PCI Requirement 11.3.3 – Exploitable Vulnerabilities Found During Penetration Testing are Corrected and Testing is Repeated

What To Do with Exploitable Vulnerabilities

The purpose of penetration testing is to find vulnerabilities before an attacker does; when you find them, those vulnerabilities need to be corrected. PCI Requirement 11.3.3 states, “Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.”

During an assessment, you will provide your assessor with evidence for each exploitable vulnerability the test uncovered: the original penetration test report that identified it, a record of the remediation you implemented, and the retest results showing that the finding is no longer exploitable.

Video Transcript

During the test, your penetration testers will identify any vulnerabilities. It is expected that you resolve those things. It is also required that you keep a copy of that original penetration test for your assessor to review. We’re also going to ask that you perform a retest to validate that after you have gone through your remediation that those particular items have been resolved. It is also required that you perform a secondary penetration test to make sure that any of those vulnerabilities that have been identified as part of that original penetration test have been appropriately resolved and are no longer a vulnerability within your environment.
