Penetration tests should be a part of PCI compliance practices. Many organizations do it once a year at least, while some don’t worry about it at all. However, the PCI DSS standards explicity state that pen tests are a requirement.
The PCI Council has released a supplementary information package specifically addressing this requirement and also posting guidelines. PCI requirement 11.3 addresses some specifics for this test. “Penetration testing should include network and application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network”.
It need not be a QSA who performs the penetration tests. It can be done internally by a knowledgeable team unrelated to the environments being tested.
Documentation of processes and results will be most beneficial to the organization. Also, any vulnerabilities identified need to be addressed immediately, otherwise it defeats the purpose. The scope for the testing should be the cardholder data environment and the systems and networks associated with the environment.
For details, please refer to the PCI DSS requirements document posted on their site.
