thePCI Portal

Pen Testing for PCI v3.2

Whether you outsource or perform your own penetration tests, you should have a documented penetration testing methodology.  This methodology should:

  • Specify a retention period for penetration testing results and remediation activity results.
  • Specify coverage of the entire CDE perimeter and all critical systems (referencing your PCI in-scope asset list/inventory is a good idea).
  • Specify the frequency of testing (see frequency below).
  • If segmentation is used to isolate the CDE from other networks (as it is in most organizations), the methodology should include penetration-testing procedures that test all segmentation methods to confirm they are operational and effective and that they isolate all out-of-scope systems from systems in the CDE.
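As an added example (not code from thePCI Portal or the PCI SSC), this is the check the segmentation-testing procedure above boils down to: from a host on an out-of-scope segment, attempt a TCP connection to every host/port in the in-scope CDE asset inventory, and treat any completed handshake as a segmentation failure. The target hosts and ports and the "CDE service" listener are constructed stand-ins on 127.0.0.1 so the script runs offline; in use you would feed it the real inventory.

```python
# Added example (not from thePCI Portal): a minimal TCP segmentation probe.
# Run it FROM an out-of-scope host. Every completed handshake to a CDE
# service is a segmentation failure that must be fixed and re-tested.
import socket
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable or filtered
            return False


def segmentation_check(targets: Iterable[Tuple[str, int]],
                       timeout: float = 1.0) -> List[ProbeResult]:
    """Probe every (host, port) pair taken from the in-scope CDE asset list."""
    return [ProbeResult(h, p, probe_tcp(h, p, timeout)) for h, p in targets]


def violations(results: Iterable[ProbeResult]) -> List[ProbeResult]:
    """Segmentation is effective only if this list is empty."""
    return [r for r in results if r.reachable]


def _start_fake_cde_service() -> socket.socket:
    """Constructed stand-in for a CDE listener that the firewall should block."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # OS picks a free port
    srv.listen(5)               # handshake completes without accept()
    return srv


def _pick_closed_port() -> int:
    """Grab a free port and release it so the probe sees a refusal."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Self-contained run: one exposed 'CDE' port and one correctly blocked port."""
    srv = _start_fake_cde_service()
    exposed_port = srv.getsockname()[1]
    closed_port = _pick_closed_port()
    try:
        results = segmentation_check([
            ("127.0.0.1", exposed_port),  # constructed: misconfigured ACL
            ("127.0.0.1", closed_port),   # constructed: correctly blocked
        ], timeout=1.0)
    finally:
        srv.close()
    bad = violations(results)
    return {
        "exposed_port": exposed_port,
        "closed_port": closed_port,
        "violations": [(r.host, r.port) for r in bad],
        "segmentation_effective": not bad,
    }


if __name__ == "__main__":
    out = demo()
    for host, port in out["violations"]:
        print(f"SEGMENTATION FAILURE: {host}:{port} reachable from out-of-scope segment")
    print("segmentation effective" if out["segmentation_effective"] else "segmentation NOT effective")
```

In a real engagement, replace the constructed targets with the CDE asset inventory, run the probe from every out-of-scope segment (a clean result from one segment says nothing about the others), and extend it beyond TCP connect checks to UDP, ICMP and application-layer reachability. Keep the output as evidence for the retention period the methodology specifies.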

When contracting for penetration testing services (internal or external), ask the service provider to include the following services in the agreement:

  • Retesting until noted exploitable vulnerabilities are corrected (this is not part of most pentesters' default service).
  • Inclusion of the following information in the report:
    • A description of how their methodology is based on industry-accepted penetration testing approaches (for example, NIST SP 800-115).
    • Information about the tester(s) sufficient to verify that they are qualified and experienced.
    • A description of the application-layer penetration tests performed, covering at a minimum the vulnerabilities listed in PCI DSS Requirement 6.5.
    • A description of the network-layer penetration tests for components that support network functions as well as operating systems.
    • A description of how their tests take into account threats and vulnerabilities identified in the last 12 months.
    • A description of how the personnel who perform the penetration tests are qualified to perform them (they are not required to be a QSA or ASV).

If an internal resource performs the penetration test, the methodology should specify that the tester has organizational independence from those who have operational or business responsibility for the components tested (11.3.1.b).


Keep in mind that you will likely be conducting more than one pentest annually. You have to do one:

  • After any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
  • At least annually, both external and internal (11.3.1, 11.3.2). Segmentation testing is required at least annually and after any change to segmentation controls/methods (11.3.4); for service providers it is required at least every six months and after any change to segmentation controls/methods (11.3.4.1).
  • Repeated until noted exploitable vulnerabilities are corrected (11.3.3).
