way to satisfy PCI compliance, but also provides the most accurate, objective and thorough assessment.

What is a Penetration Test?

A penetration test attempts to exploit previously identified vulnerabilities to determine whether unauthorized access or other malicious activity is possible.

What are the PCI Requirements for Pen Testing?

According to the PCI Security Standards, penetration testing "should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network."

The PCI DSS allows the penetration test to be performed by either a qualified internal resource or a qualified third party. It is important to note that if internal resources are being used to perform penetration tests, those resources must be experienced penetration testers, and should be "organizationally separate from the management of the environment being tested." 

For more information, including the full scope of PCI DSS requirements, download the PCI DSS Penetration Testing Requirements Document, or contact ICS to learn more.

 



  

