As a QSA company (Qualified Security Assessor company), we are often asked by clients whether they can meet the ongoing PCI DSS penetration-testing requirements with in-house staff. The answer depends on several factors.
The organizational requirement to perform annual external and internal penetration tests, including application-layer testing, is covered by PCI DSS Requirement 11.3 (in the v3.x numbering used here). This is distinct from Requirement 11.2, which requires internal and external vulnerability scans at least quarterly: the internal scans may be run by qualified internal staff or a third party, while the external scans must be run by an ASV (Approved Scanning Vendor).
Both activities must also be repeated after any significant change to the in-scope environment, such as an application upgrade, a new system component, or a change to the network or organizational infrastructure, and not only at the mandated intervals.
Technically, the two activities differ substantially as well. A vulnerability assessment identifies and reports weaknesses; a penetration test goes further and attempts to exploit them, in order to establish how far an attacker could actually get and what the full business impact would be. Penetration testing must include application-layer testing and is therefore more manual and more comprehensive than vulnerability scanning.
According to the guidance published by the PCI SSC, the annual penetration test does not have to be performed by a party outside the organization. It does, however, have to be performed by a qualified tester who is organizationally independent of the management of the systems being tested. The test must cover all in-scope locations and must be proportionate to the size and complexity of the organization. Whichever approach is used, black box or white box, the methodology and the results must be documented, and every system and network in the cardholder data environment must be within the test scope. Smaller organizations with limited resources can find it difficult to demonstrate compliance with these requirements.
Outsourcing these requirements to organizations that can provide comprehensive independent …