Penetration Testing and Vulnerability Scanning Requirements for PCI DSS

01 Jul, 2020


Penetration testing and vulnerability scanning exercises have become standard practices for modern-day enterprises. In our latest series of blog posts, we discuss how these exercises meet the compliance requirements of various standards, laws, and regulations. An earlier post covered the penetration testing and vulnerability scanning controls in ISO 27001:2013. In this article, we focus on PCI DSS.

Overview of PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. The Payment Card Industry Security Standards Council (PCI SSC) launched the first version of the PCI DSS framework in December 2004. The latest version (v3.2.1) was released in May 2018. This framework prescribes a total of 12 requirements that cover network security, cardholder data, vulnerability management, access control, network monitoring, penetration testing, and information security. While PCI DSS compliance is not mandated by law, it is a well-accepted industry standard that helps an enterprise build customer relationships and trust. PCI DSS is one of the few information security standards or laws that expressly mention vulnerability scanning and penetration testing in their requirements.

PCI DSS Requirements

While Requirement 5 deals with maintaining a vulnerability management program, it mainly focuses on the installation of anti-virus software. For the purpose of our discussion here, Requirements 11.2 and 11.3 are relevant. The former covers vulnerability scans, while the latter describes penetration testing.

1. Requirement 11.2: Vulnerability Scanning

This requirement states that internal and external vulnerability scans must be performed quarterly and whenever any significant change occurs in the network. The scope of “significant change” includes network topology changes, firewall rule modifications, installation of new system components, product upgrades, etc.

The guidance available for this requirement specifies that there can be three types of vulnerability scanning for PCI DSS:

  1. Internal scanning (quarterly; does not require an Approved Scanning Vendor (ASV))
  2. External scanning (quarterly; requires an ASV)
  3. Internal and external scanning when significant changes have taken place

Once vulnerabilities are identified, your organization is expected to address them and perform re-scans until all the identified vulnerabilities have been mitigated.

Requirement 11.2.1 places a specific focus on high-risk vulnerabilities. An organization is obligated to perform four vulnerability scans in a calendar year. After each vulnerability scan, a re-scan should be performed to verify that all high-risk vulnerabilities have been addressed. Requirement 11.2.2 has similar expectations, but for external scans conducted by the selected ASV.

2. Requirement 11.3: Penetration Testing

According to PCI DSS, an ideal penetration testing methodology should have the following features:

  1. Based on industry-accepted approaches such as NIST SP 800-115
  2. Covers the entire cardholder data environment (CDE) and critical systems
  3. Includes internal as well as external testing
  4. Incorporates testing exercises for validating segmentation and other scope-reduction controls
  5. Covers application-layer and network-layer penetration tests
  6. Reviews and considers vulnerabilities and threats discovered in the last 12 months
  7. Suggests appropriate measures to remediate the discovered vulnerabilities

This requirement’s guidance also draws the line between penetration testing and vulnerability scanning. According to PCI DSS, penetration testing is a simulated exercise to identify potential exposure if one or more vulnerabilities are successfully exploited. Vulnerability scanning is a mostly automated process, while penetration testing is mostly manual. Penetration testing focuses on the exploitation of vulnerabilities, while vulnerability scanning aims to identify vulnerabilities present in the system. The standard also specifies that a vulnerability scan may serve as the first step in a penetration testing exercise. In addition, it recognizes that penetration testing techniques will differ from one organization to another depending on complexity, type, depth, technical environment, and risk assessment.

Requirements 11.3.1 and 11.3.2 prescribe a minimum frequency of annual penetration tests, external as well as internal. While there is no requirement to use an ASV, an organization should also conduct a penetration test when there is a significant change in the infrastructure or application. Here, the scope of “significant” change includes adding a sub-network, upgrading the operating system, adding a web server, etc. Just like vulnerability scans, retests must be performed to verify that exploitable vulnerabilities are corrected.

Apart from these requirements, Requirement 11.3.4 requires an organization to conduct penetration tests of network segmentation where the CDE is isolated from other networks. The prescribed frequency is annually, or whenever any changes to segmentation controls or methods are implemented.

Conclusion

PCI DSS is very explicit about the requirements to be fulfilled. However, before you decide on conducting vulnerability scanning and penetration testing for your organization, note that these exercises may not be mandatory for you if you fall under one of the following categories:

  1. Merchants who outsource their entire card data processing to PCI DSS compliant third parties.
  2. Merchants who do not receive cardholder data but control the method that redirects to a third-party payment service provider.
  3. Merchants who do not store cardholder data but use IP-based point of contact devices.
  4. Merchants who process cardholder data through a virtual payment terminal.
  5. Merchants who rely on point-to-point encryption.

If your organization falls into any of these categories, you must check the Self-Assessment Questionnaires available on the PCI DSS website. Irrespective of whether PCI DSS requires it or not, we would still recommend that you regularly conduct vulnerability scans and penetration tests as a part of your organization’s overall security strategy. BreachLock provides end-to-end PCI DSS coverage for security testing for our clients.