{"id":1746,"date":"2019-10-18T14:55:09","date_gmt":"2019-10-18T14:55:09","guid":{"rendered":"https:\/\/www.thesslstore.com\/resources\/?p=1746"},"modified":"2019-10-18T14:56:20","modified_gmt":"2019-10-18T14:56:20","slug":"does-pci-dss-require-pci-penetration-testing","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/","title":{"rendered":"Does PCI DSS Require PCI Penetration Testing?"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In one word? Yes. Requirement 11.3.4.1 of the <a href=\"https:\/\/www.pcisecuritystandards.org\/pdfs\/pci_ssc_quick_guide.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Payment Card Industry Data Security Standard<\/a> (PCI DSS) does mandate penetration testing \u2014 but not for everyone. In this article, we\u2019ll discuss penetration testing and who is required by PCI DSS to perform it. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is PCI Penetration Testing?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PCI DSS penetration testing is a method for finding internal\nand external vulnerabilities on a network. This differs from your typical\nmalware scanning in that rather than finding and ranking known <a href=\"https:\/\/www.thesslstore.com\/resources\/what-is-an-asv-vulnerability-scan\/\">vulnerabilities<\/a>,\nyou\u2019re literally probing your network and environment to find new\nvulnerabilities \u2014 essentially, you\u2019re trying to find ways to break it. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Penetration testing can take weeks in some cases \u2014 it\nrequires a ton of attention and planning. Oftentimes, organizations will\noutsource this task and have a third party come in to handle it. This means\nthat there\u2019s some expense involved in PCI penetration testing. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Generally, there are two kinds of penetration tests:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Manual<\/li><li>Automated<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">It likely doesn\u2019t take much guessing to deduce what that\nmeans, but we\u2019ll spell it out for you anyway: A manual penetration test is what\nwe just described. It involves a team of researchers looking for ways to break\nyour environment by finding vulnerabilities and exploiting them. It\u2019s\ncomprehensive and provides a ton of insight for how you can harden your cyber\ndefenses.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The automated sort uses a suite of tools to probe the\nenvironment for weaknesses. It\u2019s effective, but not quite like having a team of\nactual people do it. Hackers and criminals think like people. Computers haven\u2019t\nmastered that (yet).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Ok, So Does PCI DSS Require Penetration Testing?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Yes, PCI DSS Requirement 11.3 calls for penetration testing\nto be performed twice per year \u2014 or any time a major change to your environment\noccurs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, before we get any further, there is some nuance to\nthis. Let\u2019s start by defining some terms. Your \u201cenvironment\u201d refers to\nliterally <em>any part of your organization that handles payment card\ninformation<\/em>. Networks, physical terminals \u2014 anywhere that PCI is collected\nor passes through counts as part of your environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Second, PCI penetration testing must be performed both\nexternally and internally. 
Most <a href=\"https:\/\/www.thesslstore.com\/resources\/what-is-an-asv-vulnerability-scan\/\">vulnerability\nscans<\/a> only handle external surface space; you need to handle your internal\nnetwork, too.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Third, a significant change to your environment is kind of a\ngrey area that largely depends on your own internal calculus. What\u2019s\nsignificant to one company may not be significant to others. But, generally,\nthings like OS upgrades, replacing firewalls or critical security devices,\nadding a new payment acceptance process, and moving portions or all of the\nenvironment to a cloud-hosted environment would constitute a significant\nchange.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lastly, this PCI DSS penetration testing requirement doesn\u2019t\napply to everyone. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">So, Who IS Required to Do Penetration Testing?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The PCI DSS requirement that mandates penetration testing\nonly applies to organizations that are service providers. This means that if 1)\nyou store, process, or transmit cardholder data on behalf of someone else, AND 2)\nyou use segmentation for PCI scope reduction, then this requirement affects you.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Segmentation just means the way you structure your network.\nIf you\u2019re segmenting it to protect cardholder data, you\u2019ll need to do twice-yearly\npenetration tests.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Again, if you check BOTH of those boxes, then you\u2019re\nrequired to perform a penetration test.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Do Industry Leaders Expect with Penetration Tests? What Are They Actually Requiring?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">PCI DSS is looking for you to evaluate the scope and\neffectiveness of your segmentation controls. 
The reason it\u2019s twice a year is to\nensure that your segmentation is operating effectively throughout the year. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Again, this penetration testing is more than simply port\nscanning. That\u2019s why many compliance experts advise organizations that can\nafford it to go the manual route and either staff their own or hire out a\ncompetent group of professionals to carry this out.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">And keep in mind, you\u2019re not just doing this for PCI compliance\n\u2014 at least you shouldn\u2019t be. This process will genuinely improve your security,\nwhich better protects cardholder data. And that\u2019s what this is all really about\n(or, at least, it should be). <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">PCI DSS wasn\u2019t written to be onerous; it was written to protect people by mandating good security. Don\u2019t miss the forest for the trees.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In one word? Yes. Requirement 11.3.4.1 of the Payment Card Industry Data Security Standard (PCI DSS) does mandate penetration testing \u2014 but not for everyone. 
In this article, we\u2019ll discuss penetration testing and who is required by PCI DSS to &hellip; <a href=\"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[115],"tags":[125,124],"class_list":["post-1746","post","type-post","status-publish","format-standard","hentry","category-pci-compliance","tag-pci-dss","tag-penetration-testing"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Does PCI DSS Require PCI Penetration Testing? - The SSL Store<\/title>\n<meta name=\"description\" content=\"The Payment Card Industry Data Security Standards does require PCI penetration testing for some organizations. Not sure if you&#039;re one? Here&#039;s what to know.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Does PCI DSS Require PCI Penetration Testing? - The SSL Store\" \/>\n<meta property=\"og:description\" content=\"The Payment Card Industry Data Security Standards does require PCI penetration testing for some organizations. Not sure if you&#039;re one? 
Here&#039;s what to know.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/\" \/>\n<meta property=\"og:site_name\" content=\"The SSL Store\" \/>\n<meta property=\"article:published_time\" content=\"2019-10-18T14:55:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-10-18T14:56:20+00:00\" \/>\n<meta name=\"author\" content=\"Casey Crane\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Casey Crane\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/\"},\"author\":{\"name\":\"Casey Crane\",\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/#\\\/schema\\\/person\\\/99aca52ee5df17ce3fcd40454cc7d783\"},\"headline\":\"Does PCI DSS Require PCI Penetration Testing?\",\"datePublished\":\"2019-10-18T14:55:09+00:00\",\"dateModified\":\"2019-10-18T14:56:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/\"},\"wordCount\":734,\"commentCount\":9,\"keywords\":[\"pci dss\",\"penetration testing\"],\"articleSection\":[\"PCI 
Compliance\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/\",\"url\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/\",\"name\":\"Does PCI DSS Require PCI Penetration Testing? - The SSL Store\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/#website\"},\"datePublished\":\"2019-10-18T14:55:09+00:00\",\"dateModified\":\"2019-10-18T14:56:20+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/#\\\/schema\\\/person\\\/99aca52ee5df17ce3fcd40454cc7d783\"},\"description\":\"The Payment Card Industry Data Security Standards does require PCI penetration testing for some organizations. Not sure if you're one? 
Here's what to know.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/does-pci-dss-require-pci-penetration-testing\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Resources\",\"item\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PCI Compliance\",\"item\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/category\\\/pci-compliance\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Does PCI DSS Require PCI Penetration Testing?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/#website\",\"url\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/\",\"name\":\"The SSL Store\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/#\\\/schema\\\/person\\\/99aca52ee5df17ce3fcd40454cc7d783\",\"name\":\"Casey 
Crane\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g\",\"caption\":\"Casey Crane\"},\"url\":\"https:\\\/\\\/www.thesslstore.com\\\/resources\\\/author\\\/casey-crane\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Does PCI DSS Require PCI Penetration Testing? - The SSL Store","description":"The Payment Card Industry Data Security Standards does require PCI penetration testing for some organizations. Not sure if you're one? Here's what to know.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/","og_locale":"en_US","og_type":"article","og_title":"Does PCI DSS Require PCI Penetration Testing? - The SSL Store","og_description":"The Payment Card Industry Data Security Standards does require PCI penetration testing for some organizations. Not sure if you're one? Here's what to know.","og_url":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/","og_site_name":"The SSL Store","article_published_time":"2019-10-18T14:55:09+00:00","article_modified_time":"2019-10-18T14:56:20+00:00","author":"Casey Crane","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Casey Crane","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/#article","isPartOf":{"@id":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/"},"author":{"name":"Casey Crane","@id":"https:\/\/www.thesslstore.com\/resources\/#\/schema\/person\/99aca52ee5df17ce3fcd40454cc7d783"},"headline":"Does PCI DSS Require PCI Penetration Testing?","datePublished":"2019-10-18T14:55:09+00:00","dateModified":"2019-10-18T14:56:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/"},"wordCount":734,"commentCount":9,"keywords":["pci dss","penetration testing"],"articleSection":["PCI Compliance"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/","url":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/","name":"Does PCI DSS Require PCI Penetration Testing? - The SSL Store","isPartOf":{"@id":"https:\/\/www.thesslstore.com\/resources\/#website"},"datePublished":"2019-10-18T14:55:09+00:00","dateModified":"2019-10-18T14:56:20+00:00","author":{"@id":"https:\/\/www.thesslstore.com\/resources\/#\/schema\/person\/99aca52ee5df17ce3fcd40454cc7d783"},"description":"The Payment Card Industry Data Security Standards does require PCI penetration testing for some organizations. Not sure if you're one? 
Here's what to know.","breadcrumb":{"@id":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.thesslstore.com\/resources\/does-pci-dss-require-pci-penetration-testing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Resources","item":"https:\/\/www.thesslstore.com\/resources\/"},{"@type":"ListItem","position":2,"name":"PCI Compliance","item":"https:\/\/www.thesslstore.com\/resources\/category\/pci-compliance\/"},{"@type":"ListItem","position":3,"name":"Does PCI DSS Require PCI Penetration Testing?"}]},{"@type":"WebSite","@id":"https:\/\/www.thesslstore.com\/resources\/#website","url":"https:\/\/www.thesslstore.com\/resources\/","name":"The SSL Store","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.thesslstore.com\/resources\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.thesslstore.com\/resources\/#\/schema\/person\/99aca52ee5df17ce3fcd40454cc7d783","name":"Casey Crane","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c18d819d34a1995e91a4aa7518e9048df7856f336a1ede2262a572db7b1c2506?s=96&d=mm&r=g","caption":"Casey 
Crane"},"url":"https:\/\/www.thesslstore.com\/resources\/author\/casey-crane\/"}]}},"_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/posts\/1746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/comments?post=1746"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/posts\/1746\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/media?parent=1746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/categories?post=1746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/resources\/wp-json\/wp\/v2\/tags?post=1746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}