Overview
Organizations that handle credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Understanding the standard, and what an organization specifically must do to comply with it, can be challenging. This article focuses on which PCI DSS requirements call for security testing, and on the Self-Assessment Questionnaire (SAQ), since questions about the testing requirements most often come up while completing an SAQ.
The security testing required depends on which SAQ the organization is completing.
Penetration testing is not required for SAQs A, B, B-IP, C-VT, and P2PE.
Some security testing is required for SAQs A-EP, C, and D.
SAQ A-EP
This SAQ is used by e-commerce merchants whose websites do not themselves receive cardholder data but do affect the security of the payment transaction. Requirements include:
- External vulnerability scans (11.2) must be performed quarterly and after any significant architectural changes by an approved scanning vendor (ASV)
- External penetration testing (11.3.1) must be performed yearly and after any significant architectural changes by an independent and qualified internal resource or a qualified third-party
- Internal segmentation validation testing (11.3.4) must be performed every six months and after any significant architectural changes
SAQ C
This SAQ is used by merchants who do not store cardholder data on any computer system and who process cardholder data through a point-of-sale system or other payment application system connected to the Internet. Requirements include:
- External vulnerability scans (11.2) must be performed quarterly and after any significant architectural changes by an approved scanning vendor (ASV)
- Internal vulnerability scans (11.2) must be performed quarterly and after any significant architectural changes by a qualified internal resource or independent third-party
- Internal segmentation testing (11.3.4) must be performed every six months and after any significant architectural changes
SAQ D
This SAQ is used by organizations that do not meet the criteria of any other SAQ, or that store cardholder data electronically. Requirements include:
- External vulnerability scans (11.2) must be performed quarterly and after any significant architectural changes by an approved scanning vendor (ASV)
- Internal vulnerability scans (11.2) must be performed quarterly and after any significant architectural changes by a qualified internal resource or independent third-party
- External penetration testing (11.3.1) must be performed yearly and after any significant architectural changes by an independent and qualified internal resource or a qualified third-party
- Internal penetration testing (11.3.1) must be performed yearly and after any significant architectural changes by an independent and qualified internal resource or a qualified third-party
- Internal segmentation testing (11.3.4) must be performed every six months and after any significant architectural changes
Note that the above is not a comprehensive list of every testing requirement in the PCI DSS. Always consult the official PCI DSS documentation to ensure compliance with all of the requirements that apply to your organization.
About the Author
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.