Penetration Testing and PCI Compliance
One area where merchants and software providers struggle with PCI compliance relates to PCI DSS Requirement 11. Here’s a breakdown of the requirement.
PCI DSS Requirement 11 comprises seven sub-requirements and 14 testing procedures. It mandates that any business handling credit cards “regularly test security systems and processes,” a requirement that is intended to secure the network environment in which most merchants and software providers operate.
Some of the sub-requirements contained within PCI DSS Requirement 11 require validation by a Payment Card Industry Security Standards Council Approved Scanning Vendor (ASV). Others, like sub-requirement 11.3, require no validation by an ASV or Qualified Security Assessor (QSA). Sub-requirement 11.3 can be met using a “qualified internal resource,” leaving merchants and software vendors free to go it alone.
A closer look at PCI DSS Requirement 11.3 reveals that it requires businesses:
“Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).”
Such penetration testing, also referred to as ethical hacking (or in some cases white hat hacking), is a PCI DSS requirement mandated by sub-requirement 11.3 (and clarified by the PCI SSC in supplemental information).
The reality is that many small businesses do not have a “qualified internal resource.” Among merchants especially, many businesses end up paying an external third party to perform penetration tests.
As with any security standard, of course, performing more diligence than the minimum requirements is generally the best way to stay digitally secure. This is why we perform multiple penetration tests on our entire network every year, instead of merely the one required by PCI DSS.