VM-07—Application Penetration Testing: Cardholder Data Environment
>Control Description
Theme
Type
Policy/Standard
Vulnerability Management Policy
>Implementation Guidance
1. Ensure that a process has been defined and documented for conducting penetration tests for the Cardholder Data Environment (CDE).
2. Ensure that the testing covers the following requirements:
• testing covers the entire CDE perimeter and critical data systems
• testing verifies that CDE perimeter segmentation is operational
• testing is performed from both inside and outside the CDE network
• testing validates segmentation and scope-reduction controls (e.g., tokenization processes)
• network layer penetration tests include components that support network functions as well as operating systems
• at the application level, testing provides coverage, at a minimum, against the security testing requirements defined in VM-05-01 (01)
• testing is performed with consideration of threats verified in the last 12 months from external alerts, directives, and advisories defined in VM-06-02
• testing is performed with consideration of vulnerabilities reported through Organization's PSIRT process within the last 12 months
• risk ratings are assigned to discovered vulnerabilities, which are tracked through remediation
>Testing Procedure
1. For PCI in-scope services, obtain and inspect evidence to show that the external penetration test, internal penetration test, and segmentation tests were performed appropriately.
2. Validate that the penetration test reports document the following requirements:
• testing covers the entire CDE perimeter and critical data systems
• testing verifies that CDE perimeter segmentation is operational
• testing is performed from both inside and outside the CDE network
• testing validates segmentation and scope-reduction controls (e.g., tokenization processes)
• network layer penetration tests include components that support network functions as well as operating systems
• at the application level, testing provides coverage, at a minimum, against the security testing requirements defined in VM-05-01 (01)
• testing is performed with consideration of threats verified in the last 12 months from external alerts, directives, and advisories defined in VM-06-02
• testing is performed with consideration of vulnerabilities reported through Organization's PSIRT process within the last 12 months
• risk ratings are assigned to discovered vulnerabilities, which are tracked through remediation
>Audit Artifacts
>Framework Mappings
Cross-framework mappings provided by Adobe CCF Open Source under Creative Commons License.