Fortify your defenses

PCI Requirement 11.3 – Implement a Methodology for Penetration Testing

by Randy Bartels / June 5th, 2018

What is Penetration Testing?

They key component of PCI Requirement 11.3 is penetration testing. Who can perform the testing? What’s involved? When should it be performed? PCI Requirement 11.3 outlines the qualities of an effective penetration testing methodology, which include:

  • Based on industry-accepted penetration testing approaches
  • Includes coverage for the entire cardholder data environment perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in PCI Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results.

You may be wondering how penetration testing is different than vulnerability scanning. Conducting a vulnerability scan may be one of the first steps a penetration tester will perform in order to plan the testing strategy, although it is not the only step. Penetration testing is generally a highly manual, active process, where the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. The intent of penetration testing is to simulate real-world attacks against your environment so that you can identify any potential vulnerabilities and see how far an attacker would be able to enter into your environment.

PCI Requirement 11.3 requires that you have a penetration test done. There are several requirements within this that talk about methodologies, using competent staff, who can do it, and how it is performed. At the end of the day, though, the intent behind this particular event is to recreate real-world attacks against your environment, so that we can identify any vulnerabilities that might be exposed to the environment.

Part of PCI Requirement 11.3 is that you have a documented methodology. This methodology is something that your assessor is going to be asking for. It is a document that is your methodology about how to perform a penetration test in your environment. If you outsource your penetration testing to a third party, and you tell your assessor that you use company X’s penetration testing methodology, that is insufficient. The processes that this should go through is defining a methodology that says, “When you perform a penetration test in my environment, this is how we expect it to be done. These are the merits by which we conduct our tests, these are the things that we do, and this is what we consider a successful test.” When you go to your penetration testers, you are to provide that methodology to them, and they are supposed to create a statement of work based on that. They are also supposed to execute the test based on your penetration testing methodology.

If you have questions about the penetration testing methodology, KirkpatrickPrice has a template that we can provide you to help you put that together. Please feel free to get ahold of your assessor and they’ll be happy to help you out with that document.