Have you thought about how ready your organisation is to tackle the penetration testing requirements in PCI DSS v4.0.1?
In Part 1 of this series, we laid the groundwork for understanding PCI DSS (Payment Card Industry Data Security Standard) compliance and introduced Requirement 11.4. This focuses on the vital role penetration testing plays in keeping your Cardholder Data Environment (CDE) secure.

Now, in Part 2, we’re going a step further. We’ll break down each section of Requirement 11.4, showing you exactly what’s needed to meet compliance with confidence. Our aim? To make these requirements easy to understand and give you clear steps to follow so your organisation is always one step ahead.
Let’s jump back in!
What are the Penetration Testing requirements for PCI DSS?
In our previous blog we delved into Requirement 11.4 itself; here we take a look at the remaining sub-requirements that cover penetration testing for Payment Card Industry Data Security Standard (PCI DSS) compliance.
Requirement 11.4.2: Internal Penetration Testing for PCI
This involves testing your organisation’s networks, systems, and applications that operate behind the scenes. The goal is to ensure that your internal infrastructure is secure—not just against potential insider threats, but also against hackers who manage to gain access to your systems.
Requirement 11.4.3: External PCI DSS Penetration Testing
You will need to focus on external penetration testing. This ensures that any networks, servers, and applications exposed to the public are thoroughly evaluated for vulnerabilities.
Specific Requirements for Internal and External PCI Compliance Penetration Testing
To meet compliance, there are clear rules for how internal and external penetration testing should be conducted:
Internal and external penetration testing must:
- Be conducted at least once every 12 months.
- Occur following any major upgrade or modification of infrastructure or applications.
- Be carried out by a qualified internal resource or an external third-party tester.
- Ensure organisational independence of the tester (they don’t need to be a QSA or ASV, but they must remain impartial).
These requirements are designed to ensure that your penetration testing is consistent, thorough, and effective at identifying risks before they become problems.
Requirement 11.4.4: Addressing Vulnerabilities Found in PCI Penetration Testing
So, what happens when a penetration test uncovers vulnerabilities or security weaknesses? That’s where Requirement 11.4.4 comes in. This section focuses on how organisations should handle these issues and ensure they’re properly resolved. While it’s a short requirement, it’s a critical one—getting this right is essential for achieving compliance.
Here’s what you need to know:
- Vulnerabilities need to be addressed in line with your organisation’s risk assessment (as outlined in Requirement 6.3.1, which we’ll cover shortly).
- Once the corrections are made, penetration testing must be repeated to verify that the vulnerabilities have been properly fixed.
Requirement 6.3.1: Managing Vulnerabilities the Right Way
This requirement is all about ensuring vulnerabilities are handled systematically and effectively. Here is the key step involved:
- The tester should follow the process set out in Requirement 6.3.1 so that each issue is properly prioritised and resolved. Once fixes are in place, the penetration test must be repeated to confirm everything has been corrected.
Requirement 11.4.5: Network Segmentation Testing For PCI Compliance
In Part 1 of this series, we talked about the Cardholder Data Environment (CDE) as the heart of your customer’s payment information. It’s where sensitive data is stored, processed, and transmitted. This information is not only valuable to your business and your customers but also a prime target for hackers looking to exploit it.
So, how can you better protect it? By segmenting your network.
Network segmentation involves separating the CDE from the rest of your organisation’s systems. This creates a secure “bubble” around your sensitive data, reducing the number of systems and devices that fall within the scope of PCI DSS compliance. In other words, you’re limiting what needs to meet compliance requirements, which makes managing security more straightforward and effective.
But here’s the key: segmentation is only as good as the testing behind it. That’s why segmentation testing is so important for compliance. Requirement 11.4.5 ensures the CDE is thoroughly assessed to confirm it’s both secure and isolated as intended. This step is vital for protecting cardholder and financial information while demonstrating that your organisation meets PCI DSS standards.
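To make the idea of “confirming the CDE is isolated as intended” concrete, here is an added example of the kind of check a segmentation test performs. It is not code from the original post or from Equilibrium Security; the target list, labels and IP addresses are constructed, and the script assumes it is run from a host in an out-of-scope segment, where every CDE target is expected to be unreachable. Each target carries the reachability the segmentation design predicts, and the script reports any mismatch between design and observation.

```python
"""Segmentation verification helper (added example, not part of the original post).

Run from a host in an out-of-scope network segment. Every target carries the
reachability the segmentation design predicts; a CDE system that turns out to
be reachable is a segmentation failure.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Target:
    label: str                # descriptive name (constructed for this example)
    host: str
    port: int
    expected_reachable: bool  # what the segmentation design says should happen


@dataclass(frozen=True)
class Finding:
    label: str
    host: str
    port: int
    expected_reachable: bool
    observed_reachable: bool

    @property
    def severity(self) -> str:
        # Reaching a system that should be isolated is a segmentation failure.
        # Failing to reach something that should be reachable usually means the
        # test vantage point is wrong, so the run's results cannot be trusted.
        if self.observed_reachable and not self.expected_reachable:
            return "FAIL"
        return "CHECK_VANTAGE"


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate_segmentation(
    targets: List[Target],
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> List[Finding]:
    """Compare observed reachability against the design for every target.

    The probe is injectable so the logic can be exercised without a network.
    """
    findings: List[Finding] = []
    for t in targets:
        observed = probe(t.host, t.port)
        if observed != t.expected_reachable:
            findings.append(Finding(t.label, t.host, t.port, t.expected_reachable, observed))
    return findings


def segmentation_holds(findings: List[Finding]) -> bool:
    """True when no finding shows an isolated system being reachable."""
    return not any(f.severity == "FAIL" for f in findings)


# Constructed sample scope: replace with the targets from your own segmentation design.
SAMPLE_TARGETS = [
    Target("CDE payment database", "10.10.1.20", 5432, expected_reachable=False),
    Target("CDE application server", "10.10.1.30", 443, expected_reachable=False),
    Target("Corporate intranet (out of scope)", "10.20.5.10", 80, expected_reachable=True),
]

if __name__ == "__main__":
    results = evaluate_segmentation(SAMPLE_TARGETS)
    for f in results:
        print(f"{f.severity}: {f.label} {f.host}:{f.port} "
              f"reachable={f.observed_reachable} expected={f.expected_reachable}")
    print("segmentation holds" if segmentation_holds(results) else "segmentation FAILED")
```

A real 11.4.5 test covers every segmentation control and all in-scope-to-out-of-scope boundaries, not just a handful of TCP ports; the value of a script like this is that the expected results are written down first, so the evidence you keep for your assessor shows what was tested, from where, and what the design said should happen.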
The Requirements You Need To Know About
If your organisation uses segmentation to isolate the Cardholder Data Environment (CDE), it’s essential to ensure those segmentation controls are tested regularly. Here’s what you need to know to stay compliant:
- Organisational independence of the tester exists
Requirement 11.4.6: Additional Requirements for Service Providers
If your organisation uses a service provider, there’s an extra layer of responsibility to consider when it comes to compliance with Requirement 11.4.6.
What Is a Service Provider?
Service providers are organisations that handle cardholder data or provide critical services that could impact the security of your Cardholder Data Environment (CDE). Some common examples include:
- Payment processors
- Hosting providers
- Managed IT services
- Cloud storage providers
- Data centres
Why Are Service Providers Held to a Higher Standard?
When you work with a service provider, you’re trusting them with sensitive data or systems. Because service providers often manage multiple clients’ data or critical infrastructure, they’re held to a higher standard in PCI DSS compliance. This means their penetration testing requirements are more rigorous to ensure the security of all their clients’ environments.
What Does 11.4.6 Require?
The requirements for service providers are similar to those for organisations managing their own cardholder data (requirement 11.4.5), but with one key difference: frequency.
- Penetration tests must be conducted at least once every six months.
Navigating PCI DSS Compliance and UK Pen Testing: How We Can Help
The PCI DSS requirements, especially those around penetration testing, can feel overwhelming at first. But breaking them down into manageable steps, as we’ve done in this blog series, can make all the difference. By understanding the specifics of Requirement 11.4 and its sub-sections, you’re well on your way to ensuring your organisation is both compliant and secure.
Still have questions or need expert guidance? Our team of highly skilled penetration testers is here to help. Whether you’re navigating PCI DSS compliance or simply want to strengthen your overall security posture, we’re here to provide the support you need.
We also offer a free 30-minute consultation to answer any questions you might have and help you get started. Don’t hesitate to reach out to us at 0121 663 0055 or email us at enquiries@equilibrium-security.co.uk.
Ready to achieve your security goals? We’re at your service.
