PCI DSS (Payment Card Industry Data Security Standard) is a security standard for handling customer credit card information. PCI compliance ensures that customers' credit card information is kept as safe as possible throughout processing.
PCI compliance is built around 12 major requirements, grouped into 6 categories.
If a merchant wants to be PCI compliant, the first step is to identify which level their business belongs to.
Level 1 - Requires annual penetration testing of the CDE (Cardholder Data Environment), quarterly network scans performed by an ASV (Approved Scanning Vendor), and semi-annual segmentation testing of the internal network.
For Levels 2, 3, and 4 - There are 6 types of SAQ (Self-Assessment Questionnaire) that a firm can fall under. To see which one your firm should use, please see the table below.
SAQ-D requires annual penetration testing of the CDE along with quarterly scanning and semi-annual segmentation testing. All other SAQ types require only quarterly scanning.
PCI DSS defines the CDE as "the people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data".
Typically your CDE consists of a web application, an external network, and an internal network.
If you are unsure what is included within your CDE, please consult your QSA (Qualified Security Assessor).
Cobalt's pentest reports can be used to satisfy the penetration testing requirement set by your QSA.
An example CDE architecture is shown below.
Effective 1 February 2018, service providers must perform penetration testing at least every six months to verify that segmentation controls are effective.