An overview of the changes & enhancements in Requirement 11.3
While PCI DSS has required penetration testing for quite some time, the soon-to-be-mandatory PCI 3.0 has made a few changes to how penetration testing should be done, and where/when it is needed.
Changes and Enhancements to 11.3
11.3, the overall rule that covers the need for penetration testing, has been changed to specify how the tests are performed. In particular, the 3.0 version adds guidelines for creating a methodology for the tests, which QSAs are now required to evaluate as part of a PCI audit. This methodology needs to be based on industry standard approaches and cover the entire Cardholder Data Environment (CDE), specify that tests come from both inside and outside the network, and validate any segmentation/scope-reduction controls. The methodology must define application-layer tests to include any of the vulnerabilities listed in 6.5, while also defining network-layer tests to include components that support network functions and operating systems. These new methodologies must also review and consider any threats and vulnerabilities from the year prior to the penetration test, and specify how the results of the tests and remediation activities are obtained.
While that seems like a lot, these requirements do reflect the best practices of penetration testing methodology. While PCI 2.0 did require penetration tests, the methodology for those tests was never specified, leading to many improperly administered tests.
In addition, the internal and external penetration tests that had previously been a part of PCI 2.0 11.3 were split in PCI 3.0 into 11.3.1 and 11.3.2. Though the timing requirements (annual or after significant upgrading) of internal and external tests has not changed, the split into two separate segments allows QSAs to evaluate each test on their own.
11.3.3 seems like a new requirement, but is mostly a rephrasing and clarification of PCI 2.0′s 11.3.b. This rule requires the verification that any identified vulnerabilities found during penetration tests have been addressed by a QSA.
Finally, in the first entirely new section of the PCI penetration testing standard, 11.3.4 requires that if network segmentation is used to isolate the CDE from other parts of the network, penetration tests have to be used to assess whether the segmentation is effective in isolating all out-of-scope systems from in-scope systems. Penetration tests now have to be used annually (or if any significant changes happen to the segmentation methodology) to ensure that the CDE is properly separated from the rest of the network. This new requirement means that any company wishing to be PCI compliant will need to examine their network segmentation strategy carefully and adjust to meet the demands of PCI 3.0.
What does the new 11.3 mean for me?
The new 11.3 is much more complicated than the one found in PCI 2.0, so it’s understandable that readers could feel intimidated by the scope of the new requirement. However, the new 11.3 is built to encourage greater network security, so compliance with the new standards should help make companies more secure and better protect customer information. The methodology requirement is complicated, but the key take away is that the PCI Council is working to eliminate the sort of fly-by-night penetration tests that don’t properly assess the security of a system. Any effective penetration testing personnel should be able to help your company establish and maintain a methodology based on the PCI requirements, and those that cannot are not worth using. 11.3.1 through 11.3.3 are simply clarifications on previously existing PCI requirements, and should not cause you to drastically alter your PCI compliance efforts.
11.3.4 is a big change, but again, one that should hopefully lead to better security postures among PCI-compliant companies. As any penetration tester can tell you, improper network segmentation can be a major vulnerability in any network, allowing attackers to gain incredible amounts of access, often from a single successful entry point. By performing tests on the separation of the CDE from other systems, this requirement is aimed at limiting the success of any attacker hoping to get important confidential data from improper segmentation. For many companies working towards PCI compliance, 11.3.4 may require some significant work to properly implement and test their network segmentation, as the segmentation for each company will be different.
While PCI 3.0’s changes in penetration testing are significant, the good news for companies seeking compliance is that the requirements are currently recommendations only. However, as of July 15th, 2015, 11.3 becomes a requirement, giving companies six months to prepare their methodologies and segmentations.