Internal Penetration Testing
PCI Requirement 11.3.2 requires that organizations perform internal penetration testing at least annually and after any significant upgrade or modification. Internal penetration tests focus on servers, workstations, and other network devices that are within the target environment. The goal is to identify exploitable weaknesses that could allow an attacker to gain access to these systems, ultimately leading to access to sensitive data.
When determining what constitutes a significant change, the PCI DSS guidance states, “The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.”
PCI Requirement 11.3.2 is much the same to PCI Requirement 11.3.1. You need to perform an internal penetration test for your environment. We have already talked about internal and external tests, but these tests need to be performed by qualified, competent staff. The tests also need to be performed annually after any significant changes. Anything that was identified during that test needs to be resolved, and then retests will occur to validate that you have closed out those issues.
From an assessment perspective, we are looking at your penetration testing methodology. We are looking at the results of this, and we are making sure that you have done your internal and external tests. We are also making sure that those individuals who have done these tests are qualified to do so.