As a standard that pays a lot of attention to practical activities, the PCI DSS mandates a range of testing activities. We frequently see confusion about what needs to be tested, how and when. At the end of this post is a link to our short guide to all PCI DSS testing requirements.
Some key messages for you:
- Each testing requirement is distinct (i.e. conducting one type of test does not necessarily satisfy another test requirement)
- Watch out for the scope – most tests must be conducted internally and externally
- Tests must be carried out according to the frequency specified in the DSS, and after significant change to the card data environment
- Quarterly ASV scans must be carried out by an ASV company
- Expect your QSA to require evidence that each applicable test has been conducted, plus evidence that significant findings have been addressed
Yes, there’s a lot of testing – but bear in mind that these tests provide you with vital assurance that your PCI controls are functioning correctly and that your organisation is not exposed to high-risk vulnerabilities. If there’s something wrong, you need to know sooner rather than later.
Download our free guide covering the PCI DSS Security Testing Requirements