{"id":3289,"date":"2022-06-02T10:48:58","date_gmt":"2022-06-02T08:48:58","guid":{"rendered":"https:\/\/security.sauer.ninja\/?p=3289"},"modified":"2022-06-10T10:03:13","modified_gmt":"2022-06-10T08:03:13","slug":"comparison-of-pci-dss-3-2-1-and-4-0-penetration-testing-requirements","status":"publish","type":"post","link":"https:\/\/security.sauer.ninja\/en\/pci-dss\/comparison-of-pci-dss-3-2-1-and-4-0-penetration-testing-requirements\/","title":{"rendered":"Comparison of PCI DSS 3.2.1 and 4.0 penetration testing requirements"},"content":{"rendered":"\n<p>Both the current version 3.2.1 and the newer version 4.0 of the PCI DSS security standard require penetration tests to be performed. The standard establishes detailed requirements that a penetration test needs to comply with. In PCI DSS 3.2.1 this is regulated in Requirement 11.3, in PCI DSS 4.0 in Requirement 11.4.<\/p>\n\n\n\n<p>The following requirements are essentially identical in versions 3.2.1 and 4.0:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>based on industry-accepted penetration testing approaches<\/li><li>coverage of the entire CDE perimeter and critical systems<\/li><li>testing from both inside and outside the network<\/li><li>validation of any segmentation and scope-reducing controls<\/li><li>testing of the network layer and the application layer<\/li><li>review and consideration of threats and vulnerabilities experienced in the last 12 months<\/li><li>external, internal and segmentation testing at least every 12 months and after any significant change<\/li><li>service providers only: segmentation testing at least every 6 months<\/li><\/ul>\n\n\n\n<p>There are two topics where the standards diverge, with PCI DSS 4.0 having the more mature wording. First, PCI DSS 4.0 takes a slightly different approach to its requirements for application-layer penetration testing:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>PCI DSS v3.2.1 refers to Requirement 6.5 for application-layer testing, which checks for:<ul><li>injection flaws (e.g. SQL, LDAP, OS command, XPath)<\/li><li>buffer overflows<\/li><li>insecure cryptographic storage, insecure communications<\/li><li>improper error handling<\/li><li>XSS<\/li><li>improper access controls<\/li><li>CSRF<\/li><li>broken authentication and session management<\/li><li>plus current best practices (e.g. OWASP Top 10)<\/li><\/ul><\/li><li>PCI DSS v4.0 refers to Requirement 6.2.4 for application-layer testing, which at least covers:<ul><li>injection attacks (including SQL, LDAP, XPath, command, parameter, object, fault or other injection-type flaws)<\/li><li>attacks on data and data structures (for example manipulating buffers or input data)<\/li><li>attacks on cryptography usage<\/li><li>attacks on business logic, including XSS and CSRF<\/li><li>attacks on access control mechanisms<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>Second, in PCI DSS 4.0 the segmentation test also needs to confirm the effectiveness of any isolation techniques used to separate systems of different security levels (see Requirement 2.2.3).<\/p>\n\n\n\n<p>Regardless of the PCI DSS version, the applied penetration testing approach of course needs to include fixing any relevant vulnerabilities identified and re-testing to verify that the fixes are effective.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The current version 3.2.1 and the newer version 4.0 of the security standard PCI DSS require penetration tests to be performed. The PCI standard establishes detailed requirements a penetration test needs to comply with. In PCI DSS 3.2.1, the requirement is regulated in Requirement 11.3 and in PCI DSS 4.0 in Requirement 11.4. 
These requirements &#8230; <span class=\"more\"><a class=\"more-link\" href=\"https:\/\/security.sauer.ninja\/en\/pci-dss\/comparison-of-pci-dss-3-2-1-and-4-0-penetration-testing-requirements\/\">[Read more&#8230;]<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,215],"tags":[271,276,277],"class_list":{"0":"entry","1":"post","2":"publish","3":"author-psauer","4":"post-3289","6":"format-standard","7":"category-pci-dss","8":"category-pcidss","9":"post_tag-owasp-top-10","10":"post_tag-pci-dss-3-2-1","11":"post_tag-pci-dss-4-0"},"_links":{"self":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/3289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/comments?post=3289"}],"version-history":[{"count":7,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/3289\/revisions"}],"predecessor-version":[{"id":3296,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/posts\/3289\/revisions\/3296"}],"wp:attachment":[{"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/media?parent=3289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/categories?post=3289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/security.sauer.ninja\/en\/wp-json\/wp\/v2\/tags?post=3289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}