How To Interpret PCI DSS 1.2 Application Security Pen-Test Requirements?

Posted on July 02, 2009

I've had some interesting conversations lately with other pen-testers about PCI. Although I am familiar with many aspects of PCI DSS, I do not consider myself a PCI expert, and in this post I'm seeking clarity on how the pen-test requirements are interpreted.

PCI DSS requires penetration testing of the cardholder environment annually, and whenever significant changes are made to the environment (e.g. OS upgrades).

Specifically PCI DSS 1.2 says:

11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
These penetration tests must include the following:

11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests

The testing procedure for Application-layer pen-tests states:

11.3.2 ...For web applications, the tests should include, at a minimum, the vulnerabilities listed in Requirement 6.5.

Turning to section 6.5, we find the OWASP Top 10 vulnerabilities listed.

My question is this: what level of web-app coverage is required for the application pen-test, and what is the rationale behind your answer?

As an example, if we limit ourselves to SQL injection alone, does PCI DSS 1.2 require testing every field on every input form?

Or to put it another way, what is the current QSA interpretation?
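Whatever the QSA answer turns out to be, the "every field on every form" question is only answerable against an explicit inventory of the fields that reach the server. The following is an added example (not part of the original post, and not any tool a QSA prescribes) that builds such an inventory from a form page with Python's standard `html.parser` and reports which fields a tester has not yet exercised. The HTML page and the set of already-tested fields are constructed here for illustration.

```python
# Added example: build a test-coverage inventory of form fields so that the
# scoping question "every field on every form?" is answered against an explicit
# list rather than by guesswork. Sample HTML and the "tested" set are constructed.
from html.parser import HTMLParser

# Constructed sample page with two forms and several field types (hypothetical).
SAMPLE_HTML = """
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc">
  <input type="submit" value="Sign in">
</form>
<form id="search" action="/search" method="get">
  <input type="text" name="q">
  <select name="sort"><option>date</option></select>
  <textarea name="notes"></textarea>
</form>
"""


class FormInventory(HTMLParser):
    """Collect every named, user-controllable field for each form on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form: id, action, method, fields
        self._current = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "id": a.get("id", "?"),
                "action": a.get("action", ""),
                "method": a.get("method", "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # A submit button carries no user-supplied value. Everything else,
            # hidden fields included, is sent to the server and belongs in scope.
            if a.get("type", "").lower() == "submit":
                return
            name = a.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def inventory(html):
    """Return the list of forms (with their in-scope fields) found in html."""
    parser = FormInventory()
    parser.feed(html)
    return parser.forms


def coverage(forms, tested):
    """tested: set of (form_id, field_name) pairs already exercised.

    Returns (tested_count, total_count, untested_pairs) so the gap between
    "some fields" and "every field on every form" is visible at a glance.
    """
    all_pairs = [(f["id"], name) for f in forms for name in f["fields"]]
    missing = [pair for pair in all_pairs if pair not in tested]
    return len(all_pairs) - len(missing), len(all_pairs), missing


if __name__ == "__main__":
    forms = inventory(SAMPLE_HTML)
    # Constructed record of what a tester has covered so far.
    done = {("login", "username"), ("login", "password"), ("search", "q")}
    done_count, total, missing = coverage(forms, done)
    print(f"{done_count}/{total} fields tested; untested: {missing}")
```

Hidden fields and `select` elements are deliberately kept in the inventory: they are server-side inputs regardless of how the browser renders them, which is exactly the kind of field a "visible form fields only" scope would miss.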