What To Do with Exploitable Vulnerabilities
The purpose of penetration testing is to find vulnerabilities before an attacker does; when you find them, those vulnerabilities need to be corrected. PCI Requirement 11.3.3 states, “Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.”
During an assessment, you will provide your assessor with penetration testing results showing that you found the exploitable vulnerabilities, implemented a fix for each one, and repeated the testing to confirm the fixes worked.
During the test, your penetration testers will identify any vulnerabilities, and you are expected to resolve them. You are also required to keep a copy of the original penetration test report for your assessor to review. We will also ask you to perform a retest after remediation to validate that those specific findings have been resolved. In other words, a secondary penetration test is required to confirm that every vulnerability identified in the original test has been appropriately remediated and is no longer present in your environment.