In one word? Yes. Requirement 11.3.4.1 of the Payment Card Industry Data Security Standard (PCI DSS) does mandate penetration testing — but not for everyone. In this article, we’ll discuss penetration testing and who is required by PCI DSS to perform it.
What is PCI Penetration Testing?
PCI DSS penetration testing is a method for finding internal and external vulnerabilities on a network. This differs from typical vulnerability scanning in that rather than finding and ranking known vulnerabilities, you’re actively probing your network and environment to find new vulnerabilities — essentially, you’re trying to find ways to break it.
Penetration testing can take weeks in some cases — it requires a ton of attention and planning. Oftentimes, organizations will outsource this task and have a third party come in to handle it. This means that there’s some expense involved in PCI penetration testing.
Generally, there are two kinds of penetration tests: manual and automated.
It likely doesn’t take much guessing to deduce what that means, but we’ll spell it out for you anyway: A manual penetration test is what we just described. It involves a team of researchers looking for ways to break your environment by finding vulnerabilities and exploiting them. It’s comprehensive and provides a ton of insight into how you can harden your cyber defenses.
The automated sort uses a suite of tools to probe the environment for weaknesses. It’s effective, but not quite like having a team of actual people do it. Hackers and criminals think like people. Computers haven’t mastered that (yet).
Ok, So Does PCI DSS Require Penetration Testing?
Yes, PCI DSS Requirement 11.3 calls for penetration testing to be performed twice per year — or any time a major change to your environment occurs.
Now, before we get any further, there is some nuance to this. Let’s start by defining some terms. Your “environment” refers to literally any part of your organization that handles payment card information. Networks, physical terminals — anywhere that payment card data is collected or passes through counts as part of your environment.
Second, PCI penetration testing must be performed both externally and internally. Most vulnerability scans only cover the external attack surface; you need to test your internal network, too.
Third, a significant change to your environment is something of a grey area that largely depends on your own internal calculus. What’s significant to one company may not be significant to others. But generally, things like OS upgrades, replacing firewalls or critical security devices, adding a new payment acceptance process, and moving portions or all of the environment to a cloud-hosted environment would constitute a significant change.
Lastly, this PCI DSS penetration testing requirement doesn’t apply to everyone.
So, Who IS Required to Do Penetration Testing?
The PCI DSS requirement that mandates penetration testing only applies to organizations that are service providers. This means that if 1) you store, process, or transmit cardholder data on behalf of someone else, AND 2) you use segmentation for PCI scope reduction, then this requirement affects you.
Segmentation just means the way you structure your network. If you’re segmenting it to protect cardholder data, you’ll need to perform penetration tests twice a year.
Again, if you check BOTH of those boxes, then you’re required to perform a penetration test.
What Do Industry Leaders Expect with Penetration Tests? What Are They Actually Requiring?
PCI DSS is looking for you to evaluate the scope and effectiveness of your segmentation controls. The reason it’s twice a year is to ensure that your segmentation is operating effectively throughout the year.
Again, this penetration testing is more than simply port scanning. That’s why many compliance experts advise organizations that can afford it to go the manual route and either staff their own or hire out a competent group of professionals to carry this out.
And keep in mind, you’re not just doing this for PCI compliance — at least you shouldn’t be. This process will genuinely improve your security, which better protects cardholder data. And that’s what this is all really about (or, at least, it should be).
PCI DSS wasn’t written to be onerous; it was written to protect people by mandating good security. Don’t miss the forest for the trees.