PCI DSS 3.0 New requirements — More demanding penetration testing

  • Team Omega
  • March 11, 2014

One of the high-priority requirements of PCI DSS 3.0 is rigorous penetration testing. The specific control is Requirement 11.3, which now calls for a documented, industry-accepted penetration testing methodology; its sub-requirement 11.3.4 covers segmentation testing. Retailers that rely on segmentation to reduce scope must follow a documented set of procedures to verify that the cardholder data environment (CDE) is in fact isolated from all other networks, and must repeat that verification at least annually and after any change to the segmentation controls.
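What a segmentation test actually does is simple to state: from every out-of-scope network, attempt to reach every CDE host on every port, and treat any successful connection as a finding, because a properly segmented CDE should be unreachable. The following is an added illustration, not code from the original article or from Omega ATC; the host addresses are constructed for the example, and the `probe` parameter is there so the logic can be exercised without a live network.

```python
"""Minimal PCI DSS 11.3.4-style segmentation check.

Run this from a host on each out-of-scope network segment. It attempts a
TCP connection to every CDE host on every port in the chosen range; any
completed handshake means traffic crossed the segmentation boundary.
"""
import socket
from typing import Callable, Iterable, List, Tuple

# Constructed sample CDE inventory for the example (not real addresses).
CDE_HOSTS = ["10.10.1.5", "10.10.1.6"]

# 11.3.4 expects all segmentation methods to be tested, so sample ports are
# not enough: sweep the full TCP range (slow, but that is the point).
FULL_TCP_RANGE = range(1, 65536)


def tcp_connect(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake completes, i.e. the port is reachable from here."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def check_segmentation(
    hosts: Iterable[str],
    ports: Iterable[int] = FULL_TCP_RANGE,
    probe: Callable[[str, int], bool] = tcp_connect,
) -> List[Tuple[str, int]]:
    """Return every (host, port) reachable across the boundary.

    `probe` is injectable (assumption for testability): in production it is
    the real tcp_connect, in a unit test it can be a stub.
    """
    findings: List[Tuple[str, int]] = []
    for host in hosts:
        for port in ports:
            if probe(host, port):
                findings.append((host, port))
    return findings


def segmentation_verdict(findings: List[Tuple[str, int]], segment: str) -> str:
    """Summarise the result for the assessor's evidence file."""
    if not findings:
        return f"PASS: no CDE host reachable from segment {segment}"
    listed = ", ".join(f"{h}:{p}" for h, p in findings)
    return f"FAIL: {len(findings)} CDE port(s) reachable from segment {segment}: {listed}"


if __name__ == "__main__":
    # Example run against the constructed inventory from the current host.
    hits = check_segmentation(CDE_HOSTS, range(1, 1025))
    print(segmentation_verdict(hits, "corporate LAN"))
```

A real engagement repeats this from each out-of-scope segment (and, for completeness, with UDP and ICMP probes as well), keeps the raw output as evidence, and treats every reachable port as a segmentation failure to be fixed and retested, not as an informational note.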

Previously, merchants who believed their CDE was correctly segmented often had never tested whether the segmentation controls actually worked. Under PCI DSS 3.0, merchants must follow a common, documented methodology, and Qualified Security Assessors (QSAs) will need to verify that everyone is indeed following the new guidelines and standards.

The cost of a proper penetration test will certainly rise, and that cost falls on the retailers. However, it also ensures that merchants holding sensitive data have taken appropriate measures to protect it.

For guidance on penetration testing, call Omega ATC at  636-557-7777.