Vulnerability scanning and penetration testing are the ongoing assurance mechanisms that verify the CDE remains defensible against known attack techniques. Scanning identifies vulnerabilities; penetration testing attempts exploitation. Both are required by PCI DSS, and both must be conducted by qualified resources, managed through documented processes, and evidenced with reports that QSAs can review.
Vulnerability Scanning — Internal Program
Internal Scan Requirements
Internal vulnerability scans must cover all in-scope CDE system components — servers, network devices, database systems, and any other IP-addressable component in the CDE. The scan must be performed at least quarterly and after any significant change. All High and Critical vulnerabilities must be remediated before the scan can be considered passing.
Scanner Selection
Common vulnerability scanners for PCI DSS internal scanning: Qualys VM, Tenable Nessus, Rapid7 InsightVM, OpenVAS (open-source). The scanner must be kept updated — both scanner software and vulnerability signature databases must be current at the time of each scan.
Scan Scope and Configuration
Configure the scanner to cover: all IP addresses assigned to CDE systems, all ports (0–65535 — not just well-known ports), and all protocols. Credentialed scans (where the scanner has valid credentials to the scanned systems) provide more complete coverage than non-credentialed scans — they can identify vulnerabilities inside the operating system, not just at the network service layer.
| KEY IDEA | Credentialed scanning vs. non-credentialed scanning is an important distinction for PCI DSS. Non-credentialed scans test what an unauthenticated attacker on the network would see — useful but limited. Credentialed scans test what an attacker with valid credentials would find — including missing patches, insecure service configurations, and local privilege escalation vulnerabilities. QSAs may ask whether internal scans are credentialed. |
ASV External Scanning
ASV Requirements
External vulnerability scans must be performed by an Approved Scanning Vendor (ASV) listed on the PCI SSC's ASV list. The ASV scan tests all internet-facing IP addresses associated with the CDE. The scan must achieve "passing" status — defined as no High or Critical vulnerabilities after remediation and rescanning.
ASV Selection and Engagement
Select an ASV from the PCI SSC's list. Common ASVs: Qualys PCI (ASV division), Rapid7, Tenable.io, Trustwave, ControlScan. Evaluation criteria: experience with your technology stack, responsiveness during remediation cycles, quality of scan reports, and whether they offer dispute resolution support (for false positives).
| ASV Process Step | Timeline | Responsible Party | Key Output |
|---|---|---|---|
| Initial ASV scan | Week 1 of each quarter | ASV | Scan report with finding list |
| Finding review | Week 1–2 | Internal security team | Prioritized remediation list; false positive identification |
| False positive disputes | Within 30 days of scan | Internal team + ASV | Accepted dispute documentation from ASV |
| Vulnerability remediation | Ongoing — High/Critical within 30 days | Systems/DevOps teams | Patch records, configuration change evidence |
| Rescan | After remediation complete | ASV | Passing ASV scan report |
| Passing report submission | Before acquirer deadline | Compliance team | Signed ASV passing scan attestation |
Penetration Testing Program
What PCI DSS Requires
Annual penetration testing of the full CDE — both network and application layers. The test must use a recognized methodology (PTES, OWASP, NIST SP 800-115, or equivalent). It must cover: external network layer (all external-facing systems), internal network layer (internal CDE systems from an insider perspective), application layer (all public-facing web applications that handle CHD), and segmentation verification (confirming out-of-scope systems cannot reach CDE systems).
Penetration Tester Qualifications
PCI DSS requires pen testing by either a qualified internal resource or a qualified third party. Qualification criteria: current penetration testing certifications (OSCP, GPEN, CEH, CRTE), independence from the systems being tested (internal testers must not manage the systems they test), demonstrated experience with the technology stack in scope.
Penetration Test Report Requirements
The penetration test report must document: the test scope (all systems tested), the methodology used, all vulnerabilities discovered (with CVSS scores), the exploitation techniques attempted, the results of exploitation attempts, and recommendations for remediation. All High and Critical findings must be remediated and verified by the tester before the report is considered complete.
Post-Change Penetration Testing
Significant changes to the CDE — new systems, network architecture changes, major application changes — trigger penetration testing of the changed components, even outside the annual cycle.
| IMPORTANT | The distinction between a vulnerability assessment and a penetration test is critical for PCI DSS. A vulnerability assessment identifies and reports vulnerabilities. A penetration test actively attempts to exploit vulnerabilities — chaining together multiple low-risk findings into a high-impact attack. PCI DSS Requirement 11 requires penetration testing, not just vulnerability assessment. A report that only lists CVEs from an automated scanner is not a penetration test report. |
Segmentation Testing
Organizations using network segmentation for scope reduction must test that segmentation annually and after significant changes. The test must verify that out-of-scope systems cannot connect to CDE systems. The segmentation test may be incorporated into the annual penetration test or conducted separately.
| Penetration testing quality in the Indonesian market varies significantly. Bitlion recommends requiring a sample engagement report before contracting a pen testing firm — a good report shows manual exploitation attempts, evidence of chained vulnerabilities, and clear scope documentation. A report that consists primarily of automated scanner output formatted as a penetration test will not satisfy PCI SSC methodology requirements and may fail QSA review. |