Question: In version 3.0 it states I need to complete penetration testing. In version 2.0 it was recommended and because of our business being 24 hours, we had an acceptable work around. I am being told that the penetration test is a MUST for 3.0?
Answer: Penetration testing is a must for version 3.0. The PCI DSS does indeed require that all merchants conduct penetration testing to ensure the security of their cardholder data environments. While penetration testing is not a new requirement in PCI DSS 3.0, there have been some clarifications which resulted in some additional requirements regarding penetration testing.
Here are some of the key changes with regard to penetration testing:
- A penetration testing methodology must be implemented and based upon an industry accepted model such as NIST SP 800-115;
- Testing must cover both application and network layer threats to determine vulnerabilities;
- Penetration testing must be conducted from both internal and external perspectives on an annual basis and after any significant change in the network infrastructure or applications; and
- Any exploitable vulnerabilities discovered during the pen tests must be addressed and retested to ensure they were resolved.
While most of version 3.0 goes into effect beginning 2015, section 11.3 which covers penetration testing is not effective until July 15, 2015. So until that date, you can continue to follow version 2.0 guidelines for penetration testing.
Following are a couple of PCI Compliance Guide posts you may also find helpful:
March 26, 2015 UPDATE: The PCI Security Standards Council has issued a new Penetration Testing Guidance document. You can access the document here: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf.