Role of Penetration Testing in PCI DSS Requirement 11.3.4

The PCI DSS (Payment Card Industry Data Security Standards) details the best security practices for organisations, helping them defend themselves against potential threats. That’s why it’s so important that the DSS is regularly updated and with the latest version - the PCI DSS version 3.2 is about to be launched.

Penetration testing, which is sometimes referred to as "pentesting", helps to ensure that the cardholder data environment (CDE) is isolated from other networks. Also know as "ethical hacking", it can make sure that security controls are effective, it helps to discover new bugs you didn’t know about and more.

While that probably sounds worrying and may be enough to give you weeks of sleepless  nights as you ask "what if the testers find something?" or "what if the CDE isn’t isolated?". Pentesting is a massively invaluable tool in the fight against attacks. Once you know what the problem is, you can work to fix it!

What does PCI DSS 3.0 say about pentesting?

Specifically, requirement 11.3.4 of the PCI DSS explains that

“if segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.”

The documentation further explains that organizations must

“examine segmentation controls and review penetration-testing methodology to verify that penetration testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.”

Organisations must continuously review results from the most recent penetration tests which have to cover all segmentation methods (making sure that they are operational, effective and “isolate all out-of-scope systems from inscope systems”).

Moreover, it “should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the CDE, to confirm that they are not able to get through the segmentation controls to access the CDE” and testing must be performed on annual basis too.

This practice is highly necessary and not just because it is a requirement under the PCI DSS (meaning that failure to do so would make an organisations non-compliant with the PCI DSS) but because failure to do it could leave your organisation vulnerable to an attack. For example, if the cardholder data environment is not separate from your other networks – like those which the public has access to – you could potentially face a breach as attackers can gain access to that data and use it for malicious means. Not only could that severely damage your reputation but you could see financial losses too.

Get your organisation up to speed

As the PCI DSS mentions, pentesting that you conduct must cover all segmentation methods. The problem is that this may be particularly time consuming for larger organisations. Plus, it has to be performed annually (to ensure that no issues have cropped up in the meantime).

However, you just cannot afford to drop the ball when it comes to pentesting. Does your organisation have enough money to cushion the fallout from a CDE breach? Is your public relations team big enough and talented enough to restore the company’s reputation if a breach happens – a breach that you possibly could have prevented by conducting penetration testing?

So to be PCI compliant, according to the PCI DSS, you will want to employ a trusted team of security professionals, ethical hackers that work in total confidentiality, integrity and availability when it comes to performing security tests like the ones described in this article. Complete our penetration test scoping questionnaire to receive your personalized quote.