PCI-DSS v3.2.1 Pentesting
Electronic payments continue to be a primary target for attackers across the globe. We see this firsthand in the systems we test at our customer sites. To combat this, the Payment Card Industry Security Standards Council has established the Data Security Standard (PCI-DSS), which requires periodic penetration testing of all in-scope assets, as covered in PCI-DSS Requirement 11.3. This is not the same as the vulnerability scanning you may also be required to perform (Requirement 11.2): a scan enumerates known weaknesses, while a penetration test attempts to exploit them. PCI penetration testing is usually restricted to the in-scope network segment, the cardholder data environment (CDE), and closely examines the systems that could access or alter cardholder data, as well as the segmentation controls that keep everything else out.
Pentesting standards in use or in transition until March 31, 2024
11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.3.3 Exploitable vulnerabilities found during penetration testing are corrected, and testing is repeated to verify the corrections.
11.3.4 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out-of-scope systems from systems in the CDE.
PCI-DSS v4 Pentesting
Raxis provides top-tier PCI pentest services designed to meet the PCI-DSS standards while working within aggressive business timelines. Though we are faster than our competition, we don't cut corners. Instead, we've streamlined our sales process, implemented faster scheduling, and developed a tried-and-true process for quality reviews. In addition, we include remediation testing with our PCI pentest package, which means we also provide the report you need to submit to your QSA.
Pentesting standards in use as of March 31, 2022
11.4.1 Define, document and implement a penetration testing methodology for internal and external testing that reviews and considers the threats and vulnerabilities experienced in the last 12 months.
11.4.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.4.3 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
11.4.4 Correct any exploitable findings from penetration testing activities as recommended and repeat penetration testing to verify the corrections.
11.4.5 If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out-of-scope systems from systems in the CDE.
11.4.6 For service providers, if segmentation is used to isolate the CDE from other networks, perform penetration tests at least every six months and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective and that they isolate all out-of-scope systems from systems in the CDE.
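The segmentation requirements above (11.3.4 under v3.2.1, 11.4.5 and 11.4.6 under v4) are the ones testers most often have to produce hard evidence for. As an added illustration, not part of the original page and not Raxis's own tooling, the script below is a reachability check that a tester runs from an out-of-scope host against a list of CDE addresses: every completed TCP handshake is a path from out of scope into the CDE that must either be a documented, justified exception or a finding. The addresses, ports and allowlist in it are constructed sample input, and the function names are this example's own. A connect check like this is only one piece of evidence; a segmentation test that satisfies the requirement also covers UDP and ICMP, the application layer, and attempts to pivot across the boundary, so treat a PASS here as "nothing obviously open", not as proof of isolation.

```python
"""Segmentation reachability check (added example).

Run FROM an out-of-scope host (e.g. the corporate LAN) AGAINST the CDE's
addresses. Any completed TCP handshake means a firewall/ACL let the SYN
through and a CDE system answered: a path across the segmentation boundary.
Hosts, ports and the allowlist below are constructed sample input.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Target:
    host: str
    port: int


def parse_targets(text: str) -> list[Target]:
    """Parse 'host:port' lines; blank lines and '#' comments are ignored."""
    targets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, sep, port = line.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"bad target line: {raw!r}")
        targets.append(Target(host, int(port)))
    return targets


def tcp_reachable(target: Target, timeout: float = 2.0) -> bool:
    """True only if a full TCP handshake completes (open and not filtered)."""
    try:
        with socket.create_connection((target.host, target.port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or filtered
        return False


def check_segmentation(
    targets: Iterable[Target],
    allowed: frozenset = frozenset(),
    probe: Callable[[Target], bool] = tcp_reachable,
) -> tuple[list[Target], list[Target]]:
    """Probe every CDE target from this (out-of-scope) host.

    Returns (findings, expected). Reachable targets that are not on the
    documented allowlist are findings. Reachable allowlisted targets are
    returned separately: the tester still has to confirm those exceptions
    (jump hosts, monitoring) are justified and compensated for.
    """
    findings, expected = [], []
    for t in targets:
        if probe(t):
            (expected if t in allowed else findings).append(t)
    return findings, expected


def verdict(findings: list[Target]) -> str:
    """Any undocumented reachable CDE service fails the segmentation check."""
    return "FAIL" if findings else "PASS"


# Constructed sample input: CDE address list plus the documented exceptions.
CDE_TARGETS = """
# payment switch and database must be unreachable from the corporate LAN
10.10.50.10:443
10.10.50.10:22
10.10.50.20:1433
10.10.50.20:3389
# jump host: SSH is a documented, MFA-protected exception
10.10.50.5:22
"""
ALLOWED = frozenset({Target("10.10.50.5", 22)})


if __name__ == "__main__":
    findings, expected = check_segmentation(parse_targets(CDE_TARGETS), ALLOWED)
    for t in expected:
        print(f"reachable (documented exception): {t.host}:{t.port}")
    for t in findings:
        print(f"FINDING: {t.host}:{t.port} reachable from out of scope")
    print(verdict(findings))
```

Keep the allowlist in the engagement's scoping document rather than in the script, and re-run the same target list after every segmentation change so the before/after results line up for the QSA. The `probe` parameter exists so the decision logic can be exercised with a stand-in before the live run.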