PCI SSC Clarifies Penetration Testing Requirement, 11.3

Those seeking to satisfy section 11.3 of the PCI DSS 1.1 have been provided new information on this requirement.  The publication is in line with other existing best practices and keeps reasonableness and security firmly in place.  All organizations should review this important update.  It is a short 4 pages.  As is my style, a few highlights and a bit of analysis are below.

A few key points:

  • Any internal or external party may conduct these evaluations – with a few reasonable qualifiers:
    • The individuals have experience conducting these engagements
    • The parties are independent (organizationally or from an external vendor).  This is dead in line with the much praised IIA Professional Standards guidance on independence.
  • Prudence in how these engagements are conducted is expected – i.e. conduct these pentests against the important systems, during approved time frames, and provide sufficient information to the pentester to ensure that the intent of the effort is satisfied (black vs. white testing)
  • The scope of the pentest should include, “All locations of cardholder data, all key applications that store, process, or transmit cardholder data, all key network connections, and all key access points should be included.”
  • The frequency of these engagements should be at least annually (minimal requirement), and should be conducted with greater regularity based on the changes in the environment (i.e. switching from a hardware based network to a virtual network would be considered significant and require a penetration test)

As always, consider best practices, understand the intent, and apply appropriate controls for your own organization.


James DeLuccia


One response to “PCI SSC Clarifies Penetration Testing Requirement, 11.3”

  1. My family all the time say that I am killing my time here at net,
    but I know I am getting experience every day by reading these nice posts.
