[PCI DSS 3.0] 11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification

11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.1.a Examine the scope of work and results from the most recent external penetration test to verify that penetration testing is performed as follows:
• Per the defined methodology
• At least annually
• After any significant changes to the environment.

11.3.1.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

Penetration testing conducted on a regular basis and after significant changes to the environment is a proactive security measure that helps minimize potential access to the CDE by malicious individuals.
The determination of what constitutes a significant upgrade or modification is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. Performing penetration tests after network upgrades and modifications provides assurance that the controls assumed to be in place are still working effectively after the upgrade or modification.

The PCI-DSS 3.1 Requirements are a great baseline for keeping any merchant more secure and minimizing their risk of a data breach. It is urgent that a merchant perform penetration testing on their systems after any changes to operating systems or applications, or when adding or removing computers and devices from their network. This is the top step that many of our clients who have experienced data breaches have failed to take. The cost of preventative testing such as penetration testing is pennies compared to the costs incurred in a data breach, not to mention the brand damage that companies experience.

Scott D.
Cyber Security Agency