A quick note about PCI DSS compliance and scanning vs. penetration testing and PCI DSS 11.2 and 11.3. Often (too often) when I’m talking with organizations about their PCI compliance, they respond that they’re already compliant and they already have someone doing their quarterly scanning for them. That’s great, I say! Then I ask about their internal/external Penetration Testing.

That often generates dead silence on the other end of the phone.

Yes, organizations that are PCI compliant (really compliant) are doing their quarterly internal/external vulnerability scanning and their internal/external Penetration Testing at least annually and after any significant infrastructure or application upgrade.

If you are scanning using an ASV (Approved Scanning Vendor), that’s great; keep doing it! You also need to be doing external/internal Penetration Testing, which means working with someone who is trained and qualified to do so. It doesn’t need to be a QSA (Qualified Security Assessor) or an ASV, but they do need to be qualified.

The Standard states: 11.3.b – Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organization independence of the tester exists.

Penetration tests differ from automated vulnerability scans in that efforts are focused on actually exploiting weaknesses with the intent of gaining access to the environment.

Vulnerability Scanning outlines the vulnerabilities, but Penetration Testing demonstrates how those vulnerabilities can be exploited to gain access.

And Penetration Testing requires people! It takes someone trained and qualified, not just an automated scan. If you’ve ever chatted with a trained Ethical Hacker, like we have on our team, you’ll fully understand the difference. They have some very creative ways of gaining access.

Nancy Sykora
Sr. Account Executive