EMV Among the Missing Pieces of PCI DSS 3.0
"Penetration testing has been required in previous PCI DSS versions and is still required with PCI DSS 3.0; the difference is the methodology," Percoco said.

Percoco explained that, in the past, the standard did not clarify whether cardholder data had to be isolated and segmented away from the rest of an organization's corporate environment, and it set no scope requirement for what the penetration-tested environment needed to look like. The more effective way to test an environment, Percoco said, is to perform the penetration test from outside the segment where the cardholder data is stored, which could even be the corporate section of an organization's network.

"There have been data breaches where the attackers gained access to the corporate environment first and then used that as a base to attack the cardholder data," Percoco said. "Simulating that kind of attack is extremely important."

The new penetration testing methodology requirement goes into effect July 1, 2015. Percoco said the delay is likely due to the costs involved in executing the new type of testing. "Money is typically the driver around delayed requirements," Percoco said.

If an organization is certified to be PCI DSS 3.0 compliant on Jan. 1, it does not need to meet the new penetration testing requirements until it recertifies. Any PCI DSS 3.0 certification done on or after July 1 will, in fact, need to comply with the new penetration testing requirements.

Trustwave's Rosenberg noted that in the past many merchants most likely just ran a basic scan, called it a penetration test and then checked it off the list for PCI DSS compliance. "The new penetration testing requirements in PCI DSS 3.0 are now also more impactful because they apply to more merchants that had never previously done penetration testing," Rosenberg said. "Namely, any merchant that segments their environment now has to do a penetration test to prove that the segmentation is adequate."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.