PCI Requirement 11.3.3 – Exploitable Vulnerabilities Found During Penetration Testing are Corrected and Testing is Repeated

by Randy Bartels / December 16, 2022

What To Do with Exploitable Vulnerabilities. The purpose of penetration testing is to find vulnerabilities before an attacker does; when you find them, those vulnerabilities need to be corrected. PCI Requirement 11.3.3 states, “Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.” During an assessment, you will provide your assessor with penetration testing results that verify that you found and implemented a…

PCI Requirement 11.3.2 – Perform Internal Penetration Testing at Least Annually

by Randy Bartels / December 16, 2022

Internal Penetration Testing. PCI Requirement 11.3.2 requires that organizations perform internal penetration testing at least annually and after any significant upgrade or modification. Internal penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data. When determining what constitutes…

PCI Requirement 11.3.1 – Perform External Penetration Testing at Least Annually

by Randy Bartels / December 16, 2022

External Penetration Tests. PCI Requirement 11.3.1 requires that organizations perform external penetration testing at least annually and after any significant upgrade or modification. External penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data. When determining what constitutes…


PCI Requirement 11.3 – Implement a Methodology for Penetration Testing

by Randy Bartels / December 16, 2022

What is Penetration Testing? The key component of PCI Requirement 11.3 is penetration testing. Who can perform the testing? What’s involved? When should it be performed? PCI Requirement 11.3 outlines the qualities of an effective penetration testing methodology, which include: based on industry-accepted penetration testing approaches; includes coverage for the entire cardholder data environment perimeter and critical systems; includes testing from both inside and outside the network; includes testing…

PCI Requirement 11.2.3 – Perform Internal and External Scans, and Rescans as Needed, After Any Significant Change

by Randy Bartels / December 16, 2022

Significant Changes in Your Cardholder Data Environment. PCI Requirement 11.2.3 requires that any time you have made a significant change in your environment, whether internal or external, you run a vulnerability scan. A significant change could be something like new system component installations, changes in network topology, firewall rule modifications, or product upgrades, but what constitutes a significant change depends on the configuration of your environment.…