PCI penetration testing guide

Things just got real for companies that need to comply with PCI requirements. Not only is PCI v3.2 mandated, the PCI Standards Security Council has issued guidance on using penetration testing as part of vulnerability-management programs.

In April 2016, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2. With the updates came clarification to requirements, additional guidance, and seven additional new requirements. 

To address issues related to cardholder data breaches and protect against existing exploits, PCI DSS v.3.2 includes various changes, most of which are specific to service providers. This includes new penetration testing requirements that now require segmentation testing for Service Providers to now be performed at least every six months or after any significant changes to segmentation controls/methods. In addition, there are several requirements to ensure that service providers are continuously monitoring and maintaining critical security controls throughout the year.