PCI DSS v4.0 Vulnerability Scanning and Penetration Testing Requirements

Organizations seeking PCI DSS certification must comply with the new 4.0 version of the standard, which includes vulnerability scan and penetration test requirements. PCI DSS v4.0 vulnerability scanning and penetration testing requirements vary among the different Self-Assessment Questionnaires (SAQs). Some of those requirements have changed from the 3.2.1 version.

Here is a breakdown of the security controls related to vulnerability scanning, penetration testing, and segmentation testing in each SAQ under PCI DSS 4.0.

SAQ-A

SAQ-A applies to e-commerce and mail/telephone-order merchants that have outsourced all their storage, processing, and transmitting of cardholder data.

Vulnerability Scanning

11.3.2 (New for this SAQ in 4.0) External vulnerability scans are performed as follows:

• At least once every three months.
• By PCI SSC Approved Scanning Vendor (ASV).
• Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met.
• Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.

11.3.2.1 (New for this SAQ in 4.0) External vulnerability scans are performed after any significant change as follows:

• Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved.
• Rescans are conducted as needed.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV)

Penetration Testing, Segmentation Testing

SAQ-A does not have any penetration testing or segmentation testing requirements.

SAQ A-EP

SAQ A-EP applies to e-commerce merchants that partially outsource their storage, processing, and transmitting of cardholder data and have websites that do not receive account data but can affect the security of the payment transaction.

Vulnerability Scanning

SAQ A-EP contains the same vulnerability scan requirements as SAQ-A listed above.

Penetration Testing

11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity, and includes: 

• Industry-accepted penetration testing approaches.
• Coverage for the entire CDE perimeter and critical systems. 
• Testing from both inside and outside the network. 
• Testing to validate any segmentation and scope-reduction controls. 
• Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2.4. 
• Network-layer penetration tests that encompass all components that support network functions as well as operating systems. 
• Review and consideration of threats and vulnerabilities experienced in the last 12 months. 
• Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing. 
• Retention of penetration testing results and remediation activities results for at least 12 months.

11.4.3 External penetration testing is performed:

• Per the entity’s defined methodology.
• At least once every 12 months.
• After any significant infrastructure or application upgrade or change.
• By a qualified internal resource or qualified external third-party.
• Organizational independence of the tester exists (not required to be a QSA or ASV).

11.4.4 Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows:

• In accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.3.1.
• Penetration testing is repeated to verify the corrections.

Segmentation Testing

11.4.5 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:

• At least once every 12 months and after any changes to segmentation controls/methods. 
• Covering all segmentation controls/methods in use.
• According to the entity’s defined penetration testing methodology.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.
• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).
• Performed by a qualified internal resource or qualified external third party.
• Organizational independence of the tester exists (not required to be a QSA or ASV).

SAQ-B

SAQ-B applies to merchants that process account data only via imprint machines or standalone, dial-out terminals. SAQ B merchants may be either brick-and-mortar (card-present) or mail/telephone order (card-not-present) merchants, and do not store account data on any computer system.

Vulnerability scanning, penetration testing, and segmentation testing are not required within SAQ-B.

SAQ B-IP

SAQ B-IP applies to merchants that process account data only via standalone PIN Transaction Security (PTS) point-of-interaction (POI) devices with an IP connection to the payment processor. E-commerce merchants cannot utilize this SAQ.

Vulnerability Scanning, Penetration Testing

The only vulnerability scanning requirement in SAQ B-IP is control 11.3.2, which was detailed above in the SAQ-A section.

There are no penetration testing requirements within SAQ B-IP.

Segmentation Testing

SAQ B-IP does contain control 11.4.5, but slightly modified from other SAQs, it reads:

If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:

• At least once every 12 months and after any changes to segmentation controls/methods. 
• Covering all segmentation controls/methods in use.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.
• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).
• Performed by a qualified internal resource or qualified external third party.
• Organizational independence of the tester exists (not required to be a QSA or ASV).

SAQ C

SAQ C applies to merchants with payment application systems connected to the Internet that do not store electronic account data. This SAQ does not apply to e-commerce merchants.

Vulnerability Scanning

11.3.1 Internal vulnerability scans are performed as follows:

• At least once every three months.
• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
• Rescans are performed that confirm all high-risk and critical vulnerabilities as noted above) have been resolved.
• Scan tool is kept up to date with the latest vulnerability information.
• Scans are performed by qualified personnel and organizational independence of the tester exists.

11.3.1.3 Internal vulnerability scans are performed after any significant change as follows:

• High-risk and critical vulnerabilities (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are resolved.
• Rescans are conducted as needed.
• Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV).

11.3.2 Same as detailed in SAQs above.

11.3.2.1 Same as detailed in SAQs above.

Penetration Testing, Segmentation Testing

SAQ C does not have penetration testing requirements. It does include the same version of the segmentation testing control 11.4.5 found in SAQ B-IP.

SAQ C-VT

SAQ C-VT applies to merchants that process account data only via third-party virtual payment terminal solutions on an isolated computing device connected to the Internet.

Vulnerability scanning, penetration testing, and segmentation testing are not required within SAQ C-VT. Additionally, the segmentation testing requirement was removed from SAQ C-VT for PCI DSS 4.0.

SAQ-D for Merchants

SAQ-D for Merchants applies to businesses that are eligible for an SAQ but don’t meet the criteria for any other SAQ type. Examples include E-commerce merchants and merchants that electronically store cardholder data.

Vulnerability Scanning

11.3.1 Same as described in other SAQs

11.3.1.1 (New to PCI DSS 4.0) All other applicable vulnerabilities (those not ranked as high-risk or critical (per the entity’s vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows:

• Addressed based on the risk defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.
• Rescans are conducted as needed.

11.3.1.2 (New to PCI DSS 4.0) Internal vulnerability scans are performed via authenticated scanning as follows: 

• Systems that are unable to accept credentials for authenticated scanning are documented.
• Sufficient privileges are used for those systems that accept credentials for scanning.
• If accounts used for authenticated scanning can be used for interactive login, they are managed in accordance with Requirement 8.2.2.

11.3.1.3 Same as in SAQ C

11.3.2 Same as detailed in SAQs above.

11.3.2.1 Same as detailed in SAQs above.

Penetration Testing, Segmentation Testing

11.4.1 Same as detailed in SAQs above.

11.4.2 Internal penetration testing is performed:

• Per the entity’s defined methodology.
• At least once every 12 months.
• After any significant infrastructure or application upgrade or change.
• By a qualified internal resource or qualified external third-party
• Organizational independence of the tester exists (not required to be a QSA or ASV).

11.4.3 Same as detailed in SAQs above.

11.4.4 Same as detailed in SAQs above.

SAQ-D for Merchants includes the same version of the segmentation testing control 11.4.5 found in SAQ A-EP.

SAQ-D for Service Providers

SAQ for Service Providers is the only SAQ option for service providers.

SAQ for Service Providers has identical vulnerability scan requirements as SAQ-D for Merchants. The penetration testing requirements are also the same as SAQ-D for Merchants except this SAQ includes control 11.4.7 which is new to PCI DSS 4.0 and only applies to multi-tenant service providers, it reads:

“Multi-tenant service providers support their customers for external penetration testing per Requirement 11.4.3 and 11.4.4.“

Segmentation requirements include 11.4.5, which is in several other SAQs and is detailed above. Additionally, SAQ for Service Providers includes control 11.4.6, which states:

If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows:

• At least once every six months and after any changes to segmentation controls/methods. 
• Covering all segmentation controls/methods in use.
• According to the entity’s defined penetration testing methodology.
• Confirming that the segmentation controls/methods are operational and effective, and isolate the CDE from all out-of-scope systems.
• Confirming effectiveness of any use of isolation to separate systems with differing security levels (see Requirement 2.2.3).
• Performed by a qualified internal resource or qualified external third party.
• Organizational independence of the tester exists (not required to be a QSA or ASV).

CompliancePoint is an authorized QSA. We have partnered with organizations across multiple industries to help guide them to a successful PCI DSS certification. Contact us at connect@compliancepoint.com to learn more about our PCI services. Be sure to check out the additional PCI DSS 4.0 content below.

PCI DSS 4.0 Resources

Webinar

Preparing for PCI DSS v4.0 Assessments

Podcasts

The Major Changes in PCI DSS v4.0
Transitioning to PCI DSS v4.0

Blogs

What’s New with PCI DSS v4.0
10 Steps to Prepare for PCI DSS 4.0
PCI DSS v4.0 now Required for all Assessments

The PCI Document Library can be found here.