If there’s one question in the new PCI DSS 3.0 that’s been generating a lot of conversations between clients and security professionals, it’s Requirement 11.3, which adds rigor to the penetration testing requirements.
Penetration (“pen”) testing has always been mandated by the DSS, but loose interpretation of post-test vulnerability management has led to mixed guidance and open questions about how to manage and remediate the weaknesses a test finds.
Requirement 11.3 now directs companies to implement a formal penetration testing methodology, and 11.3.1 and 11.3.2 restate when external and internal tests must be performed (at least annually and after any significant change to the environment). New Requirement 11.3.4 adds that, where segmentation is used to isolate the cardholder data environment, the pen test must also validate that the segmentation controls are operational and effective. These requirements are fairly self-explanatory and, in the case of 11.3.4, describe a straightforward best practice for any company’s security posture.
However, one bullet of Requirement 11.3 and sub-requirement 11.3.3 are causing consternation for companies and huddles among QSAs over just how their clients should comply. In particular, what does it mean that the methodology should “include review and consideration of threats and vulnerabilities experienced in the last 12 months”? And for 11.3.3, which requires that exploitable vulnerabilities found during testing be corrected and the test repeated to verify the fix, just what constitutes an “exploitable vulnerability”?
Again, it comes back to best practices. A typical closeout to any project includes a “lessons learned” session after completion. In an IT environment, it is helpful and smart to look back a year at what the organization actually experienced since the last test (for example, security incidents, vulnerability scan findings, and newly published vulnerabilities affecting in-scope systems) and to feed that history into the scope and test cases of the next engagement. This shouldn’t be anything revelatory, although some rigor should be applied to any environment containing sensitive data. Taking a fresh look at how the organization could be breached in an ever-changing security landscape definitely fits the bill.
Your QSA can provide further recommendations, and the PCI Security Standards Council has issued additional guidance on the penetration testing requirements.