The objective of this information supplement is to update and replace PCI SSC’s original penetration testing information supplement titled “Payment Card Industry Data Security Standard (PCI DSS) Requirement 11.3 Penetration Testing” published in 2008. This information supplement has additional guidance to what is in PCI DSS and is written as general penetration testing guidelines that are intended to extend into future versions of PCI DSS.
The guidance focuses on the following:
Penetration Testing Components: Understanding of the different components that make up
a penetration test and how this differs from a vulnerability scan including scope, application and network layer testing, segmentation checks, and social engineering.
Qualifications of a Penetration Tester: Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
Penetration Testing Methodologies: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement.
Penetration Testing Reporting Guidelines: Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included.
The information in this document is intended as supplemental guidance and does not supersede, replace, or extend PCI DSS requirements. While all references made in this document are to PCI DSS version 3.0, the general principles and practices offered here may be applied to any version of PCI DSS.
more here...............https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
The guidance focuses on the following:
Penetration Testing Components: Understanding of the different components that make up
a penetration test and how this differs from a vulnerability scan including scope, application and network layer testing, segmentation checks, and social engineering.
Qualifications of a Penetration Tester: Determining the qualifications of a penetration tester, whether internal or external, through their past experience and certifications.
Penetration Testing Methodologies: Detailed information related to the three primary parts of a penetration test: pre-engagement, engagement, and post-engagement.
Penetration Testing Reporting Guidelines: Guidance for developing a comprehensive penetration test report that includes the necessary information to document the test as well as a checklist that can be used by the organization or the assessor to verify whether the necessary content is included.
The information in this document is intended as supplemental guidance and does not supersede, replace, or extend PCI DSS requirements. While all references made in this document are to PCI DSS version 3.0, the general principles and practices offered here may be applied to any version of PCI DSS.
more here...............https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf