PCI DSS and Penetration Testing
Requirement 11 of the PCI DSS covers the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks.
“Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.” - PCI DSS
Regular testing is fundamental to ensuring that an organisation is prepared for the full range of attack types that companies have to face.
PCI DSS testing requirements
IT Governance provides all of the scanning, assessment and penetration testing requirements for PCI DSS compliance. We uniquely offer a combination of fixed-price and bespoke testing solutions, enabling you to choose the right option for your needs and budget.
Which penetration test do you need?
The PCI DSS sets out the following requirements for merchants and service providers:
|
PCI DSS compliance requirements |
Req 11.1
|
Req 11.2.1
|
Req 11.2.2
|
Req 11.2.3
|
Req 11.3.1
|
Req 11.3.2
|
Req 11.3.3
|
Req 11.3.4
|
Req 11.3.4.1
|
|
Rogue wireless access point detection
|
Quarterly internal
vulnerability
scanning
|
Quarterly ASV scans
|
Internal and external
vulnerability
scanning conducted
after changes
|
Annual external
penetration test
|
Annual internal
penetration test
|
Internal and external
penetration test
conducted after
changes
|
Annual internal
penetration test to
prove segmentation
|
Service providers Bi‐annual internal penetration test to prove segmentation (best practice until
2018)
|
|
Relevant IT Governance penetration test |
Wireless |
Infrastructure and web application |
ASV vulnerability scan |
Infrastructure and web application |
Infrastructure and web application |
Infrastructure and web application |
Infrastructure and web application |
Infrastructure and web application |
Infrastructure and web application |
|
Relevant test level
|
-
|
Level 1
|
-
|
Level 1
|
Level 2
|
Level 2
|
Level 2
|
Level 2
|
Level 2
|
|
SAQ A
|
-
|
-
|
-
|
-
|
-
|
-
|
-
|
-
|
-
|
|
SAQ A-EP
|
-
|
Yes
|
Yes
|
Yes
|
Yes
|
-
|
Yes
|
If segmentation used
|
-
|
|
SAQ B
|
-
|
-
|
-
|
-
|
-
|
-
|
-
|
-
|
-
|
|
SAQ B-IP
|
-
|
-
|
Yes
|
-
|
-
|
-
|
-
|
If segmentation used
|
-
|
|
SAQ C
|
Yes or alternative means
|
Yes
|
Yes
|
Yes
|
-
|
-
|
-
|
If segmentation used
|
-
|
|
SAQ C-VT
|
-
|
-
|
-
|
-
|
-
|
-
|
-
|
If segmentation used
|
-
|
|
SAQ D(m)
|
Yes or use a web application firewall
|
Yes or alternative means
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
If segmentation used
|
-
|
|
SAQ D(s)
|
Yes or use a web application firewall
|
Yes or alternative means
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
-
|
If segmentation used
|
|
SAQ P2PE
|
-
|
-
|
-
|
-
|
-
|
-
|
-
|
If segmentation used
|
-
|
|
RoC(m)
|
Yes or use a web application firewall
|
Yes or alternative means
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
If segmentation used
|
-
|
|
RoC(s)
|
Yes or use a web application firewall
|
Yes or alternative means
|
Yes
|
Yes
|
Yes
|
Yes
|
Yes
|
-
|
If segmentation used
|
For further guidance on the different types of penetration tests, please see our information page explaining the levels of penetration tests >>
IT Governance is an approved QSA provider and CREST-accredited penetration testing provider with extensive experience and a solid track record.
Why use IT Governance?
-
Easily select the solution appropriate to your needs and budget from a range of fixed-price and bespoke options.
-
Rest assured in the knowledge that the work will be carried out to rigorous standards as mandated by CREST, of which IT Governance is a member, by qualified and knowledgeable individuals.
-
IT Governance is an approved PCI QSA company, which means we meet and exceed the business and technical requirements as specified by the PCI SSC.
-
Benefit from our extensive expertise in PCI and ISO 27001, which means we can help you cost-effectively integrate your ISMS with other security frameworks.
-
Take advantage of a vast range of PCI documentation toolkits, guides, publications, training and staff awareness courses that will help you build your knowledge and maintain compliance with the Standard.
-
Our independent and unbiased advice means we are not affiliated with software providers, and we leverage your existing technology where possible.
Choose a penetration test suitable for your PCI compliance requirements now.