Comparison of PCI DSS 3.2.1 and 4.0 penetration testing requirements

The current version 3.2.1 and the newer version 4.0 of the PCI DSS security standard both require penetration tests to be performed. The PCI standard establishes detailed requirements that a penetration test needs to comply with. In PCI DSS 3.2.1, this is regulated in Requirement 11.3; in PCI DSS 4.0, in Requirement 11.4. These requirements … [Read more…]

PCI DSS 3.0 – Requirement 6.6 (WAF): Monitoring Only – “Is configured to either block web-based attacks, or generate an alert.”

Today I was working on a presentation about PCI DSS 3.0. Since a major client of mine is an international payment service provider processing credit card transactions, I am quite familiar with PCI DSS 2.0. I had already read the new standard a few months ago, but today I stumbled upon an interesting sentence in … [Read more…]