PCI DSS 11.3 – Penetration testing methodology
Typically, SME’s will organise for an annual external and internal penetration test to be performed by a suitably qualified external organisation (and after any significant infrastructure or application upgrade or modification).
The penetration testing requirements are more comprehensive in PCI v3 than they were in v2, for example, the penetration testing company must test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.
They must also share their penetration testing methodology in use in the provided report. There are many different penetration testing methodologies, such as NIST SP800-115 referenced in the standard. Others include those provided by SANS, CREST, CEH and OSCP.
Some organisations choose to get an internal resource certified by one of these bodies and then complete the required penetration test internally.
In terms of tools that are used, penetration testers typically use the same tools as outlined in 11.2 as well as platforms such as Kali Linux which includes exploitation frameworks such as Metasploit and the Browser Exploitation Framework (BEEF).
For organisations that choose to assign the task of penetration testing to an internal resource, there are many great books and resources on penetration testing including the following:
• Web application hacker’s handbook
• The Hackers Playbook
• Penetration Testing: A Hands-on Introduction to Hacking
• Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
• Metasploit: The Penetration Tester’s Guide
There are also many vulnerable test applications that can be used for learning purposes. A good list of these applications is available here: