Wednesday, April 2, 2014

What is PCI/DSS v3.0 Standards and why should penetration testers care?

PCI stands for Payment Card Industry and DSS for Data Security Standard. The standard is published by the PCI Security Standards Council (PCI SSC) and applies to any entity that stores, processes or transmits cardholder data.


We need to care about these standards because they affect at least three major business verticals:

Merchants

Financial Institutions

Hardware/software vendors serving merchants, the financial industry etc.


The updated PCI DSS version 3.0 standard is published on the PCI SSC website at
https://www.pcisecuritystandards.org/ and places increased focus on penetration testing.

What’s changed in PCI/DSS standards v3.0 for pen testing?

Pen testing methodology is covered in requirement 11.3, which v3.0 expands significantly: the entity must now have a documented methodology that is based on industry-accepted penetration testing approaches, with NIST SP 800-115 named as the example. NIST SP 800-115 is a framework rather than a checklist, so the parts that do not apply to your customer's environment can be left out, but the methodology you do follow has to be written down and repeatable.

We need to test from both inside and outside the network, covering the entire perimeter of the cardholder data environment (CDE) and its critical systems. Where the customer uses network segmentation to isolate the CDE, we also need to validate that the segmentation actually works, because it is only effective segmentation that lets the customer reduce the scope of PCI DSS controls to the CDE rather than the whole network. The requirement also spells out that the pen test must include an application-layer test covering at least the vulnerability classes listed in Requirement 6.5, and a network-layer test covering the components that support network functions as well as operating systems.

New Sections
11.3.1 External pen test (To be performed at least annually and after any significant infrastructure or application change. This test simulates an external attacker.)
11.3.2 Internal pen test (To be performed at least annually and after any significant change. This test simulates a rogue employee or an attacker who already has a foothold inside the network.)

11.3.3 Remediation & Retesting (Any exploitable vulnerabilities found during pen testing are corrected, and the test is repeated to verify the corrections.)
11.3.4 Segmentation Testing (If segmentation is used to isolate the CDE, test at least annually and after any change to the segmentation controls that the segmentation is operational and effective, i.e. that every out-of-scope system is actually isolated from the CDE. The test does not reduce scope by itself; it is the evidence that the scope reduction the customer is claiming is justified.)
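As an added illustration of what a 11.3.4 segmentation check looks like in practice (this is example code, not part of the standard or of this post), the script below is run from a host in a supposedly out-of-scope segment against a list of CDE services; any endpoint that completes a TCP handshake is a segmentation failure to hand back to the customer. The `Endpoint`, `check_segmentation` and `run_local_demo` names are hypothetical, and the demo targets are constructed on loopback so the file runs offline.

```python
# Added example (not from the PCI DSS standard or this post): a minimal
# segmentation check in the spirit of Requirement 11.3.4. Run it on a host in
# an out-of-scope segment against the CDE hosts and ports; any endpoint that
# answers is a segmentation failure to investigate. Helper names are
# hypothetical. A real engagement would sweep all 65535 TCP ports plus UDP
# (e.g. with nmap) rather than a hand-picked list.
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """A CDE service that the out-of-scope segment must NOT be able to reach."""
    host: str
    port: int
    label: str = ""


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout.

    A refused connection (RST) and a timeout (packet dropped by a firewall)
    are both unreachable; only a completed handshake counts as reachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError, socket.timeout, EHOSTUNREACH ...
        return False


def check_segmentation(cde_endpoints, timeout=2.0, probe=tcp_reachable):
    """Return the CDE endpoints reachable from this host.

    An empty list means segmentation held for every endpoint tested; a
    non-empty list is the evidence for the 11.3.3 remediation and retest.
    """
    return [ep for ep in cde_endpoints if probe(ep.host, ep.port, timeout)]


def run_local_demo():
    """Constructed demo on loopback: one listening port stands in for a CDE
    service that leaks through the segmentation, one closed port stands in
    for a service the firewall blocks. Returns labels of reachable endpoints."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()  # port is free again, so a connect to it is refused

    targets = [
        Endpoint("127.0.0.1", open_port, "db-leak"),
        Endpoint("127.0.0.1", closed_port, "db-blocked"),
    ]
    try:
        reachable = check_segmentation(targets, timeout=1.0)
    finally:
        listener.close()
    return [ep.label for ep in reachable]


if __name__ == "__main__":
    for label in run_local_demo():
        print("segmentation failure:", label)
```

Note the asymmetry in the probe: a timeout is reported as blocked, which is what you want for a firewall that drops silently, but a slow or rate-limited path can also time out and hide a real hole, so rerun anything borderline with a longer timeout before signing off on the segment.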


When do the assessed entities need to comply?
PCI DSS v3.0 took effect on 1 January 2014 and v2.0 is retired at the end of 2014, so assessments from 2015 onward are against v3.0. The new penetration testing requirements under 11.3 are treated as best practice until 30 June 2015 and become mandatory after that, which should give merchants, service providers and pen testers enough time to get ready!
 
