Version 2.0 of the PCI DSS clarifies its testing expectations (Requirements 11.2 and 11.3) by requiring: 1) external vulnerability scanning at least quarterly by an Approved Scanning Vendor (ASV), plus rescanning after any significant change (the post-change scans may be performed by internal staff); 2) internal vulnerability scanning at least quarterly and after significant changes, performed by qualified and organizationally independent internal staff or a qualified third party; 3) external penetration testing at least annually and after any significant infrastructure or application change, covering applicable network-layer and application-layer vulnerabilities; and 4) internal penetration testing on the same schedule and covering the same layers.
All penetration testing must be performed by a qualified internal resource or a qualified external third party that is organizationally independent of the systems under test (the tester is not required to be a QSA or ASV). In addition, every exploitable vulnerability found during testing must be corrected and then retested until the fix is confirmed.
“I already perform internal and external vulnerability scanning… is a penetration test really that different?”
Penetration testing complements vulnerability scanning in your testing program; it is neither a replacement for scanning nor a competitor to it. Automated vulnerability scanning identifies potential vulnerabilities quickly and at scale, and because new vulnerabilities appear constantly, every organization should be scanning somewhere between daily and quarterly. However, a scanner largely infers vulnerabilities from version banners, configuration checks and signature matches; it does not confirm that a flaw is actually present or exploitable in your environment, so its output contains false positives and says little about what an attacker could reach from a given weakness. Only targeted, manual penetration testing validates which findings are genuinely exploitable, how they can be chained, and therefore which ones are the biggest risk and the highest priority to fix. Given the skill set and effort a manual penetration test requires, it cannot be performed as frequently as vulnerability scanning. Nonetheless, it is a critical component of your testing program.