Important components of the pentest for PCI DSS 4.0 certification

05.06.2024
The payment card industry has always attracted the attention of hackers. Therefore, this area requires more attention when it comes to cyber defence.
On 31 March 2022, the Payment Card Industry Security Standards Council (PCI SSC) published an updated version of the PCI DSS 4.0 standard. The previous version of the PCI DSS 3.2.1 standard expired after 31 March 2024, and PCI DSS 4.0 is already in force.
In this article, we will consider only those requirements that relate to the penetration test (pentest).

Do I need to perform a pentest to meet PCI DSS requirements?

Penetration tests should be conducted regularly – this is one of the requirements for PCI DSS certification. In accordance with requirement 11.4, external and internal penetration tests should be conducted every 12 months or after significant changes in the information system.
These requirements also establish segmentation testing checks that go beyond most standard penetration tests. Requirement 11.4 clearly states that companies must define, document and implement a penetration testing methodology that includes:
● industry-accepted approaches to penetration testing;
● coverage of the entire perimeter of the cardholder data environment (CDE) and critical systems;
● testing the internal and external network;
● testing to validate any segmentation controls;
● penetration testing at the application level to identify at least the vulnerabilities listed in requirement 6.2.4;
● network layer penetration tests covering all components that support network functions, as well as operating systems;
● reviewing and addressing threats and vulnerabilities that have emerged over the past 12 months;
● documented approaches to assessing and addressing the risk posed by operational vulnerabilities identified during penetration testing;
● retention of penetration test results and the results of remediation measures for 12 months.
Service providers are required to conduct a pentest every six months and in the event of significant changes in the system. But what is meant by a ‘significant change’?
The concept of a ‘significant change’ needs a closer look, so PCI DSS 4.0 provides several specific examples. Understanding that each company is unique and that each certification requires an individual approach on the part of company representatives and auditors, we have created a convenient schedule for conducting pentests that corresponds to the schedule of changes in IT infrastructure.
Below are some examples of significant changes that require further verification through penetration testing:
● adding any new hardware, software or network equipment;
● upgrading or replacing hardware and software;
● changes that influence the flow or storage of cardholder data;
● changes that affect the CDE boundaries or the scope of your PCI DSS assessment;
● changes in the supporting infrastructure, such as directory services, monitoring and logging;
● any changes to third-party vendors or services that support the CDE.

Requirements for PCI vulnerability scanning

Vulnerability scanning is an important element of the PCI DSS requirements. Requirement 11.2 states: conduct internal and external network vulnerability scans every quarter (every three months), and especially after any significant network changes. Identified vulnerabilities must be addressed and, if necessary, the scan repeated until a successful result is achieved.

After successfully passing the first PCI DSS scan, the company must conduct four more scans over the next year. External scanning should take place every quarter and be carried out by a qualified specialist from a specialist company; these scans must also be performed after any changes are made to the network. Internal scanning can be performed by the company’s own staff.

Penetration testing methodology

Requirement 11.4.1 addresses the approaches to be taken by professionals when conducting penetration tests, stating that methodologies emulating malicious attacks accepted in the relevant industry should be used. It is important to note that automated scanning is not considered sufficient to meet this requirement.

Who should conduct a PCI pentest?

Penetration testing for PCI DSS compliance should be performed by:
1. a skilled internal resource with the appropriate knowledge and skills to perform the penetration test thoroughly and properly;
2. a qualified third-party security service provider with relevant experience and certifications.
PCI DSS 4.0 even provides guidance on selecting an external third party to perform the PCI pentest in the Good Practices section of requirement 11. The PCI SSC recommends looking for a vendor with specific penetration testing certifications, which can help verify the tester’s skill level and competence.

We also recommend that you choose penetration test vendors with experience in PCI DSS compliance. When evaluating candidates, you should pay attention to their experience, the type and scope of projects they have previously completed, and other factors. It’s important to ensure that your vendor’s expertise matches your needs for ongoing and uninterrupted PCI DSS compliance.

Based on our many years of experience, we recommend engaging external vendors to perform pentesting. This will allow you to perform all the necessary tasks efficiently and professionally.

What are the requirements for internal and external testing?

Requirements 11.4.2 and 11.4.3 mandate internal and external penetration testing. Testing can be carried out by either a PCI-certified company or an independent service provider, but high qualifications are mandatory: previous experience and industry certificates are taken into account.
Requirement 11.4.1 states that internal testing of the CDE is required, and many organisations have not performed this type of work in the past.

Internal and external testing of the entire CDE is required. Penetration testing is therefore increasing in scope, including network and application penetration testing, and will need to be scalable to meet the requirements of PCI DSS 4.0. Any digital environment connected to the CDE, including network, cloud, and hybrid environments, as well as applications such as APIs and web applications, will need to be included in the PCI DSS 4.0 compliance pentest.

How often do you need to conduct penetration testing to comply with the PCI DSS?

Penetration testing should be performed at least once every 12 months in accordance with requirement 11.4 and in the event of any significant infrastructure or application level upgrade or change. This is not only a mandatory requirement – it is considered best practice for all companies that care about cyber defence. Including penetration testing in the software development life-cycle (SDLC) can prevent a number of problems.

PCI DSS also requires repeated penetration testing to ensure that exploitable vulnerabilities have been properly addressed and no longer pose a threat to CDEs.

What do you need to know about segmentation testing?

Segmentation testing is one of the components of penetration testing that is conducted to obtain PCI DSS certification.
Requirement 11.4.5 obliges testers to confirm that network segmentation is properly implemented. The purpose of this requirement is to ensure that the controls are capable of effectively isolating the CDE from other systems outside of it. To meet this requirement, a series of scans is typically conducted from each network segment, checking whether CDE systems can be reached from out-of-scope segments.

Requirement 11.4.6 states that a review of segmentation should be conducted every six months, not annually.
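The segmentation check described above, as an added example that is not part of the original article: a small Python script, run from a non-CDE segment, that attempts TCP connections to a list of CDE hosts and ports and reports any that are reachable. The host addresses, ports and the "allowed" list are constructed placeholders, not values from the page; a real run would take them from the organisation's network diagram and documented segmentation rules. The script distinguishes three outcomes: "open" (a connection succeeded, a segmentation failure), "refused" (the host answered with a reset, so the segment can route to it even though the port is closed) and "filtered" (no answer, which is what a correctly isolating firewall produces).

```python
"""Segmentation validation probe (added example, not the article's own code).

Run from a segment that should be isolated from the CDE. Every target that is
not explicitly allowed and still answers is reported as a finding.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    host: str
    port: int


def probe(target: Target, timeout: float = 2.0) -> str:
    """Attempt one TCP connection and classify the result.

    'open'     - the three-way handshake completed (segmentation failure)
    'refused'  - host replied with RST: routable, port closed (weak isolation)
    'filtered' - no reply / unreachable: traffic is being dropped (expected)
    """
    try:
        with socket.create_connection((target.host, target.port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered"


def evaluate(results: dict, allowed: set) -> dict:
    """Compare observed states against the documented allow-list.

    Returns {'fail': [...], 'warn': [...], 'pass': [...]} where
    fail = open and not allowed, warn = refused and not allowed,
    pass = everything else (filtered, or explicitly allowed).
    """
    report = {"fail": [], "warn": [], "pass": []}
    for target, state in results.items():
        if target in allowed:
            report["pass"].append(target)
        elif state == "open":
            report["fail"].append(target)
        elif state == "refused":
            report["warn"].append(target)
        else:
            report["pass"].append(target)
    return report


def segmentation_ok(report: dict) -> bool:
    """A segment passes only if nothing not on the allow-list answered."""
    return not report["fail"] and not report["warn"]


def run_scan(targets: list, allowed: set, timeout: float = 2.0) -> dict:
    """Probe every target from the current segment and evaluate the results."""
    results = {t: probe(t, timeout) for t in targets}
    return evaluate(results, allowed)


if __name__ == "__main__":
    # Constructed placeholder CDE targets; replace with the real inventory.
    cde_targets = [
        Target("10.10.50.10", 443),   # hypothetical payment gateway
        Target("10.10.50.11", 1433),  # hypothetical card-data database
        Target("10.10.50.12", 22),    # hypothetical admin host
    ]
    # Hypothetical documented exception: a jump host may reach SSH on .12.
    allowed_from_here = {Target("10.10.50.12", 22)}

    report = run_scan(cde_targets, allowed_from_here)
    for level in ("fail", "warn", "pass"):
        for t in report[level]:
            print(f"{level.upper():5} {t.host}:{t.port}")
    print("segmentation OK" if segmentation_ok(report) else "segmentation FAILED")
```

Running the script from each out-of-scope segment, and keeping the printed report with the date and source segment, gives the evidence trail the standard asks to be retained; any FAIL or WARN line should be traced to a firewall rule or routing entry and either fixed or added to the documented exception list before the next run.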

Conducting a pentest to pass a PCI DSS 4.0 audit

Our skilled and experienced team offers a wide range of penetration testing services for businesses of all sizes looking to prepare for PCI DSS 4.0 compliance.
In addition, we also recommend taking into account our comprehensive approach to PCI DSS certification, which includes not only a pentest, but other necessary services.
