External Penetration Tests
PCI Requirement 11.3.1 requires that organizations perform external penetration testing at least annually and after any significant upgrade or modification. External penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.
When determining what constitutes a significant change, the PCI Requirement 11.3.1 guidance states, “The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.”
When a penetration test is conducted, it needs to be conducted against your external environment and your internal environment. We are looking from the Internet, trying to get in and, typically from your corporate environment, try to get into the cardholder data environment as well. From an assessment perspective, we’re looking at the results of the penetration test and the subnets of those results. For example, we’re looking at where the test took place and the directions for where the attack happened.