Adapting Your Annual Penetration Testing Program
Strictly speaking, annual penetration testing falls under Requirement 11.3 (renumbered 11.4 in the v4.0 standard). It is important to remember that the security vendor fulfilling this requirement is not the auditor. The penetration test report is one of many artifacts provided to the assessor during the ROC (Report on Compliance) evaluation. An effective penetration testing vendor should therefore uncover any vulnerabilities that could affect your ROC and give you detailed remediation steps, so that your Compliance team has a clean sheet to present to the assessor. With PCI DSS v4.0, this now extends beyond critical and high findings: merchants and processors must either remediate medium and low findings as well, or document a risk analysis showing that those findings are being resolved on a timeline appropriate to their risk level.
The list of changes above also features authenticated vulnerability scans of the internal network. Authenticated scanning requires credentials to be provisioned and maintained for the scanning platform, which adds preparation time that application, infrastructure and testing teams may not be accustomed to. Another point to note about authentication is the new requirement to enforce MFA for all access into the CDE, not only for administrative access. This, coupled with the new minimum password length of 12 characters, will be a key area of focus for penetration testers, who will look for paths into the CDE that bypass MFA or rely on legacy credentials.
Defining ‘Significant Change’
One final thought is the hot-button topic of what constitutes a "significant change." Who determines that a "significant change" has occurred? This matters because in-scope PCI DSS systems are often only tested annually, yet, depending on an organization's development lifecycle, those systems may change regularly throughout the year. Consequently, leaving 12 months between assessments could expose an organization that has never defined what counts as a "significant change," since it has no trigger for the additional testing the standard expects. It is perhaps in this vein that the architects of v4.0 introduced Requirement 6.4.2, which can be interpreted as pointing toward "continuous pen testing." In other words, although a full penetration test is required annually, processes should be in place to ensure that even non-significant changes are assessed. After all, many penetration tests find minor, low-severity issues that can be chained together into a high-severity compromise.
Next Steps
While organizations have time to implement changes in response to the release of PCI DSS 4.0 and its penetration testing requirements, it is important to start preparing now. This means reviewing the new requirements against your organization's current approach to pen testing. As noted above, the changes may require a shift in the cadence of testing, from a single annual exercise toward testing tied to change. While adapting to v4.0 may initially appear to add a security burden for in-house teams, firms can benefit by treating it as an opportunity to review their current penetration testing practices and ensure they are getting the most from their security investment. By working with a trusted external provider with a proven track record, companies can ensure that their defenses are thoroughly tested and that a comprehensive plan exists to mitigate any identified issues.
Kroll’s Cyber Risk team has the knowledge and experience to handle the most complex, large-scale pen testing engagements. Our penetration testing services can be scaled and adapted to align with the requirements of the evolving compliance landscape, including those of the PCI DSS.