PCI DSS v3.2.1 requirement 11.3

Earlier in this chapter, I mentioned that the PCI DSS comprises 6 goals and 12 requirements. The official PCI DSS v3.2.1 Quick Reference Guide provides a summary of all 12 requirements to be satisfied, and can be downloaded at https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf?agreement=true&time=1535479943356. In this section, we focus on the penetration testing elements of the PCI DSS assessment under Requirement 11: Regularly test security systems and processes, which falls under Goal 5: Regularly Monitoring and Testing Networks.

Requirement 11.3 is based on implementing a penetration testing methodology such as the suggested NIST SP800-115 Technical Guide to Information Security Testing and Assessment. Although published in 2008, NIST SP800-115 provides tried-and-trusted techniques and best practices for scoping and executing penetration tests, and should be used as a guide when considering or creating a methodology for penetration testing.

Requirement 11.3.1 focuses on performing an external penetration test. This should be done annually or after any influential and significant upgrade within the organization, such as the upgrade of servers, backbone applications, switches, routers, firewalls, cloud migrations, or even an upgrade of operating systems within the environment. External penetration testing should be carried out by qualified and experienced personnel or third parties.

Requirement 11.3.2 focuses on internal penetration testing. As with requirement 11.3.1, the internal penetration test should be performed annually and also carried out by a qualified and experienced individual or third party.

Requirement 11.3.3 serves as more of an analytical rather than a technical requirement, in that it involves the analysis of internal and external penetration tests to ensure mitigation of revealed vulnerabilities and exploits.

Requirement 11.4 defines segmentation within the scope of the methodology. When determining the scope of the assessment (as we will see in the following section), it is strongly recommended that segmentation be used in an effort to reduce the scope itself, since not every system within the network or CDE will need to be assessed. This type of network isolation can be done using firewalls and access-control list configurations in routers.
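The paragraph above says segmentation via firewall and router ACLs is what keeps out-of-scope systems out of the assessment. A scoping exercise therefore needs a way to check, from the rule set alone, which non-CDE networks still have a permitted path into the CDE (and so remain in scope) and whether each CDE network is protected by an explicit default deny. The script below is an added example and is not code from the book or from the PCI SSC; the five-field ACL format, the addresses, the rule set and the `CDE_NETWORKS` list are all constructed for illustration, and it applies first-match-wins semantics as most ACL implementations do.

```python
"""Offline review of a simplified firewall/router ACL: which out-of-scope
networks can still reach the cardholder data environment (CDE), and which
CDE networks lack an explicit default deny. Added example; the ACL format,
addresses and rules are constructed and are not any vendor's real syntax."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed in-scope (CDE) networks for the example.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/24"),
                ipaddress.ip_network("10.10.1.0/24")]

# Constructed ACL: "<action> <src> <dst> <proto> <port>", first match wins.
SAMPLE_ACL = """
permit 10.20.0.0/24 10.10.0.0/24 tcp 443     # web tier -> CDE API
permit 10.30.5.0/24 10.10.1.0/24 any any     # jump hosts -> CDE DB network
deny   any          10.10.0.0/24 any any     # default deny for one CDE net
permit 10.40.0.0/16 10.10.0.0/24 tcp 22      # never fires: shadowed by the deny
permit 10.10.0.0/24 10.20.0.0/24 tcp 1433    # CDE -> outside, not ingress
"""


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # 0.0.0.0/0 represents "any"
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    port: str                    # port number as text, or "any"


def _net(token: str) -> ipaddress.IPv4Network:
    """Turn an ACL address token into a network; 'any' means all addresses."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_acl(text: str) -> list[Rule]:
    """Parse the constructed five-field format, keeping rule order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"malformed ACL line: {raw!r}")
        action, src, dst, proto, port = parts
        rules.append(Rule(action, _net(src), _net(dst), proto.lower(), port.lower()))
    return rules


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.port in ("any", inner.port))


def is_shadowed(rules: list[Rule], index: int) -> bool:
    """First-match semantics: a rule never fires if an earlier rule covers it."""
    return any(_covers(earlier, rules[index]) for earlier in rules[:index])


def find_cde_ingress(rules: list[Rule], cde_networks) -> list[Rule]:
    """Live permit rules that let a non-CDE source reach a CDE network.
    Each hit is a path that keeps the source network inside the assessment scope."""
    hits = []
    for i, rule in enumerate(rules):
        if rule.action != "permit" or is_shadowed(rules, i):
            continue
        reaches_cde = any(rule.dst.overlaps(n) for n in cde_networks)
        src_in_cde = any(rule.src.subnet_of(n) for n in cde_networks)
        if reaches_cde and not src_in_cde:
            hits.append(rule)
    return hits


def missing_default_deny(rules: list[Rule], cde_networks) -> list:
    """CDE networks not covered by an explicit 'deny any <dst> any any' rule."""
    return [n for n in cde_networks
            if not any(r.action == "deny" and r.src.prefixlen == 0
                       and n.subnet_of(r.dst)
                       and r.proto == "any" and r.port == "any"
                       for r in rules)]


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for r in find_cde_ingress(rules, CDE_NETWORKS):
        print(f"in scope via ACL: {r.src} -> {r.dst} {r.proto}/{r.port}")
    for n in missing_default_deny(rules, CDE_NETWORKS):
        print(f"no explicit default deny protecting {n}")
```

Run against the constructed rule set, the review reports the web tier and jump-host networks as in scope (they have live permitted paths into the CDE), ignores the SSH rule that the earlier default deny shadows, and flags 10.10.1.0/24 as having no explicit default deny. The shadow check matters: a permit that sits below a broader deny looks alarming in a rule dump but never fires, while the reverse ordering is the real scoping problem.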
