Skip to main content

πŸ’Ό 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity.

Description​

Includes:

  • Industry-accepted penetration testing approaches.
  • Coverage for the entire CDE perimeter and critical systems.
  • Testing from both inside and outside the network.
  • Testing to validate any segmentation and scope-reduction controls.
  • Application-layer penetration testing to identify, at a minimum, the vulnerabilities listed in Requirement 6.2.4.
  • Network-layer penetration tests that encompass all components that support network functions as well as operating systems.
  • Review and consideration of threats and vulnerabilities experienced in the last 12 months.
  • Documented approach to assessing and addressing the risk posed by exploitable vulnerabilities and security weaknesses found during penetration testing.
  • Retention of penetration testing results and remediation activities results for at least 12 months.

Similar​

  • Sections
    • /frameworks/pci-dss-v3.2.1/11/03
    • /frameworks/pci-dss-v4.0.1/11/04/01

Similar Sections (Take Policies From)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 11.3 Implement a methodology for penetration testing.4
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity.

Similar Sections (Give Policies To)​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 11.3 Implement a methodology for penetration testing.4
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity.

Sub Sections​

SectionSub SectionsInternal RulesPoliciesFlags