11.4.3 External penetration testing is performed:
Defined Approach Requirements
11.4.3 External penetration testing is performed:
- Per the entity's defined methodology
- At least once every 12 months
- After any significant infrastructure or application upgrade or change
- By a qualified internal resource or qualified external third party
- Organizational independence of the tester exists (not required to be a QSA or ASV)
Customized Approach Objective
External system defenses are verified by technical testing according to the entity's defined methodology as frequently as needed to address evolving and new attacks and threats, and to ensure that significant changes do not introduce unknown vulnerabilities.
Defined Approach Testing Procedures
11.4.3.a Examine the scope of work and results from the most recent external penetration test to verify that penetration testing is performed according to all elements specified in this requirement.
11.4.3.b Interview personnel to verify that the external penetration test was performed by a qualified internal resource or qualified external third party and that organizational independence of the tester exists (not required to be a QSA or ASV).
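The testing procedures above reduce to a handful of checks against the entity's own records: the most recent test and the gaps between tests against the 12-month cadence, each significant change against the date of the next test, and the tester's qualification and independence. The script below is an added example of that evidence check, not PCI SSC material and not from any assessor tool; the record layout, the reading of "12 months" as 365 days, and the sample engagements and changes are all assumptions made for the example.

```python
"""Evidence check for PCI DSS 11.4.3 external penetration testing.

Added example (not PCI SSC material). Given the entity's own records of
external penetration tests and of infrastructure/application changes, it
reports which elements of 11.4.3 the records fail to evidence. The record
layout, the 365-day reading of "12 months" and the sample data are
assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PenTest:
    performed_on: date
    tester: str            # named internal resource or third party
    qualified: bool        # certifications/experience reviewed and accepted
    independent: bool      # organizationally independent of the system owners
    per_methodology: bool  # scope and results match the entity's defined methodology


@dataclass(frozen=True)
class Change:
    applied_on: date
    description: str
    significant: bool      # classified as significant by the entity's change process


MAX_INTERVAL_DAYS = 365    # assumption: "at least once every 12 months" read as 365 days


def check_11_4_3(tests, changes, today):
    """Return a list of findings; an empty list means every element is evidenced."""
    findings = []
    tests = sorted(tests, key=lambda t: t.performed_on)
    if not tests:
        return ["no external penetration test on record"]

    # Annual cadence: gaps between consecutive tests, and from the latest test to today.
    prev = None
    for t in tests:
        if prev is not None and (t.performed_on - prev.performed_on).days > MAX_INTERVAL_DAYS:
            findings.append(
                f"gap of more than 12 months between tests on {prev.performed_on} and {t.performed_on}"
            )
        prev = t
    latest = tests[-1]
    if (today - latest.performed_on).days > MAX_INTERVAL_DAYS:
        findings.append(f"latest test on {latest.performed_on} is older than 12 months")

    # Re-test after significant change: every significant change needs a test on or after its date.
    for c in changes:
        if c.significant and not any(t.performed_on >= c.applied_on for t in tests):
            findings.append(
                f"significant change on {c.applied_on} ({c.description}) has no subsequent test"
            )

    # Qualification, independence and methodology are judged on the most recent test.
    if not latest.qualified:
        findings.append(f"latest tester {latest.tester!r} not documented as qualified")
    if not latest.independent:
        findings.append(f"latest tester {latest.tester!r} lacks organizational independence")
    if not latest.per_methodology:
        findings.append("latest test not performed per the entity's defined methodology")
    return findings


# Constructed sample records (hypothetical engagements and changes, not real data).
SAMPLE_TESTS = [
    PenTest(date(2023, 3, 10), "Example Security Ltd", True, True, True),
    PenTest(date(2024, 2, 20), "Example Security Ltd", True, True, True),
]
SAMPLE_CHANGES = [
    Change(date(2024, 1, 15), "migrated web tier to new load balancer", True),
    Change(date(2024, 6, 3), "replaced Internet-facing payment API gateway", True),
    Change(date(2024, 7, 1), "routine TLS certificate renewal", False),
]


def run_sample(today_iso):
    """Run the check over the sample records as of an ISO date string."""
    return check_11_4_3(SAMPLE_TESTS, SAMPLE_CHANGES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in run_sample("2024-09-01"):
        print("FINDING:", finding)
```

As of 2024-09-01 the sample records evidence the cadence and the re-test after the January change, but the June gateway replacement has no test after it, which is the single finding printed. Moving the assessment date past February 2025 adds a second finding for the stale annual test. The check is deliberately conservative: a test that does not cover the changed component still counts as "subsequent", so scope review under 11.4.3.a remains a manual step.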
Purpose
Vulnerabilities in systems that face the Internet are a primary target for attackers and can lead to compromise of the entity's network and data. The purpose of penetration testing is to identify and exploit vulnerabilities that may exist in the entity's external-facing systems and networks. This helps the entity to determine whether its security controls are sufficient to prevent unauthorized access attempts.
A penetration test that finds nothing is typically indicative of shortcomings of the penetration tester, rather than being a positive reflection of the security posture of the entity.
Good Practice
Some considerations when choosing a qualified resource to perform penetration testing include:
- Specific penetration testing certifications, which may be an indication of the tester's skill level and competence.
- Prior experience conducting penetration testing—for example, the number of years of experience, and the type and scope of prior engagements can help confirm whether the tester's experience is appropriate for the needs of the engagement.
Further Information
Refer to the Information Supplement: Penetration Testing Guidance on the PCI SSC website for additional guidance.
Purpose
Ensure all IDS/IPS alerts are responded to promptly.
Compliance Strategies
- Incident response playbooks
- Alert escalation
Typical Policies
- IDS/IPS Alert Handling Procedures
Common Pitfalls
- No response to alerts
- Delayed incident handling
Type
Process Control
Difficulty
Moderate
Key Risks
- Uncontained security incidents
Recommendations
- Automate alert escalation and tracking
Eligible SAQ
- SAQ-A-EP
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER