PCI DIY: How to do an internal penetration test to satisfy PCI DSS requirement 11.3

Blog Post created by ckirsch on Jul 27, 2011

If you're accepting or processing credit cards and are therefore subject to PCI DSS, you'll likely be familiar with requirement 11.3, which demands that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". What most companies don't know is that you don't have to hire an external penetration testing consultant - you can carry out the penetration test internally, providing you follow some simple rules:


  • Sufficient qualification: You need to provide the QSA with evidence that the person conducting the penetration test has the training or experience to do so. A training certificate should be perfect to satisfy this requirement. Rapid7 offers on-site and online Metasploit training courses that help you document the required qualification.
  • No conflict of interest: If you are conducting the penetration test, you must not be part of, or report to, the group that operates the in-PCI-scope network.


During the PCI DSS audit, it will be the QSA who decides whether you have fulfilled these requirements, so make sure you document these two requirements well. Although requirement 11.3 leaves a lot of room for interpretation, internal penetration tests have typically been accepted by QSAs.


If you don't have any penetration testing expertise but would like to start with in-house security testing, I recommend a combination of Metasploit Pro and our 4-hour online Metasploit Pro training. Alternatively, Rapid7 offers external penetration testing services that satisfy PCI requirement 11.3 and external ASV scanning services that help you comply with PCI requirement 11.2.


Update on 5/23/2013:


I've recently received some follow-up questions from smaller organizations about this blog post, so I thought the following clarification may be helpful:


PCI is renowned for compartmentalizing requirements based on transaction volumes and methods of acceptance. PCI has supplemental guidance to aid organizations in meeting PCI requirements without significant costs or changes to their business models.


A conflict of interest would mostly be applicable to larger organizations that have a separate security team. Auditors understand that some smaller organizations cannot afford the separation of duties and/or add those layers of complexity to their org chart. In these instances it is perfectly acceptable that someone with the same reporting structure perform the testing. There are hundreds of organizations that do not have separation of duties to that level because it’s not always feasible.


The requirement on training and experience is more of a liability statement. PCI is a means for the card brands to protect themselves in the event of a breach, where the merchant is responsible for losses rather than the card brands. The card brands want to ensure the individuals performing penetration testing can identify issues that could lead to a breach. Most breaches are the result of VERY “low-hanging fruit” (e.g. default credentials). There is no strict certification requirement but rather a recommendation that the security professional is familiar with the PCI requirements and the relevant tools. For example, Rapid7 offers an online seminar for using Metasploit Pro, which is adequate to meet this bar.