Comparison of PCI DSS 3.2.1 and 4.0 penetration testing requirements

Leave a Comment

The current version 3.2.1 and the newer version 4.0 of the security standard PCI DSS require penetration tests to be performed. The PCI standard establishes detailed requirements a penetration test needs to comply with. In PCI DSS 3.2.1, the requirement is regulated in Requirement 11.3 and in PCI DSS 4.0 in Requirement 11.4.

These requirements are basically identical in both versions 3.2.1 and 4.0:

  • based on industry-accepted penetration testing approaches
  • coverage of entire CDE perimeter and critical systems
  • testing from both inside and outside the network
  • validation of any segmentation and scope-reducting controls
  • testing network-layer and application-layer
  • including review and consideration of threats and vulnerabilities experienced last 12 month
  • perform external, internal and segmentation testing every 12 month and after any significant change
  • service provider only needs to perform segmenation testing every 6 month

There are two topics where both standards diverge, while PCI 4.0 has the more mature version. So PCI 4.0 has a slightly different approach for its requirements on the application layer penetration test:

  • PCI v3.2.1 includes requirement 6.5 for application layer testing to check for:
    • injection flaws (e.g. SQL, LDAP, OS Commant, XPath)
    • buffer overflows
    • insecure crypto storage, insecure communications
    • improper error handling
    • XSS
    • improper access controls
    • CSRF
    • broken authentication and session management
    • also include the current best practices (e.g. OWASP Top 10)
  • PCI v4.0: including requirement 6.2.4 for application layer testing to perform at least:
    • injection attacks (including SQL, LDAP, XPath, command parameters, object fault or injectiontype flaws)
    • attacks on data and data structures (for example manipulating buffers, input data)
    • attacks on cryptography usage
    • attacks on business logic including XSS and CSRF
    • attacks on access control mechanisms

In PCI 4.0 the segmentation test also needs to include confirming the effectiveness of any use of isolation techniques for different security levels (see requirement 2.2.3).

Of course, the applied penetration testing approach needs to include fixing and re-testing any relevant vulnerabilities previously identified independently of the PCI standard’s version.

Leave a Reply

Your email address will not be published. Required fields are marked *