Does PCI DSS v4.0 require a pen test?

PCI DSS version 4.0 was released in March 2022, and all organizations that must comply with the standard have a deadline of March 31, 2024 to do so. So, what does the new version say about pen testing?

According to Requirement 11 of the Payment Card Industry Data Security Standard (PCI DSS), pen testing is required for organizations and entities that store, process, and/or transmit cardholder data.

PCI DSS requires pen testing and vulnerability scanning to keep systems secure and protect payment cardholder data. If your organization is a payment card service provider, then you will be required to perform a PCI pen test twice a year and a vulnerability scan four times a year. Additionally, organizations that have business-critical web applications that process payment card information may also be required to run additional tests and scans when any significant changes are made to the system.

So, what are the PCI DSS pen testing and vulnerability scanning requirements? Let’s discuss everything you need to know so that you can stay compliant, and keep your data secure.

PCI pen test vs PCI vulnerability scan

A PCI pen test is a type of security assessment that is designed to address vulnerabilities across the cardholder data environment (CDE) every six months. This includes network, infrastructure, and applications found inside and outside the organization’s environment.

On the other hand, a PCI vulnerability scan is a high-level test that automatically looks for potential vulnerabilities and reports them according to their level of severity. External IPs and domains that are exposed in the CDE have to be scanned by a PCI-approved scanning vendor at least once per quarter.

Both provide organizations with an assessment of how secure their CDE is, and help them remain compliant with the standard.

Difference between PCI pen test and PCI vulnerability scan

A vulnerability scan identifies and ranks vulnerabilities that could compromise an organization’s system, while a pen test exploits those vulnerabilities to test the resilience of the security measures in place.

There are also differences in how these tests are typically carried out. Vulnerability scans are run by automated tools, and their results must be verified manually. Pen testing, by contrast, is a manual process that sometimes incorporates automated tools to exploit vulnerabilities in the system and create reports.

The reports generated from a pen test will have a detailed description of the vulnerabilities and issues that were discovered including the risks that they pose to cardholder data. Reports from a vulnerability scan provide a ranked list of known vulnerabilities depending on their level of severity.

Finally, the last key difference between the two is the length of time it takes to complete each one. Vulnerability scans take only a few minutes to complete, while penetration testing may last days or weeks depending on the scope of an organization’s CDE.

PCI pen testing requirements

PCI DSS outlines specific requirements for companies that are required to run regular PCI pen tests and PCI vulnerability scans. System components, including custom software and processes, must be tested frequently to maintain the integrity of cardholder data over time, especially when changes are introduced to the system.

In the new version of the PCI DSS, the 11.3 requirements have moved to 11.4, but have remained relatively unchanged. The requirements state that companies must define, document, and implement a penetration testing methodology that includes:

  • Industry-accepted penetration testing approaches,
  • Coverage for the CDE and critical systems,
  • External and internal testing,
  • Testing to validate any segmentation and scope reduction controls,
  • Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in requirement 6.2.4,
  • Network-layer penetration tests that encompass all components that support network functions as well as operating systems,
  • Reviews and considerations of threats and vulnerabilities experienced in the last 12 months,
  • Documented approaches to assessing and addressing the risk posed by exploitable vulnerabilities found during penetration testing,
  • Retention of penetration testing results and remediation activities results for 12 months.

PCI pen tests must occur every six months for service providers and whenever significant changes are made to the system. But what constitutes a “significant change”? Some examples of significant changes that would require a subsequent pen test include:

  • The addition of any new hardware, software, or networking equipment.
  • Upgrading or replacing hardware and software.
  • Changes that affect the flow or storage of cardholder data.
  • Changes that affect the boundary of the CDE or the scope of your PCI DSS assessment.
  • Changes to supporting infrastructure like directory services, monitoring, and logging.
  • Any changes to third-party vendors or services that support the CDE.

PCI vulnerability scanning requirements

Vulnerability scanning is a crucial component of the PCI DSS requirements. Requirement 11.2 states that organizations must:

“Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. Address vulnerabilities and perform rescans as needed until passing scans are achieved. After passing a scan for initial PCI DSS compliance, an entity must, in subsequent years, complete four consecutive quarters of passing scans. Quarterly external scans must be performed by an Approved Scanning Vendor. Scans are conducted after network changes, and internal scans may be performed by internal staff.”

In short, organizations must perform internal and external PCI vulnerability scans every 90 days and must continue to rescan until a passing scan result is achieved.

What is a passing scan? Internal scans can’t have any high-risk vulnerabilities in the environment where cardholder data is stored and processed. External scans must be free of vulnerabilities that are assigned a CVSS base score of 4.0 or higher. Only scans whose highest severity result falls between 0.0 and 3.9 are considered passing.
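As an added example (not from the article or Outpost24), the following Python applies the pass/fail thresholds and the four-consecutive-quarters rule described above to a constructed scan history. The hosts, findings, scores and dates are hypothetical, and a failed scan followed by a passing rescan in the same quarter is treated as that quarter passing.

```python
from dataclasses import dataclass
from datetime import date
# Thresholds as the article states them: an external (ASV) scan fails on any finding
# with a CVSS base score >= 4.0; an internal scan fails on any high-risk finding.
EXTERNAL_FAIL_CVSS = 4.0

@dataclass
class Finding:
    host: str
    title: str
    cvss: float       # CVSS base score reported by the scanner
    high_risk: bool   # entity's own risk ranking, applied to internal scans

@dataclass
class ScanRun:
    scan_date: date
    external: bool    # True = ASV external scan, False = internal scan
    findings: list

def scan_passes(run: ScanRun) -> bool:
    if run.external:
        return all(f.cvss < EXTERNAL_FAIL_CVSS for f in run.findings)
    return not any(f.high_risk for f in run.findings)

def quarter_index(d: date) -> int:
    return d.year * 4 + (d.month - 1) // 3   # consecutive quarters differ by 1

def consecutive_passing_quarters(runs, external: bool, as_of: date) -> int:
    """Count quarters, ending with the one containing as_of, that each hold at
    least one passing scan of the given scope (rescans in-quarter count)."""
    passed = {quarter_index(r.scan_date) for r in runs
              if r.external == external and scan_passes(r)}
    qi, count = quarter_index(as_of), 0
    while qi in passed:
        count, qi = count + 1, qi - 1
    return count

def four_quarters_met(runs, as_of: date) -> dict:
    return {scope: consecutive_passing_quarters(runs, scope == "external", as_of) >= 4
            for scope in ("external", "internal")}

# Constructed sample history (hypothetical hosts and findings, not real scan data).
tls_weak = Finding("pay.example.test", "TLS 1.0 enabled", 5.3, True)
banner = Finding("pay.example.test", "Server banner disclosure", 2.6, False)
AS_OF = date(2023, 12, 15)
SAMPLE_RUNS = [
    ScanRun(date(2023, 1, 20), True, [tls_weak]),   # Q1 external fails (5.3 >= 4.0)
    ScanRun(date(2023, 2, 10), True, [banner]),     # Q1 rescan after the fix passes
    ScanRun(date(2023, 4, 12), True, [banner]), ScanRun(date(2023, 7, 14), True, []),
    ScanRun(date(2023, 10, 9), True, [banner]),
    ScanRun(date(2023, 4, 12), False, []),          # internal scans cover Q2-Q4 only
    ScanRun(date(2023, 7, 14), False, [banner]), ScanRun(date(2023, 10, 9), False, []),
]
```

Running `four_quarters_met(SAMPLE_RUNS, AS_OF)` reports the external scope as compliant and the internal scope as not, because the internal history only covers three quarters.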

Protect cardholder data and meet the PCI requirements

Pen testing and vulnerability scanning are necessary for PCI DSS compliance, and an effective way of minimizing vulnerabilities on systems that process sensitive data. Outpost24 is an Approved Scanning Vendor (ASV) and can help organizations verify and prove PCI DSS compliance. Additionally, we provide penetration testing services to test your organization’s network security posture, as well as a web application penetration testing as a service (PTaaS) solution to minimize risk and enforce a proactive security approach through continuous identification of risks and remedial outcomes.