
Overview

Organizations handling credit card data must adhere to the Payment Card Industry Data Security Standard (PCI DSS). Understanding the specifications and what an organization must do specifically to comply with the standard can be challenging. This article will focus on the penetration testing and vulnerability scanning requirements for PCI DSS compliance and when they apply.

Penetration testing is required for Level 1 PCI DSS compliance. The requirements get a little more complicated when it comes to what is required to submit alongside your SAQ. This article will review the security testing requirements for each merchant level and SAQ type. 

What Types of Security Testing are Required for PCI Compliance?

Before we dive into exactly what is required for each assessment type, first let’s explain what’s involved with each type of security testing.

External Vulnerability Scan

External vulnerability scanning is a security practice that involves using an automated scanner to assess the external-facing network infrastructure, systems, and applications of an organization for potential vulnerabilities. 

To be PCI-compliant, organizations must conduct quarterly scans using an Approved Scanning Vendor (ASV), and the resulting scan reports must not contain any vulnerabilities rated “medium” or “high” severity.

Internal Vulnerability Scan

An internal vulnerability scan assesses the security of an organization’s internal network infrastructure, systems, and applications. The main objective of internal scanning is to identify vulnerabilities that could be exploited by attackers who have already gained access to the internal network.

An ASV is not required for internal vulnerability scans, but organizations should still conduct them at least every three months.

External Penetration Test

An external penetration test goes further than a vulnerability scan to emulate the role of an attacker attempting to infiltrate the cardholder data environment (CDE) via the exposed external perimeter of the CDE and critical systems connected or accessible to public network infrastructures. Penetration tests are manual processes, where individuals go beyond automated scanning to see if they can infiltrate your environment and gain access to sensitive data. 

An external penetration test is required annually for PCI compliance.

Internal Penetration Test

During an internal penetration test, the tester operates from within the internal network to test various security controls and discover other vulnerabilities that could lead to security issues. The exact testing scope depends on your environment and the specific systems utilized, but the goal is to test your controls and identify any vulnerabilities before attackers do. 

An internal penetration test is required annually for PCI compliance.

Internal Segmentation Validation Test

A segmentation validation test is a type of penetration test that validates that network segmentation is working to isolate the cardholder data environment from other parts of the network. This test typically involves simulating attacks to determine whether less secure network segments can communicate with more secure segments, which would be a weakness that could allow unauthorized access to the CDE.

Security Testing Requirements for Level 1 PCI DSS

If your business processes more than six million transactions annually, it’s likely you need a level 1 PCI audit performed annually by a Qualified Security Assessor. But that’s not all. The security testing requirements for Level 1 include:

  • External Vulnerability Scans (11.2), which must be performed by an Approved Scanning Vendor (ASV) at least quarterly and after any significant architectural changes.
  • Internal Vulnerability Scans (11.2), which must be performed by a qualified internal resource or an independent third party at least quarterly and after any significant architectural changes.
  • External Penetration Testing (11.3.1), which must be performed by an independent and qualified internal resource or a qualified third party at least once a year and after any significant architectural changes.
  • Internal Penetration Testing (11.3.1), which must be performed by an independent and qualified internal resource or a qualified third party at least once a year and after any significant architectural changes.
  • Internal Segmentation Validation Testing (11.3.4), which must be performed every six months and after any significant architectural changes.

In addition, you will need to submit proof of security testing to your auditor during your annual evaluation, so be sure to save the results and record any remediation actions taken.

Security Testing Requirements for Levels 2-4 PCI DSS

Things are not as straightforward when it comes to the other merchant levels. Depending on the number of transactions processed, the business risk profile, and the technologies used for payment processing, the type of Self-Assessment Questionnaire (SAQ) will dictate the type of security testing that is required. 

To provide a simple answer, it is not necessary to perform penetration testing for SAQs A, B, B-IP, C-VT, and P2PE. However, some security testing is necessary for SAQs A-EP, C, and D. Let’s take a closer look at the requirements.

SAQ A-EP

This SAQ is employed by online retailers whose websites do not collect cardholder data, but have an impact on the security of payment transactions. The security testing requirements include:

  • External Vulnerability Scans (11.2), which must be performed by an approved scanning vendor at least quarterly and after any significant architectural changes.
  • External Penetration Testing (11.3.1), which must be performed by an independent and qualified internal resource or a qualified third-party at least once a year and after any significant architectural changes. 
  • Internal Segmentation Validation Testing (11.3.4), which must be performed every six months and after any significant architectural changes are made.

SAQ C

This SAQ is used by merchants who do not keep cardholder data on any computer systems and process cardholder data via a point-of-sale system or other payment application system connected to the Internet. Requirements include:

  • External Vulnerability Scans (11.2) must be performed quarterly and after any significant architectural changes by an approved scanning vendor (ASV).
  • Internal Vulnerability Scans (11.2) must be performed quarterly and after any significant architectural changes by a qualified internal resource or independent third-party.
  • Internal Segmentation Testing (11.3.4) must be performed every six months and after any significant architectural changes.

SAQ D

Organizations that don’t meet the requirements of the other SAQs or that electronically store cardholder data use this SAQ. Requirements include:

  • External Vulnerability Scans (11.2), which must be performed quarterly and after any significant architectural changes by an Approved Scanning Vendor (ASV).
  • Internal Vulnerability Scans (11.2), which must be performed quarterly and after any significant architectural changes by a qualified internal resource or an independent third party.
  • External Penetration Testing (11.3.1), which must be performed yearly and after any significant architectural changes by an independent and qualified internal resource or a qualified third party.
  • Internal Penetration Testing (11.3.1), which must be performed yearly and after any significant architectural changes by an independent and qualified internal resource or a qualified third party.
  • Internal Segmentation Testing (11.3.4), which must be performed every six months and after any significant architectural changes.

It’s important to note that the above information is not a comprehensive list of all the testing requirements outlined in the PCI DSS. It is also important to consult the official PCI DSS documentation to ensure compliance with all the requirements.

Security Testing for PCI Compliance

SAQ Type    ASV Scan    Internal Scan    Penetration Test
A           No          No               No
A-EP        Yes         No               Yes
B           No          No               No
B-IP        No          No               No
C-VT        No          No               No
C           Yes         Yes              Yes (segmentation validation, 11.3.4, only)
P2PE        No          No               No
D           Yes         Yes              Yes

The cells in this table summarize the per-SAQ requirement lists given earlier in this article.

Why Security Testing Is Not a Checkbox

Even if security testing is not required, it is still a best practice. It’s better to find gaps and vulnerabilities before bad actors do. PCI compliance should not just be about checking a box and moving on. Instead, use it as an opportunity to strengthen your defenses and do the right thing to secure your data.

Conclusion

If you have questions about PCI compliance and security testing, TCM Security is here to help. We have a team of QSAs who can help with all your PCI questions, and our team of penetration testers can help you close gaps in your security testing needs. Please contact us to learn more about our integrated approach to PCI DSS compliance auditing and penetration testing services.

Heath Adams

About the Author

Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.

Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.

Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.
