PCI DSS Requirement 11.3 requires internal and external penetration testing, either semiannually or annually, depending on the classification of the entity. A penetration test must also be conducted after any significant change is made to the network. Pointe Solutions offers penetration testing that meets all of the requirements for PCI certification.
Per the PCI standards, the penetration testing used for certification must be based on an industry-accepted methodology (for example, NIST SP 800-115) and must meet the following criteria:
- Testing must include the entire cardholder data environment perimeter and critical systems.
- Testing must be performed both inside and outside of the network.
- Testing must utilize manual testing techniques and not just automated scanning.
- Testing must validate any network segmentation and scope-reduction controls.
- Application-layer testing must include, at a minimum, the vulnerabilities listed in the current Open Web Application Security Project (OWASP) top ten.
- Network-layer testing must include components that support network functions as well as operating systems.
- Testing must include new threats and vulnerabilities experienced in the last 12 months.