WithPCI.com

A3.2.5.1 Data discovery methods are confirmed as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

A3.2.5.1 Data discovery methods are confirmed as follows:

  • Effectiveness of methods is tested.
  • Methods are able to discover cleartext PAN on all types of system components and file formats in use.
  • The effectiveness of data-discovery methods is confirmed at least once every 12 months.

PCI DSS Reference: Scope of PCI DSS Requirements

Customized Approach Objective

This requirement is not eligible for the customized approach.

Defined Approach Testing Procedures

A3.2.5.1.a Interview personnel and review documentation to verify:

  • The entity has a process in place to test the effectiveness of methods used for data discovery.
  • The process includes verifying the methods are able to discover cleartext PAN on all types of system components and file formats in use.

A3.2.5.1.b Examine the results of effectiveness tests to verify that the effectiveness of data-discovery methods is confirmed at least once every 12 months.

Purpose

A process to test the effectiveness of the methods used for data discovery ensures the completeness and accuracy of account data detection.

Good Practice

For completeness, system components in the in-scope networks, and systems in out-of-scope networks, should be included in the data-discovery process.

The data-discovery process should be effective on all operating systems and platforms in use. Accuracy can be tested by placing test PANs on system components and file formats in use and confirming that the data-discovery method detected the test PANs.
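The accuracy check described above, as an added example that is not from WithPCI or the PCI SSC: it seeds publicly known test card numbers into several file formats (plain text, CSV, JSON and a gzip-compressed log, all constructed fixtures), runs a hypothetical regex-plus-Luhn discovery method over each file, and reports which seeds were missed. Running it with and without the decompression step shows how a method can pass on most formats yet silently miss one in use.

```python
import gzip, json, os, re

# Publicly known test card numbers used as seeds (constructed fixtures, not real accounts).
TEST_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]
# Candidate PAN: 13-19 digits with optional single space/dash separators, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that rejects random digit runs which merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(data: bytes) -> set:
    """The discovery method under test (hypothetical): regex candidates filtered by Luhn."""
    text = data.decode("utf-8", errors="ignore")
    cands = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
    return {c for c in cands if luhn_ok(c)}

def seed_files(root: str) -> dict:
    """Plant a test PAN in each file format in use; returns {path: expected PAN}."""
    files = {
        "notes.txt": (f"customer callback, card {TEST_PANS[0]}\n".encode(), TEST_PANS[0]),
        "export.csv": (b"name,card\nA. Test,5555 5555 5555 4444\n", TEST_PANS[1]),
        "batch.json": (json.dumps({"txn": 1, "pan": TEST_PANS[2]}).encode(), TEST_PANS[2]),
        "archive.log.gz": (gzip.compress(f"auth ok pan={TEST_PANS[0]}\n".encode()), TEST_PANS[0]),
    }
    seeded = {}
    for name, (blob, pan) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(blob)
        seeded[path] = pan
    return seeded

def run_effectiveness_test(root: str, decompress: bool) -> dict:
    """Seed, scan each file with the method under test, and report which seeds it missed."""
    seeded = seed_files(root)
    missed = []
    for path, pan in seeded.items():
        with open(path, "rb") as f:
            raw = f.read()
        if decompress and path.endswith(".gz"):
            raw = gzip.decompress(raw)  # without this step the compressed seed is invisible
        if pan not in find_pans(raw):
            missed.append(os.path.basename(path))
    return {"seeded": len(seeded), "detected": len(seeded) - len(missed), "missed": sorted(missed)}
```

Call `run_effectiveness_test` on an empty scratch directory; the returned `missed` list is the evidence to retain for the annual confirmation, and any non-empty result means a format in use is not covered.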

Purpose

Designated Entities must perform penetration testing after significant changes.

Compliance Strategies

  • Change-driven penetration testing
  • Test documentation

Typical Policies

  • Penetration Testing Policy

Common Pitfalls

  • Missed tests after changes

Type

Technical/Process Control

Difficulty

High

Key Risks

  • Unidentified vulnerabilities after changes

Recommendations

  • Automate test scheduling after changes
